This article can also be found in the Premium Editorial Download "Information Security magazine: Special manager's guide: Monitoring identities."

Security is a notoriously difficult area in which to prove ROI; what is being measured is often the cost of nothing bad happening. To arrive at a realistic ROI, focus on metrics that can be measured rather than estimated.

For vulnerability management (VM) outsourcing, review how the service may save your enterprise head count. Are there full-time employees currently in charge of internal scanning, monitoring vulnerability lists and deploying patches? If so, how many of them can be reassigned to other jobs if the VM task is outsourced? Don't forget that you will still need staff to manage the outsourcer, as well as some to oversee escalation and change management approval.

Many enterprises are outsourcing vulnerability management to reduce demands on internal personnel and resources. There are many benefits that can be realized by outsourcing VM. Overall head count requirements for VM may go down as the tasks are assigned to the outsourcer and, subsequently, internal resources can be reassigned to other projects.

But VM outsourcing is not a decision to be made lightly. For the best chance at success, think through the questions and concerns that matter to your enterprise and get the answers from your outsourced agency in writing.

Remember that while much of the labor and resource requirements can be outsourced, accountability cannot. Someone at your organization will still be on the hook to ensure that the outsourcer takes the correct steps in managing the vulnerabilities. If all your white shirts come back from the laundry gray due to a bad process, who has to go to work the next day in a gray shirt? If your systems are attacked because the right patches or configurations were not applied, who takes the fall?

Think carefully about the process and how it will work optimally for your organization before dumping this laundry load on an outsourcer.

This was first published in August 2006
