We hit on this a little in the IDS / IPS thread I started a while back (http://www.antionline.com/showthread...hlight=ids+ips ), but I wanted to have further discussion on the pros and cons of managed or outsourced security.

In the aforementioned thread Tiger Shark talked in depth about why he is opposed. I have gotten similar remarks from Marcus Ranum to the effect that if you don't have the knowledge and skill set to provide your own security you also don't have the knowledge and skill set to evaluate and select a provider so you're damned if you do and damned if you don't.

Still, for some services and some companies I don't know if its fair to lump everything and every service together and say they're all bad. CERT has an extensive document detailing the benefits and risks of outsourcing security and including in depth practices to help guide the whole process. You can find that here: Outsourcing Managed Security Services

So- lets have some more discussion. Is outsourcing good? bad? what are the pros and cons, risks and benefits, caveats and pitfalls???