
The report showed that the number and cost of security breaches appear to be on the increase, with large enterprises being especially vulnerable. The survey attributes much of this trend to the growing use of externally hosted web-based services.
Previous surveys warned that "deployment of effective controls tends to lag behind the more rapid adoption of new technologies". The nature and number of incidents reported in 2010 indicate the trend is continuing.
Outsourcing and offshoring of IT services and business processes are powerful business improvement practices, capable of delivering impressive cost savings and operational benefits. At the same time, they introduce many significant changes to the supply chain. In particular, they bring about a major transformation of business, technology and security risk profiles.
With growing concerns about fraud and espionage set against a background of increasing regulatory compliance demands to safeguard personal data, the implications for security and privacy have become one of the most significant issues for any organization planning a major outsourcing or offshoring initiative.
The report also noted that a risk-based standard such as ISO 27001 is "increasingly becoming the lingua franca for information security", and that two-fifths of large organizations have been asked by their customers to comply with the standard.
There is surprisingly little published guidance about specifying and managing the security issues associated with outsourcing and offshoring. BSI's new book aims to fill that gap by setting out practical advice, methods and best practices for identifying and managing the security risks associated with the outsourcing and offshoring of IT or business services.

Industry guru David Lacey has shared his expert knowledge with BSI Standards to show organizations how to apply BS ISO/IEC 27001 and related standards to build a safer outsourced programme.
In his latest publication, Managing Security in Outsourced and Offshored Environments: How to Safeguard Intellectual Assets in a Virtual Business World, Lacey explains that the book is a culmination of his "experience as a senior security and technology director, including two decades of practical experience in specifying and managing the security, governance and risk management requirements for large commercial contracts, including a few in excess of a billion pounds in value."