Global economic troubles have motivated many companies to seek alternative means of conducting business that will cut costs and maximize profits. One of the most popular and effective methods is outsourcing of the Information Security (IS) infrastructure. According to a recent study commissioned by Savvis, Inc., this number is predicted to increase by almost 67% globally by 2020. IS outsourcing has its benefits; however, it often comes with high risk. EC-Council addressed the security challenges of outsourcing during a panel discussion at its CISO Executive Summit in December 2011.
“The challenges of outsourcing are similar to those you may have with the acquisition (insourcing) process. When acquiring a new company you need to ensure that due diligence has been completed prior to acquisition and integration, as you now will be responsible for the security of that company’s data. This is the same with outsourcing,” said Jeff Tutton, CISO Executive Summit Panel Chair and President of Global Security and Compliance at Intersec Worldwide. “Hire a trusted and qualified third party to complete a thorough evaluation of the outsourcing company. But don’t just stop there. Put methods and controls in place to monitor and maintain the security of this data during the entire lifecycle. Trust but verify, and assign responsibility to a qualified person within your organization to manage and maintain oversight of security. Another option is to outsource only the data and systems that you want to end up in the public domain.”
Tutton recently led an interactive panel discussion centered on outsourcing and IS management at EC-Council’s Inaugural CISO Executive Summit for Chief Information Security Officers. He was joined by Todd Bell, Executive IT Security Advisor, ConnectTech, LCC; Inno Eroraha, Founder & CEO, NetSecurity Corporation; Chris Oglesby, Senior VP, Knowledge Consulting Group; and Edward Ray, CISO, MMICMAN, LLC. The panel discussion addressed the challenges of managing risk and monitoring the outsourcing company’s performance, while complying with recent industry changes such as SAS70 and PCI compliance. To view an interactive video of the panel discussion.
Tutton’s panel discussion presented a detailed overview of the benefits and challenges of outsourcing with respect to Information Security. Globally, over 60% of organizations say that managing the IT infrastructure domestically offers no competitive advantage and are planning to move operations offshore. However, many offshore companies are not subject to the same legal restrictions as those in the United States. For instance, India, one of the biggest destinations for offshore outsourcing, does not have any data privacy laws. This laxity in law enforcement leaves confidential information vulnerable to security breaches.
Last year, Epsilon, a cloud-based email service provider, suffered a security breach that ended up affecting around 75 clients and compromised over 60 million personal names and email addresses. Security breaches such as this can be extremely costly and detrimental to a company’s reputation.
“If an organization is looking to do a large infrastructure outsourcing engagement, the best way to ensure that security is a priority is to build a comprehensive list of security requirements into outsourcing contracts, develop appropriate service level agreements and reporting mechanisms to evaluate security and budget for a review by an independent assessment organization. This will ensure that security always stays top of mind,” said panel speaker Chris Oglesby. “If, however, the decision is to outsource infrastructure and security separately, then the security operations should drive the direction and outcomes and create independence between the organizations to meet the client needs.”
In the future, companies need to employ executive IS leaders who will develop methods to adequately protect the IT infrastructure when outsourcing in-house responsibilities. Platforms such as EC-Council’s CISO Executive Summit Series provide a means for top-level IS executives to gather and discuss the latest industry challenges. Continuous education and knowledge sharing will provide solutions to the quandaries top executives face on a daily basis. For more information on upcoming EC-Council CISO Executive Summits.