Q: Outsourcing Security - Why it is a bad idea. ( Answered 2 out of 5 stars,   2 Comments )
Question  
Subject: Outsourcing Security - Why it is a bad idea.
Category: Computers > Security
Asked by: unclebuck-ga
List Price: $75.00
Posted: 09 Aug 2002 06:54 PDT
Expires: 08 Sep 2002 06:54 PDT
Question ID: 52562
I would like to know why it is a BAD idea to outsource security for a
firm with 5000 employees?  We currently have a highly trained security
staff in place. We have firewalls, internal, external network and host
based IDS systems, strong security policies and procedures. 
Additionally, I would like specific examples of security outsourcing
catastrophes that other firms may have experienced.
Answer  
Subject: Re: Outsourcing Security - Why it is a bad idea.
Answered By: netcrazy-ga on 09 Aug 2002 11:23 PDT
Rated:2 out of 5 stars
 
Hello and thank you for this question.

Outsourcing, whether it be long-term or short-term, has core cause and
effect symptoms that currently aren't being remedied. It has both pros
and cons and depending on how you’ve outsourced your security, it can
turn out to be good or bad.

There is a great article posted on the Network Magazine site, and it
discusses this issue of outsourcing very well.
Outsourcing Security - Is turning over the keys the best way to secure
your enterprise?
http://www.networkmagazine.com/article/NMG20000426S0026


It is nothing new for a company to buy goods or services from other
companies. It is neither rational nor reasonable for a company to do
absolutely everything in-house. The question is therefore what a
company should do in-house and what others can do better. When a
company changes tack and decides that jobs that have previously been
done in-house are to be done by a contractor, we call it outsourcing.
Even if outsourcing is by no means new, there will be consequences
each time a decision is made to outsource, consequences which can be
both positive and negative for the company's employees.
http://www.union-network.org/Ibits.nsf/5751d24322e603308025646c003b28b8/9e0b613362344979c125667a0033d54d?OpenDocument

Bruce Schneier of Counterpane Internet Security, Inc., wrote about
outsourcing security. Here is that article.
http://www.computer.org/computer/sp/articles/sch/

Classic Outsourcing Blunders
http://www.darwinmag.com/read/080101/blunders.html


Outsourcing looms for core security. According to this article,
outsourcing can be good or bad. It all depends on how you have your
agreement done with the outsourcing company. It has given some major
questions that should be asked while looking for an outsourcing
company. Questions related to experience, SLAs, services,
infrastructure should be investigated to come up with the best
company. Read more on this.
http://www.networknews.co.uk/Analysis/1129412

Shutdown of Pilot Network Services is a classic example of how
outsourcing your security can put a company right on to the steps of
disaster. On April 25, 2001, Pilot Network Services went out of
business, abandoning 200 customers that relied on them for something
rather important: security. Check out more details about how it
happened, its impact on customers and how they dealt with this trauma.
http://www.cio.com/archive/080101/exposed.html

A similar example on the same grounds is of Salinas Network Services,
who were the largest firewall management company. They also
disappeared.

11 Questions to Help You Select the Best Service & Support Provider.
Their questions include some major issues like How consistent is the
expertise level, what third-party reviews have been done, and what
monitoring can you perform and so on.
http://www.networkcomputing.com/1308/1308f2.html


2002: Year of the bad outsourcing deal – Read this article by Andy
McCue. According to the analyst company Gartner, 2002 and 2003 will
see record numbers of outsourcing deals that go bad.
http://www.networknews.co.uk/News/1132982


Outsourcing can offer definite advantages - but only if you do it
right. Outsourcing is fraught with danger for the unwary executive or
corporate counsel. There are pros and cons to outsourcing:
     Pros:
          - improved service and performance, 
          - better management control,
          - improved business focus and many others

     Cons:
          - nickel-and-dime syndrome ("I have to charge you extra for this, and this and that"),
          - contract termination problems, 
          - loss of in-house expertise and more
So, what is the best way to find out whether outsourcing is good for
you or not? Here is a 20-step program created by WSR Consulting Group,
LLC to help you in this.
http://www.wsrcg.com/outsourc.htm


Outsourcing Security Management. The need for outsourcing is explained
here. They have covered many aspects in the discussion and have also
given many links to dig more on this.
http://rr.sans.org/policy/outsourcing.php

