Outsourcing Security Part 1: Noting the Benefits
Written By: Jim McLendon
Published On: April 2002
Remember the carefree days of summer? The memories aren't so positive for many corporations hit by cyber attacks during the summer of 2001. Three especially menacing threats-CodeRed, CodeRed II, and Nimda-cost U.S. corporations more than 12.3 billion dollars. After the fall-out, one company reported it had over 60 software engineers working for a week to recover from Nimda, and it still had work to do.
For many organizations, these recent network security breeches, as well as cyber terrorism discussions in the wake of the September terrorist attacks, have served as a wake-up call regarding the need for information security. Without effective security, companies risk losing money and customer trust. With good security, companies have the power to maintain stakeholder value, customer loyalty, and competitive advantage.
The Internet and the big "E's": e-business, e-commerce, and e-retailing, contribute to today's necessity for a protected company network. Big-even small-holes can lead to formidable problems. Consequently, a bullet-proof security program is critical to an enterprise's survival. Whether this effective security management comes from an in-house or outsourced program is a decision that must be made within a corporation using only its best data.
the first of a three-part series on managed security services, the following
describes why many organizations are choosing to outsource management and monitoring
of security systems.
is Part 1 of a 3-part article.
Part 1 notes the benefits of outsourcing security.
Part 2 will evaluate the cost of such an outsourcing.
Part 3 will provide guidelines for selecting a security services provider
Open for Business
E-commerce and e-business initiatives inspire companies to move toward an open, distributed network-computing environment. These environments are designed to enable employees, customers, partners, suppliers, and distributors to exchange and access information critical to conducting business. Unfortunately, these same networked environments create vulnerabilities that allow disgruntled workers, hackers, and other types of attackers-both internal and external-to wreak havoc on corporate systems through malicious acts of fraud and vandalism.
With customers and business partners dependent on accessing critical product and service data via open networks such as the Internet, companies must ensure the integrity of this information or risk jeopardizing their reputation and brand equity. The need to protect the bottom line, as well as corporate image and customer trust, drives the demand to effectively manage information security.
Other situations challenge today's networked businesses:
in deliberate criminal behavior directed at corporations
Following the September 11 terrorist attacks, government attention has increased
focus on legislation calling for stricter punishments for hackers. Even with
this focus, recent studies find the rate of cyber attacks to be on the rise.
Research also reveals that some industries are more often victimized than
others. Specifically, the high-tech, financial services, media, and energy
sectors experience the most frequent attacks.
An increasingly mobile workforce, telecommuting, and remote computing create
special security problems for companies. Enterprises are driven not only by
the desire to protect their information and physical assets, but also by the
need to ensure worker productivity. There is an increasing acceptance of worker
mobility and remote computing, but traditional corporate LANs and WANs are
insufficient to support this growing off-site work force. As remote access
to corporate networks increases, so does the need to protect transmission
of information to these remote points.
Surrounded by Obstacles
While security has never been so critical to the profitability of an enterprise, businesses face a number of barriers to achieving and maintaining in-house security programs.
of qualified security professionals
IT personnel are short in supply. According to The Meta Group, businesses
face a deficit of over 1 million IT professionals in the matter of a few years.
Experienced information security professionals are even harder to find, expensive
to hire, and difficult to retain due to extremely strong market demand. This
contributes to a high attrition rate among security workers that can reduce
a company's ability to effectively safeguard its valuable information assets.
resources and infrastructure to support 24x7 security
To provide around-the-clock security coverage, requirements are many: manpower
and supporting hardware, as well as software and equipment to build, upgrade,
maintain, operate, and control the systems. Companies often find these security
necessities don't fit with limited corporate resources sanctioned to support
the organization's primary business requirements.
complexity of security technology
Security for today's networks and information systems is more complex than
a few years ago. The methods and technologies used by hackers grows more sophisticated
each month. Particularly threatening are the devastating payloads of blended
threats. After being planted, blended threats simultaneously search out a
variety of vulnerabilities. Unlike a hacker who targets a specific application
or entity, blended threats currently carry as many as four different ways
of propagating themselves. Experts warn future blended threats may contain
as many as 15 or 20 propagation methods.
of time to dedicate to security issues
Keeping pace with the latest protection strategies demands extensive time
and training. For in-house professionals, tracking new cyber threats, vulnerabilities,
hacker techniques, and security developments removes them from other mission-critical
activities that provide higher return on investment.
