In light of recent conversations at work i have been wondering what other people think about outsourcing of security to parties outside the organisation.

The reason for this is that whilst looking after the security of the network there are some parts, namly our VPN link, that are not in control of us and we have limited access to view the concentrator logs.
I am wondering what others think as i am of the opinion that if you are going to our source it should be all or nothing, depending on the size of the oranisationand resources available. The reason for this in my case, historically, was that there was not the skill base in-house to cope with this.
I find it increasingly difficult to work on keeping a network secure when there is a grey area that i have no access to that connects to the internet.
Having sneaked a look at the config of the firewall that the 3rd party controls, i have become increasing alarmed as although our request for changes have been actioned there are several inconsistances that give me concerns as to how it is managed.
The main problem i see with outsourcing of security devices in pieces is that you have to assume that the other party are doing a good job. We have on many occasions asked for a config of the devices but trying to find someone willing to give it out is very hard.
I just think that without knowledge of the internal network it is very difficult for a 3rd party to be able to work efficiently, plus the fact that any changes required take time to do and are chargable even when testing so simple tests tend to turn into a headbanging exercise of paper configs and working it though step my step to see if it should in theory work.
There is a movement to trasnfer these devices back to internal control, led by me due to the remote connection becoming more critical.
Anyway after my rant i feel better but my main point is that i have to make sure the network meet accredication standards that are high but how can anyone say the perimeter is secure when there is this grey area?
Even with external testing of the devices you have to assume that the config of devices is updated and kept locked down, but without access how does anyone know and if you have access to the config would it not be easier to do it yourself.
I can understand smaller companies needing to outsource such services due to manpower and internal resource but is there any place for this in mid-larger organisations?
Correct me if i am out of order on this.

One of the biggest problems I have seen with external security contractors is that they often do not gain enough familiarity with your site to provide effective cover. This is not always the case, particularly with smaller sites, but ask yourself how many other customers are vieing for their attention at any one time.

The catch is that smaller companies cannot afford a dedicated security staff and simply dumping this role on an existing staff member may not be an adequate solution. Horse for courses.

Jim