“Should we keep IT security in-house or is it better to outsource?” This has long been a thorny issue for organizations. Recently, it was one of the most important topics during a Leaseweb Security Round Table with customers and I’d like to share some of the things I learned.
The discussion immediately took off following a statement from one of the participants, an end user: “In the Netherlands, the mantra is to focus on your core business. I dare to differ. I always learned that when operations are critical to your organization, you should keep them close. If security is critical to your company, why outsource it? If you outsource, you disconnect it from your company. What do you think about this?”
The question was addressed directly towards the Round Table organizers, employees of Leaseweb, including yours truly. I didn’t have to think long about the answer though. If it were up to me, I would not advise you to have in-house systems. I would outsource the IT systems to the cloud. Security is core business for cloud providers. They are experienced, patching frequently and accurately. If you have to choose between in-house or the cloud, the cloud is the most secure option. But outsourcing is always also based on trust. The question thus becomes: do you trust your provider enough to outsource your security?
When I proposed this during the discussion, one of the participants provided his insight: “It depends on what kind of company you are. We are an IT company, which means our processes are ISO 27001 certified. We make sure we patch our systems. We update our hardware, switches and firewalls on a regular basis, to ensure we adhere to the latest technological standards.”
Another participant also added that: “Sometimes, outsourcing will be the best solution. If your organization lacks sufficient resources, you have to let someone do it who has all the proper knowledge.”
As you can see, two very different points of view (which made it a great discussion). Eventually we managed to connect these two very different point of views. It’s good to keep security close. But how do you do this? A large organization has its own resources. But if you are smaller and are forced to outsource your IT security, you still have to ask the right questions to make sure you understand and know everything is being arranged safely.
And there you have it. There is no one-size-fits-all answer. As the oracle of Delphi advised: know thyself.