Numerous organizations currently managing security in-house are looking for alternatives to overcome these obstacles. They want a way to maintain a strong security posture while focusing on core, revenue-generating e-business functions.
Outside the Box
For a growing number of organizations-large to small-outsourcing security tasks offers improved information protection by a seasoned team of experts in a cost-effective manner. According to a June 2000 survey by Hurwitz Group, as many as a quarter of companies with more than $10 billion in annual sales are using or considering handing over some of their security, such as firewalls, anti-virus software, virtual private networks, or intrusion detection, to a managed security service provider.
Analyst firm Gartner Dataquest states managed security services, defined as outsourced management and monitoring of security systems, is the fastest growing segment of the information security services market. "Managed Security Services Providers (MSSPs) use high-availability security operation centers (either from their own facilities or from data center providers) to support 24X7 services designed to reduce the number of operational security personnel an enterprise must hire, train, and retain to maintain an acceptable security posture."
For organizations facing the challenges of orchestrating in-house security, outsourced security represents a more effective alternative. Among other benefits, managed security offers the following:
of positive company reputation
By protecting critical assets from damage, theft and misuse, managed security
services help organizations avoid negative publicity and reduce network downtime
that can lead to diminished revenues and customer dissatisfaction.
to focus on company growth
At the strategic level, managed security services can free organizations to
focus their IT resources on strategic initiatives more central to core business
With the growing complexity and importance of today's networks and information
systems, managed security services offer the concentration and components
needed to provide a complete, impenetrable security management program.
following table details comparisons between in-house and outsourced security.
Security Software License
Security Services Provider
must hire, train and retain talent
provides skilled resources
must assume all risks
shares operation risks
scalability prohibits efficiency and effectiveness
efficiencies via MSSP's scalability
on skill, processes, and expertise of internal staff
by diligence, guaranteed response times, security vulnerability research,
and cumulative expertise of MSS team
on skill, processes, and expertise of staff
protection, critical alert notification and appropriate levels of response
based on event severity
A good managed security services provider can offer companies several advantages, including:
of cumulative knowledge and experience of dedicated security experts
The expertise of the MSSPs' security analysts and engineers who manage and
monitor security devices on a full-time basis is a valuable resource. These
analysts research and respond to security incidents and attacks every day.
This means they are considerably more aware of potential threats and more
knowledgeable about how to thwart attacks than a company's in-house staff.
responsibility with trusted security partner
MSSPs offer service-level agreements that provide the contractual obligation
to deliver services in a particular manner within a certain response time.
In addition, MSSPs provide security expertise with considerable experience
with intrusion detection and incident response practices.
24x7 security management
A good number of companies turn to MSSPs for outsourced security monitoring
and incident response-tasks that require constant vigilance. MSSPs provide
an "always-on" business environment, guarding their clients' networks and
insfrastructures to ensure protection during the very hours most hackers will
of existing security products
A good managed security services provider ensures that purchased solutions
are installed, implemented, and integrated to provide the on-going value a
company needs and expects.
- A cost-effective
approach to security management
By using MSSPs to provide protection for critical information assets, companies
can avoid extensive personnel costs associated with hiring, training, and
retaining security professionals. Managed security services reduce total cost
of ownership by allowing transfer of personnel costs to a variable expense.
Because managed services are billed on a monthly basis, it also allows a company
to better predict and mange its security-related budget.
concludes Part 1 of a 3-part article.
1 notes the benefits of outsourcing.
2 will evaluate the cost of outsourcing.
3 will provide guidelines for selecting a security services provider.
McLendon, Vice President of Symantec Security Services Global Business
Development, has more than 40 years experience in information security and information
operations. McLendon joined AXENT, and subsequently Symantec through acquisition,
after a distinguished career with the United States Air Force. As a retired
colonel, he has a wealth of expertise and command experience in special operations,
intelligence, and electronic warfare and information warfare. He has managed
large, diverse and geographically separated organizations, with leadership responsibilities
for more than 2,100 highly technical personnel. Much of his career was spent
in locations such as Taiwan, Vietnam, the United Kingdom, and Germany.
McLendon is a graduate of both the Air Force's Air War College and Air Command and Staff College. He earned his Masters of Science degree in Human Resources Management from Troy State University and his Bachelor of Arts degree in Management from the University of Maryland.
can be reached at Jmclendon@symantec.com
or for more information on Symantic Security Systems, go to www.symantec.com.