Outsourcing Security Part 1: Noting the Benefits

  • Written By:
  • Published:


Remember the carefree days of summer? The memories aren't so positive for many corporations hit by cyber attacks during the summer of 2001. Three especially menacing threats-CodeRed, CodeRed II, and Nimda-cost U.S. corporations more than 12.3 billion dollars. After the fall-out, one company reported it had over 60 software engineers working for a week to recover from Nimda, and it still had work to do.

For many organizations, these recent network security breeches, as well as cyber terrorism discussions in the wake of the September terrorist attacks, have served as a wake-up call regarding the need for information security. Without effective security, companies risk losing money and customer trust. With good security, companies have the power to maintain stakeholder value, customer loyalty, and competitive advantage.

The Internet and the big "E's": e-business, e-commerce, and e-retailing, contribute to today's necessity for a protected company network. Big-even small-holes can lead to formidable problems. Consequently, a bullet-proof security program is critical to an enterprise's survival. Whether this effective security management comes from an in-house or outsourced program is a decision that must be made within a corporation using only its best data.

As the first of a three-part series on managed security services, the following describes why many organizations are choosing to outsource management and monitoring of security systems.

This is Part 1 of a 3-part article.

Part 1 notes the benefits of outsourcing security.
Part 2 will evaluate the cost of such an outsourcing.
Part 3 will provide guidelines for selecting a security services provider

Open for Business

E-commerce and e-business initiatives inspire companies to move toward an open, distributed network-computing environment. These environments are designed to enable employees, customers, partners, suppliers, and distributors to exchange and access information critical to conducting business. Unfortunately, these same networked environments create vulnerabilities that allow disgruntled workers, hackers, and other types of attackers-both internal and external-to wreak havoc on corporate systems through malicious acts of fraud and vandalism.

With customers and business partners dependent on accessing critical product and service data via open networks such as the Internet, companies must ensure the integrity of this information or risk jeopardizing their reputation and brand equity. The need to protect the bottom line, as well as corporate image and customer trust, drives the demand to effectively manage information security.

Other situations challenge today's networked businesses:

  • Rise in deliberate criminal behavior directed at corporations
    Following the September 11 terrorist attacks, government attention has increased focus on legislation calling for stricter punishments for hackers. Even with this focus, recent studies find the rate of cyber attacks to be on the rise. Research also reveals that some industries are more often victimized than others. Specifically, the high-tech, financial services, media, and energy sectors experience the most frequent attacks.

  • Growing mobile workforce
    An increasingly mobile workforce, telecommuting, and remote computing create special security problems for companies. Enterprises are driven not only by the desire to protect their information and physical assets, but also by the need to ensure worker productivity. There is an increasing acceptance of worker mobility and remote computing, but traditional corporate LANs and WANs are insufficient to support this growing off-site work force. As remote access to corporate networks increases, so does the need to protect transmission of information to these remote points.

Surrounded by Obstacles

While security has never been so critical to the profitability of an enterprise, businesses face a number of barriers to achieving and maintaining in-house security programs.

  • Shortage of qualified security professionals
    IT personnel are short in supply. According to The Meta Group, businesses face a deficit of over 1 million IT professionals in the matter of a few years. Experienced information security professionals are even harder to find, expensive to hire, and difficult to retain due to extremely strong market demand. This contributes to a high attrition rate among security workers that can reduce a company's ability to effectively safeguard its valuable information assets.

  • Insufficient resources and infrastructure to support 24x7 security
    To provide around-the-clock security coverage, requirements are many: manpower and supporting hardware, as well as software and equipment to build, upgrade, maintain, operate, and control the systems. Companies often find these security necessities don't fit with limited corporate resources sanctioned to support the organization's primary business requirements.

  • Rising complexity of security technology
    Security for today's networks and information systems is more complex than a few years ago. The methods and technologies used by hackers grows more sophisticated each month. Particularly threatening are the devastating payloads of blended threats. After being planted, blended threats simultaneously search out a variety of vulnerabilities. Unlike a hacker who targets a specific application or entity, blended threats currently carry as many as four different ways of propagating themselves. Experts warn future blended threats may contain as many as 15 or 20 propagation methods.

  • Lack of time to dedicate to security issues
    Keeping pace with the latest protection strategies demands extensive time and training. For in-house professionals, tracking new cyber threats, vulnerabilities, hacker techniques, and security developments removes them from other mission-critical activities that provide higher return on investment.

Numerous organizations currently managing security in-house are looking for alternatives to overcome these obstacles. They want a way to maintain a strong security posture while focusing on core, revenue-generating e-business functions.

