Outsourcing, particularly in the information security space, should be about helping clients improve their security performance, rather than about vendors improving their own performance at their clients' expense. A recent comment from security software firm Solutionary, as reported in SC Magazine, was that security audits are a bad thing because they can encourage complacency. While there is sometimes truth in that argument, I think it bends reality a little too conveniently to suit someone's own marketing agenda. Of course complacency is the last thing we need if IT security is to be achieved, but the answer isn't necessarily to outsource the whole problem to a (doubtless excellent) security provider like Solutionary. IT security is a real concern for a lot of businesses, and for many of them a security audit is an integral part of a balanced and comprehensive approach to information security. For these firms, security audits are very definitely an essential part of an affordable security solution. The important point is to ensure that audits don't exist in isolation: an audit is a snapshot, and its findings only reduce risk if they feed into a proper ISMS (information security management system) that keeps security under continuous review and ensures compliance with, you guessed it, ISO 27001.
Security audits
November 30, 2005