Outsourcing security a good plan, but be careful out there
Can you trust an outsider to handle your information security? Yes,
if you proceed with caution and ask all the right questions.
by Johanna Ambrosio
Paying someone else to watch over your information is a good business
strategy, experts agree, but you need to make this move only after a
considerable amount of up-front planning and research.
First, you should never outsource all of your security needs. Second,
you need to pay extremely close attention to know exactly what you're
buying -- what's included in the contract. And third, you must select
your provider very carefully, especially given the recent failure of
two high-profile security outsourcers.
Just about all businesses, whether large or small, can benefit from
some degree of outsourcing. But the smaller you are, the more likely
that you'll need to let someone else manage a good portion of your
Be careful, though, not to abdicate all your security needs to an
outsider. "Outsourcers shouldn't be your only security option," warns
Cate Quirk, an analyst at AMR Research in Boston. "You need to keep
your intellectual property or public-key infrastructure or secure ID
layout closer to home with an in-house security administrator. You
don't want an outsider to have complete and total control over
everything," she says.
There are dozens of specialized security outsourcers -- also called
managed security service providers (MSSPs). The most popular array of
services includes selecting, installing and monitoring three key
systems: your corporate firewall, virtual private network and
intrusion-detection setup. Managed antivirus services and Web content
filtering and blocking are becoming more popular, says Allan Carey, a
senior analyst at IDC in Framingham, Mass.
All of these services can be purchased discretely or as a bundled
suite, depending on your needs.
Prices are generally based on one of two things: a flat monthly fee,
or one that's based on the number of systems and devices that are
being monitored. Monthly fees can range from $2,000 to $15,000 or
more, depending on what level of service you want.
You can, for example, choose to have all your audit logs delivered to
you unedited. Then you'll need to go through them to see what's being
hacked on your network. Alternatively, your MSSP will aggregate and
go through the logs for you, and will deliver summary data that
explains where your vulnerabilities are.
Similarly, if there is a problem, you can elect to have the MSSP deal
with it -- find and fix the issue either on- or off-site -- or you
can choose to resolve the problem yourself.
Another issue that affects the price you pay: whether the MSSP is
monitoring your systems and is available to resolve any problems on a
24x7 basis. And it's worth asking how many people at the MSSP's shop
will be available to you, either on a dedicated or as-needed basis,
as well as what the response time is in the event of a security
breach. Another issue to raise is scalability. Make sure your
provider can grow with your business.
Also, keep in mind that services can vary a great deal from vendor to
vendor, which makes doing apples-to-apples comparisons difficult.
The big names in the MSSP field include Riptech Inc. Va., Internet
Security Systems Inc. in Atlanta, and Counterpane Internet Security,
Inc. in Cupertino, Calif., AMR's Quirk says. Other providers include
Foundstone Inc. in Irvine, Calif., and Guardent Inc. in Waltham, Mass.
This list used to include two more names: Pilot Network Services and
Salinas Group, both of which recently shut their doors with no
warning to customers. Their failure, especially in an area as
mission-critical as security, points to the need for customers to do
a lot of examination before settling on a vendor, Carey says.
"Both Pilot and Salinas were companies that had been around for a
while," Carey explains. "That's one of the reasons that many
prospective customers are asking MSSPs for financial statements as
well as customer references, to make sure the vendor is financially
stable." Most suppliers, even private companies, will share financial
information with would-be clients under nondisclosure agreements.
Despite the market casualties, IDC is predicting that the need for
managed security services will continue to grow by a compound annual
rate of approximately 28%. Carey says that the U.S. market in 2000
was around $720 million, and this should grow to around $2.4 billion
in 2005. In addition to the increased need for these kinds of
services, a shortage of IT security professionals will help fuel the
growth, he says.
Carey suggests that customers "look carefully at service level
agreements and examine where the liabilities are placed" -- on the
service provider or the customer. He also advises starting small, by
outsourcing one or two small components of your security, and then
assessing how it's going and adding more services if you're happy.
"It can be an incremental process," he says.
This was first published in September 2001