Over the last couple of years it has been hard to miss all the stories about data breaches at outsourcing firms, often the largest outsourcers in the world. If you're about to set up an outsourcing program, you may be thinking, "Why take on the security risks of outsourcing when my own network has never been penetrated by hackers? In fact, I don't think I have any security issues!"
If that were true, and you had a perfect security history, it might be a good reason to think twice before you outsourced. However, very few corporations have a perfect record. Sometimes news of a corporate security problem makes it to the press, but these reports are usually limited to breaches of the catastrophic variety. Every day there are smaller problems that are not reported, and there are large-scale problems that the corporation is not aware of, because it does not have the same level of intruder testing that outsourcers have.
If the corporation is aware of a major breach, where the records of hundreds of thousands of users are stolen, it would be reported. However, if a single computer gets a virus, it would not be reported. For everything in between, it's not very clear what does and doesn't get reported. However, a new lawsuit may change that.
Patco Construction Company recently sued its bank for $350,000 it lost due to a security breach, because: 1) the bank was aware of suspicious "probing" of the account, 2) the bank's security systems were inadequate by industry standards, and 3) the bank chose not to report its information to its customer, allowing the data thieves time to steal money from the account.
So, it's a lot harder to tell the difference between corporations that have few explicit rules about informing the general public about security issues and outsourcing firms that may have very specific contractual obligations to report to many individual customers and therefore make more regular public admissions of security issues. You need to do your own homework, but don't assume that your firm's record is perfect just because you don't read about security problems. Dig around and ask about third-party testing, how frequently security attacks are simulated, etc.