Outside the Box

For a growing number of organizations-large to small-outsourcing security tasks offers improved information protection by a seasoned team of experts in a cost-effective manner. According to a June 2000 survey by Hurwitz Group, as many as a quarter of companies with more than $10 billion in annual sales are using or considering handing over some of their security, such as firewalls, anti-virus software, virtual private networks, or intrusion detection, to a managed security service provider.

Analyst firm Gartner Dataquest states managed security services, defined as outsourced management and monitoring of security systems, is the fastest growing segment of the information security services market. "Managed Security Services Providers (MSSPs) use high-availability security operation centers (either from their own facilities or from data center providers) to support 24X7 services designed to reduce the number of operational security personnel an enterprise must hire, train, and retain to maintain an acceptable security posture."

For organizations facing the challenges of orchestrating in-house security, outsourced security represents a more effective alternative. Among other benefits, managed security offers the following:

  • Maintenance of positive company reputation
    By protecting critical assets from damage, theft and misuse, managed security services help organizations avoid negative publicity and reduce network downtime that can lead to diminished revenues and customer dissatisfaction.

  • Freedom to focus on company growth
    At the strategic level, managed security services can free organizations to focus their IT resources on strategic initiatives more central to core business priorities.

  • Improved information protection
    With the growing complexity and importance of today's networks and information systems, managed security services offer the concentration and components needed to provide a complete, impenetrable security management program.

The following table details comparisons between in-house and outsourced security.

Traditional Security Software License Managed Security Services Provider
Entry cost High Low
Installation and implementation Requires in-house resources MSSP handles implementation
Time to value Long Short
Skilled resources Company must hire, train and retain talent MSSP provides skilled resources
Security risk Company must assume all risks MSSP shares operation risks
Efficiency and effectiveness Limited scalability prohibits efficiency and effectiveness Greater efficiencies via MSSP's scalability
Security posture Dependent on skill, processes, and expertise of internal staff Improved by diligence, guaranteed response times, security vulnerability research, and cumulative expertise of MSS team
Response Dependent on skill, processes, and expertise of staff 24x7 protection, critical alert notification and appropriate levels of response based on event severity

A good managed security services provider can offer companies several advantages, including:

  • Use of cumulative knowledge and experience of dedicated security experts
    The expertise of the MSSPs' security analysts and engineers who manage and monitor security devices on a full-time basis is a valuable resource. These analysts research and respond to security incidents and attacks every day. This means they are considerably more aware of potential threats and more knowledgeable about how to thwart attacks than a company's in-house staff.

  • Shared responsibility with trusted security partner
    MSSPs offer service-level agreements that provide the contractual obligation to deliver services in a particular manner within a certain response time. In addition, MSSPs provide security expertise with considerable experience with intrusion detection and incident response practices.

  • Reliable 24x7 security management
    A good number of companies turn to MSSPs for outsourced security monitoring and incident response-tasks that require constant vigilance. MSSPs provide an "always-on" business environment, guarding their clients' networks and insfrastructures to ensure protection during the very hours most hackers will attack.

  • Maximization of existing security products
    A good managed security services provider ensures that purchased solutions are installed, implemented, and integrated to provide the on-going value a company needs and expects.

  • A cost-effective approach to security management
    By using MSSPs to provide protection for critical information assets, companies can avoid extensive personnel costs associated with hiring, training, and retaining security professionals. Managed security services reduce total cost of ownership by allowing transfer of personnel costs to a variable expense. Because managed services are billed on a monthly basis, it also allows a company to better predict and mange its security-related budget.

This concludes Part 1 of a 3-part article.

Part 1 notes the benefits of outsourcing.

Part 2 will evaluate the cost of outsourcing.

Part 3 will provide guidelines for selecting a security services provider.

About the Author

Jim McLendon, Vice President of Symantec Security Services Global Business Development, has more than 40 years experience in information security and information operations. McLendon joined AXENT, and subsequently Symantec through acquisition, after a distinguished career with the United States Air Force. As a retired colonel, he has a wealth of expertise and command experience in special operations, intelligence, and electronic warfare and information warfare. He has managed large, diverse and geographically separated organizations, with leadership responsibilities for more than 2,100 highly technical personnel. Much of his career was spent in locations such as Taiwan, Vietnam, the United Kingdom, and Germany.

McLendon is a graduate of both the Air Force's Air War College and Air Command and Staff College. He earned his Masters of Science degree in Human Resources Management from Troy State University and his Bachelor of Arts degree in Management from the University of Maryland.

He can be reached at Jmclendon@symantec.com or for more information on Symantic Security Systems, go to www.symantec.com.

comments powered by Disqus