Outsourcing Security vs. Doing It In-House

More companies, particularly those with over 1,000 employees, are increasing their security budgets and hiring chief information security officers, despite the recession, according to my colleagues in the industry. This makes sense, given that companies know they need to protect their business operations from an unscheduled shutdown caused by a data breach. When margins are slim, even a brief loss of productivity can put companies into the red.
As these companies beef up their security management, they will instantly recognize that some parts of security can and should also be outsourced. As security guru Bruce Schneier says in his essay The Case for Outsourcing Security, which is as relevant now as when it was first published years ago:
“Medical care is a prime example of outsourcing that works well. Everyone outsources healthcare; we don't act as our own doctor. More to the point, no one hires a private personal doctor… Network security is no different. Companies should outsource expert assistance: vulnerability scanning, monitoring, consulting, and forensics, for example.”
Outsourcing security is a simple matter of cost-effectiveness, something all companies require now more than ever. Schneier goes on:
“Think about healthcare again. I might only need a doctor twice in the coming year, but when I need one I might need him immediately, and I might need specialists. Out of a hundred possible specialties, I might need two of them—and I have no idea beforehand which ones. I would never consider hiring a team of doctors to wait around until I happen to get sick. I outsource my medical needs to my clinic, my emergency room, my hospital. Similarly, companies will outsource network security monitoring.”
Outsourcing security can be just what the doctor ordered for companies that need to take care of security while paying attention to the bottom line.