A totally different view is given over here. According to this
article, the demand for third-party security services will exceed
$17.2 billion by the end of 2004.
http://www.computerworld.com/securitytopics/security/story/0,10801,57980,00.html

Bruce Schneier says that "On the one hand, the promises of outsourced
security seem so attractive: the potential to significantly increase
your network's security without hiring half a dozen people or spending
a fortune is impossible to ignore. On the other hand, there are the
stories of managed security companies going out of business, and bad
experiences with outsourcing other areas of IT. It's no wonder that
paralysis is the most common reaction to the whole thing." He says
very clearly not to outsource your security management. This is
the best and safest way to have any sort of bad experience with
outsourcing.
[pdf] http://www.counterpane.com/outsourcing.pdf

A similar discussion regarding "Should enterprises outsource
security to a third party?" is posted on this page
( http://www.internetweek.com/columns01/point081301.htm ).
As quoted, some argue it may not be wise to relinquish control of
security to a third party. But, this has been done for years in
securing brick-and-mortar businesses. The same principles hold true
for Internet security. Enterprises should look for a reputable
security partner. However, another point says that "Leaving security
decisions to IT staff or to technology-centric security outsourcers is
ineffective and inefficient. A company must take a security posture
that puts business requirements first and evaluates all security
measures against those requirements. That's why security overall
belongs in-house."


Companies are outsourcing IT security to cut costs of around-the-clock
surveillance. But, some doubt the risk is worth the savings.
http://www.informationweek.com/story/IWK20010713S0009

Outsourced Security On The Rise
http://www.internetwk.com/story/INW20000303S0005

The collapse of once-promising companies such as Pilot Network
Services Inc. and Salinas Group sounds like the rumblings of a
shakeout beginning in an emerging market. Use caution when choosing a
managed security vendor.
http://www.informationweek.com/story/IWK20010713S0006


Further links:

Tips For Successful Security Outsourcing
http://www.esecurityplanet.com/trends/article/0%2C%2C10751_1331451%2C00.html

Outsourcing security a good plan, but be careful out there
http://search390.techtarget.com/tip/1,289483,sid10_gci769748,00.html

The realities of outsourcing
http://www.nwfusion.com/columnists/2002/0114kaplan.html

Find out which technologies network executives are happy to outsource
and which parts of their network they don't want anyone else to touch.
http://www.nwfusion.com/careers/2002/0527man.html


Search terms used:

In Google: 

Outsourcing Security: 
://www.google.com/search?num=25&hl=en&lr=&ie=UTF-8&oe=utf-8&q=Outsourcing+Security&btnG=Google+Search

In Pandia:

outsourcing security: 
http://search.curryguide.com/execute/search/nph-web.cgi?ac=pandia&adbg=ffffff&intprom=s&query=outsourcing+security&where=?=&match=?=n%3An&pp=16&sd=

I hope this helped. Feel free to ask for clarification, and if you are
satisfied with this answer, then do rate it.

Regards,
netcrazy
unclebuck-ga rated this answer:2 out of 5 stars
It could be more in depth and focused, a little less generic. I was
looking for specific examples of companies that had outsourced all or
part of their SECURITY only and had experienced major problems with
that decision, not an introduction to outsourcing 101.  There is some
useful information.  However, most of it is fluff.  It would appear
that this is partly my fault due to my expectations of the Google
Answers service.  I travel quite extensively and do not have the time
for detailed research.  If anyone were listening from Google, I would
be willing to pay for more thorough and professional research.

Comments  
Subject: Re: Outsourcing Security - Why it is a bad idea.
From: infosecguy-ga on 19 Aug 2002 09:57 PDT
 
Check out www.securityquestion.com
to get a more involved answer
Subject: Re: Outsourcing Security - Why it is a bad idea.
From: halcyon985-ga on 29 Oct 2002 23:49 PST
 
It seems like you are looking for justification for something.  It's
really a silly question, of course there are disaster stories of
companies who have outsourced for security.  But there are also horror
stories of companies who have in-house.  The best is a mix of both
worlds, an in-house team that works with outsourced professionals from
time to time to keep them trained, and above all provide penetration
testing.
