Transference, a risk control strategy that transfers risks to other areas or external entities (Whitman, 2018), is a practice that has become increasingly popular in modern times. With the steady rise of organizations utilizing MSPs (managed service providers) in place of internal IT, infosec, and web development personnel, more companies are handing over the responsibility of creating and protecting information assets to a third party. In the risk transference strategy, something as simple as purchasing property insurance for your organization is an excellent example of how another entity can assume risk, thus relieving the organization of financial responsibility in the event of a fire, storm, or theft.
Another example of an organizational risk transference strategy would be outsourcing an organization’s general security practices to an MSP; in such an arrangement, the MSP would be directly responsible for all specified security practices for the organization, meeting the decided-upon SLA requirements that both entities set. In my opinion, using risk transference for insurance-related activities is optimal due to not requiring a vast number of internal legal and financial employees to create, manage, and audit insurance events, policies, and claims. While using an MSP for security-related operations can be beneficial for smaller organizations, an MSP, without communication with some form of internal infosec or IT staff, can be severely lacking in protective measures due to the MSP’s lack of in-depth knowledge of the organization.
In my experience, an MSP can provide many useful functions with regard to fulfilling typical IT operations; however, to rely solely on an outsider to understand a company’s specific security needs, basing its adjustments on the layout, importance, and usage of the company’s information assets, would create more problems than it would solve. At the very least, a company can indeed minimize the size of its IT or infosec department by utilizing an MSP; however, the risk transference should never be entirely one-sided, as it should be the responsibility of all parties to ensure the proper continuation and security of data flow and storage, to and from the organization.
Whitman, M. E., & Mattord, H. J. (2018). Management of Information Security (6th ed.). Singapore: Cengage Learning Asia Pte Ltd.