When businesses and government departments outsource parts of their technology operations to third-party specialists, IT security needs to be given greater focus, according to analyst firm Meta Group.

Earlier this year the Inland Revenue made IT security a key element of its £3bn Aspire outsourcing contract with Capgemini.

The department learned a lesson after one incident, during the previous EDS contract, when its security department found out about cost-saving plans to shut a data centre and move sensitive information to a shared site only after an internal memo was circulated.

"Our impression is that when companies outsource different business processes or parts of their data centre, they often forget to include the external supplier in the security strategy, and create flaws in the process as a result," explained Peter O'Neill, vice president for consulting at Meta.

Creating secure outsourcing contracts
According to Meta, only 58 per cent of companies that outsource security services establish suitable controls with their partners, such as responsibilities, processes, security metrics and penalties for not meeting service level agreements. And only 57 per cent of firms review and approve security controls put in place by their outsourcer.

Even more worrying, just 56 per cent of companies say that security policy responsibilities stay in-house, implying that 44 per cent do not maintain accountability for their security when outsourcing parts of the business.

"You would be amazed at the amount of companies that outsource their infrastructure and don't know what security measures are being put in place," said Dr Alastair MacWillson, security practice partner at Accenture, which runs parts of the NHS National Programme for IT contract. "Companies need to ensure that they have a visible window into their outsourcer's security plans."

Shaun Gough, business development director at Unisys' European outsourcing unit, recommends companies to work more closely with outsourcing partners to ensure that projects comply with growing regulatory requirements.

"Businesses should always ensure that the outsourcer takes on the operating responsibilities that they have," he explained. "The outsourcer needs to know that they must adhere to these regulations, new laws and even internal policies so that they can build it into their security solution."

But by adopting security dashboards, which give an overview of network vulnerabilities, and by introducing metrics and key performance indicators, IT departments can have a clearer view of what outsourcers are doing, according to MacWillson.

The Inland Revenue is one organisation to adopt this approach, dictating that all processes implemented by Capgemini and partners Fujitsu Services and BT must meet the BS7799 security standard.

And ensuring that core business processes achieve this level of security makes it easier to introduce the standard in the Revenue itself, said Dave Evans, head of security at the Inland Revenue.

"We now have in place a security governance structure, security accreditation processes, and we approve subcontractors," he explained.

More than 42 per cent of companies outsource one or more aspects of IT security, according to Meta. Vulnerability audits top the list of outsourced security functions, with 19 per cent of businesses trusting third parties to carry out system penetration tests and network scanning.

A similar number of companies are hiring external consultants for advice on safeguarding core systems, with 17 per cent of businesses working with suppliers to monitor devices such as firewalls, virtual private networks and intrusion detection systems. Fourteen per cent of businesses interviewed by Meta also trust outsourcers to manage these technologies.

But, despite the high cost of security planning, only 10 per cent of firms outsource activities such as business continuity and regulatory compliance.

"It's a lot of money to make this kind of investment in business continuity systems in-house," said Ray Stanton, global head of security services at BT Group. "Especially when you can go to a company that provides these services and provides cost savings through scales of economy."

And as standards such as BS7799 become more established, companies wanting to outsource IT security will make further savings, according to O'Neill.

"It will become easier for suppliers to offer outsourced security, and cheaper for firms wanting to outsource. It will be an advantage for both sides," he said.

To outsource or not to outsource
But should firms be outsourcing IT security, given the important role it plays in protecting companies from downtime and theft of intellectual property?

"You could say the same for other things that are outsourced, like your communications network," said MacWillson. "As long as you have a reputable partner and the policies in place, why shouldn't you? More and more companies are saying: 'We don't want to do this, as it's too complex and hard to administer.'"

But more needs to be done to raise awareness of security issues through training, with only eight per cent of firms hiring outside professionals to provide such a service, according to Meta.

"You will see a continuous growth in managed security services, but firms need to ensure that they put service levels, training and policies in place," explained Stanton. "It's about undertaking the right due diligence. You need to establish a level of confidence in the outsourcer."

daniel_thomas@vnu.co.uk