Source: Computer Weekly
10 Aug 2018

Almost any critical security control can be outsourced. The services on offer range from low-level, largely commoditised ones, such as firewalls, network monitoring and anti-virus management, through to consultancy and bespoke services tailored to a specific organisation and a given deliverable.

Organisations can buy hours, completion of a particular activity or the expertise of an individual, such as CISO-as-a-service offerings. Organisations cannot, however, outsource risk or responsibility.

Irrespective of whether fault for a security incident rests with a third party, it will be the reputation of the organisation that suffers. For this reason, it is imperative that the information risks associated with any outsourcing arrangements are carefully evaluated and that the obligations of the supplier or service provider are precisely defined.

