Book Review: Outsourcing Information Security
Whenever the topic of outsourcing comes up, some find it difficult to think rationally. The decision of whether (and what) to outsource hinges on factors that are difficult to estimate, and the hidden agendas or preconceived notions of the decision makers come into play. Such is the case with information security risk management decisions as well: subjectivity reigns. Combine the two, and what do you get? The world of information security consulting firms and managed security service providers (MSSPs).
Outsourcing Information Security by C. Warren Axelrod was intended to guide the uninitiated through each step of the outsourcing process, helping to steer clear of the pitfalls and achieve a partnership with the service provider that is of lasting benefit. However, much of the content is not specific to information security, which was not only disappointing, but a missed opportunity as well. I picked up the book hoping to find advice on selecting risk assessment specialists, auditors, penetration testers, policy developers, and business continuity consultants. Instead, the focus was on generic business issues related to outsourcing that would be considered common sense by most managers. In short, the book would have been more useful had it been aimed at an audience with sound knowledge of business management and limited exposure to information security, not the other way around.