But security outsourcing still tends to elicit negative views.

"My bias is against it," says Jon Gossels, president of consultancy SystemExperts, which advises corporations on security strategy, with a focus on regulatory issues.

Gossels says he could see outsourcing a few "discrete functions," such as log monitoring or penetration testing. "But I've never seen large-scale outsourcing work well," Gossels cautions. "Security is a business enabler, and the decisions you make every day in your IT infrastructure impact the business. I don't see how you can do that in an outsourcing way."

That appears to remain the dominant view.

A survey of 479 security professionals conducted by the US Computer Security Institute late last year asked what percentage of computer security functions were outsourced in their organizations. Sixty-one per cent of the respondents -- who hailed from industries as diverse as finance, transportation, retail, education, telecom as well as government --answered "none".

Only 5 per cent had outsourced more than 60 per cent of computer security functions, with 2 per cent in the 81 per cent to 100 per cent range. The CSI survey concluded, "While there's certainly a market for outsourcing some kind of security tasks (security testing of customer-facing Web applications being one such example) where the specialized nature of the work and the ability to segregate the task for access to key enterprise assets make outsourcing more appealing, it doesn't appear that the appetite for such outsourcing is growing overall."

CSI, which conducts an annual security survey, said the results related to the question of outsourcing security haven't changed in the three years since they started asking it.