Question B: Under what circumstances, if any, would it make sense for a business to outsource information-security functions offshore?

Our advice: The question is a two-pronged one because it involves making two decisions: Whether to outsource the security function, and; Whether to outsource offshore as opposed to onshore.

What Security To Outsource?
Here are the typical services of a security-services vendor: Intrusion-detection systems that monitor your network for suspicious activity and prevent attacks VPNs that secure the privacy of data communications Strong authentication devices that identify users before granting access to information resources, and permit remote users to securely connect to corporate intranets Virus, vandal, and Web-site-blocking services that filter malicious data and control website access; and Network scanning services that scan your network to identify potential vulnerabilities and recommend fixes.

Any and all of the above may be outsourced for cost savings, increased reliability, and better monitoring.

However, when it comes to moving the security function offshore, several other considerations come into play.

In outsourcing the security function offshore, one can control the incidence of virus attacks, system failures, denial-of-service attacks, Web-site and E-mail intrusion, etc. The greatest cost of security breaches, however, is the loss of confidential data. By outsourcing security offshore, are you opening yourself to the possibility of further loss of confidential data by involving a third party, which could possibly be located half-way around the globe, to "secure" your network and IT infrastructure?

Challenges Of Offshoring Security
The challenges associated with working with an offshore security-services partner include: The geographic distance results in a partial loss of control on the security function. Laws and government philosophies may not be in alignment with what we are familiar and comfortable with in the U.S. It requires additional due diligence, above and beyond that required for onshore outsourcing of the security function. There are currently an insufficient number of qualified information-security resources in offshore destinations.

Overcoming These Challenges There are challenges if you choose to offshore security. Remember, "offshoring begins onshore." Here are some suggestions:

Conclusions And Recommendations
Under what circumstances does it make sense for a business to outsource the information security function offshore? When there is a well-defined security function within the organization, with clear parameters and standards that can be communicated via the outsourcing service-level agreement. When there's synergy between the business and the vendor, and both have conducted their due diligence to ensure the ability to comply with the information security function. When the business is willing and able to allocate resources to the management and supervision, including periodic audits, of the outsourced security function; and When the business is willing and able to take ultimate responsibility for any possible breakdown in the information-security function, onshore or offshore.

Don't give away the keys to the kingdom, but rather use diligent outsourcing of information security to enable you to focus on your core competencies.

--Sanjay Anand

Beth Cohen, TAC Thought Leader, has more than 20 years of experience building strong IT-delivery organizations from user and vendor perspectives. Having worked as a technologist for BBN, the company that literally invented the Internet, she not only knows where technology is today but where it's heading in the future. Sanjay Anand, TAC Expert, has more than 20 years of IT and business-process management experience as a strategic adviser, certified consultant, speaker, and published author. More than 100 personal clients, large and small, have included companies from a diverse array of industries and geographies, from academia to technology and from Asia to the Americas. Often referred to as a "consultant's consultant" for training and mentoring skills. He is author of books "The Sarbanes-Oxley Guide for Finance and Information Technology Professionals" and "J.D. Edwards OneWorld: A Beginner's Guide."