A new book is out that sounds worth reading. It's titled, Outsourcing Information Security by C. Warren Axelrod. I don't have my hands on it yet, but you can read a review of it on Slashdot here.
The reviewer writes:
The author's general tone is against the outsourcing of information security; but provides readers with the various benefits and risks involved in outsourcing security, and let's them ultimate decide if outsourcing security is right for their organization. It is the reader who must define, evaluate and manage those risks and determine if outsourcing is a viable solution. These include technology, business and legal risks.
You can read the publisher's description of the book here.