I wrote about outsourcing Identity Management back in July, which was an extension to another post I made in 2007.
Corbin Links left a well thought out, rather lengthy (in a good way) comment in response and makes a couple of good points.
He submits that businesses do not care about security and best practices:
"I’m sure I may ruffle a few feathers by saying this to some, but business -- by and large -- does not care about security. (Except for providers of security-related products and services...) Or rather, business only cares to the extent that market forces, customers, and regulatory agencies demands it."
"businesses invest in security because they have to, not because they want to."
and that best practices
"are the practices all organizations think they should be practicing, but in actuality do not. It’s a term that helps sell frameworks, tools, and conference passes, but that has very little tangible impact in many organizations."
He goes on to say:
"What businesses *do* care about, is processes, methods, and tools that can facilitate making money, improving bottom and top-lines, improving customer satisfaction, improving end-user experience, reducing time to marketing, reducing help desk costs and calls, streamlining processes, etc."
He brings up the point that industries that do not traditionally buy Identity and Access Management solutions would like them, but just don't have the expertise or the budgets. In this respect, they would gladly pay for the service and outsource it all:
"For many, the premise of outsourced management of IAM is very attractive. Because, many organizations realize that they:
1)Do not have the core competencies
2)Will never have the core competencies
3)Will never be in the business themselves of providing IAM-related services
4)Do not have their processes modeled
5)Do not have enough information or expertise, or time to define their current, much less future-state business processes
6)Are not qualified to determine accurately what risks really exist, levels of data protection needed, data classification levels, etc."
I agree with some of what he says through his comments, particularly regarding the fact that the "non-traditional Identity Management buying market" (particularly SMB) just don't do it because they can't justify the costs and effort required. A managed offering would certainly be more attractive in this respect.
I still don't discount the fact that there are data, privacy and security concerns that need to be worked through. Sure, some organisations will not care too much (probably because they don't have the big regulatory stick being waved at them) but it is up to us as professionals to make sure they care, especially if we're the ones providing the service to them. We have an ethical obligation to do so. And if in the process of educating organisations they decide not to buy anything, so be it (I can see all the sales people saying "nooooo why are you saying that?!?!").
As for the statement that business does not care about security and best practices (or only care as much as they need to), it depends. A majority behave this way (and I've been in many sales situations where we play on this fact), but I've also met C-level executives (including CEOs) that certainly do care about security. Sure, most of the time it's because they "don't want to be on the front page of the Wall Street Journal". It is rare that someone will care just because of ethical reasons and want their overal security posture to be sound (or dare I say, world class). But they do exist. And the ones that care know that they MUST have security in mind because they "do not know what they do not know." That is, they need to be proactive about security rather than reactive. Unfortunately, most organisations fall into the reactive category and so Corbin is mostly right.
I encourage you to read the comments and submit your own thoughts.