Outsourcing Security Part 2: Measuring the Cost

  • Written By: Jim McLendon
  • Published On: April 9 2002



Introduction

For organizations of all sizes, outsourcing security is becoming an increasingly attractive method for maintaining a strong security posture. In fact, outsourced security is the fastest growing segment of the information security services market, according to a recent Gartner Dataquest study.

Often, the decision to outsource security is based on cost: Can the company effectively outsource or co-source security management functions while still realizing a good return on investment?

The following is part two of a three-part series on outsourced security. This article helps organizations calculate the cost for managing security and provides a real-life scenario of cost comparisons to help organizations build a foundation for a financial analysis when considering a managed security services provider (MSSP).

This is Part 2 of a 3-part article.

Part 1 noted the benefits of outsourcing security.

Part 2 evaluates the cost of such an outsourcing.

Part 3 will provide guidelines for selecting a security services provider.

Bolstering Budgets

Along with a rise in cyber attacks, experts say the outsourced services market is growing as a result of the September 11 terrorist attacks. The tragic events have caused a marked increase in government spending, much of which will be directed to consultants and outside managed security service providers.

Gartner estimates that as much as 40 percent of all external IT spending went to services in 2000-as opposed to purchases of hardware or software-and IT services will account for 45 percent of all end-user spending by 2004. In dollar figures, Gartner says worldwide spending is valued at $363 billion today, and should reach $569 billion by 2004.

Calculating Costs

Evaluating the cost of outsourcing can be challenging because most organizations cannot fully estimate the financial impact of such a decision. In fact, a recent InfoWorld outsourcing study of 100 technology professionals said that 61 percent of organizations did not know how much money their company would save in the next 12 months by outsourcing IT functions. This is true for most organizations considering outsourcing security services.

When a company considers outsourcing managed security services, it must estimate several variables over the duration of the managed security services contract:

  • All relevant capital and operating costs
  • Costs of supervising the managed security services provider
  • The "cost of money" and interest costs
  • Residual value of equipment and facilities
  • Cost of transition, including personnel
  • Cost of changes in direction and level of resources
  • Cost of contract modifications

In addition, the range of services an MSSP provides can vary. Some MSSPs will only manage certain security products and technologies and require a specific brand of security technology be purchased or swapped-out for an organizations' existing technology. Other MSSPs require additional purchases of specialized or proprietary technology for log file and event stream collection, analysis, and filtering.

To effectively compute the total cost of ownership of in-house security management, a wide range of costs must be considered over a number of years. A company must identify and evaluate both overt and hidden costs. The following sections list many of the costs of a security management program.

Equipment

Hardware and software costs
For in-house security management, companies must determine the cost of all hardware and software necessary for security management and operations. This includes servers, PCs, and peripheral equipment, as well as all associated operating systems, database, application, and security software. Additional hardware and software required to support the security operations include system and network management tools, help desk systems, integrated management consoles and knowledge-based management systems and software.

License costs
The cost of all software licenses, including patches, incremental updates, and new versions of the software should be calculated over the expected software lifecycle.

Maintenance
Maintenance fees for software and equipment must be factored into the total cost of ownership. Software maintenance is typically 15 to 25 percent of the list price of the software annually. An organization with $1 million in software licenses will pay $150,000 in maintenance costs (on the low end) each year. Companies should be aware of the level of support they receive for that cost. Some managed security services contracts provide 8 or 10 hours of coverage and support, while others deliver 24x7 support.

Personnel
Staffing for information security professionals is perhaps the most crucial, most difficult, and most costly component of an effective security management program. The top market challenge is hiring and retaining a skilled base of security professionals. The cost of staffing includes not just the cost of salaries, but also additional compensation (bonuses, stock incentives, etc.), space, and equipment costs, and the cost of ongoing education and training. The salaries of security administrators and officers vary depending on geography and level of skill and expertise. According to a recent survey by InformantionWeekresearch.com, average compensation for staff level (not management) information security professionals in the Dallas area is:

High Average Low
$88,375 $71,750 $64,000

If a company has a typical 8 a.m. to 5 p.m. operations day, but plans to expand to 24x7 security operations, then it must consider staffing multiple shifts of workers to provide coverage 365 days per year:

  • Shift one for the morning
  • Shift two for afternoon/evening
  • Shift three for evening/early morning hours
  • Shift four weekend work and time-off-coverage for shifts one, two, and three

Thus, it would take a minimum of four resources to cover one seat in a 24x7 security operation. And these additional resources would need a range of expertise or specialization in different types of security issues.

Recruiting
Due to high turnover rate in the IT field, organizations also need to consider the cost of recruiting. Whether internal HR staff or external recruiters are used, the cost of recruiting may average 20 to 30 percent of total annual compensation costs of the position being recruited.

Training and education
Ongoing training and education of security professionals is essential to honing skills and, more importantly, keeping staff current in an ever-changing, fast-paced technology environment. Ongoing education must encompass the latest security tools and technologies, threat techniques, and protection strategies. Costs in this area may include:

  • Product or technology training
  • Training in general security awareness
  • Certification preparation classes Certification costs
  • Attendance at major security conferences or shows
  • Books, magazines, subscriptions, journals, or e-learning courses to keep security professionals abreast of the latest technologies, tips, techniques, threats, and safeguards in the industry

It is typical for organizations to provide guidelines on the amount of training employees receive each year. A minimum of two weeks is frequently provided, but more is often necessary. Most security courses are one week in duration; therefore, each employee would be eligible to attend two security courses per year. Since the cost of courses may range from $1,500 to $3,000, a typical cost per headcount for training would be $5,000 a year.

Facilities

Security Operations Center
The cost of building and staffing for 24x7 security operations can be extremely high. It is cost-prohibitive for most organizations to build or lease a security operations center (SOC), as building or leasing space in a network/security operation center can exceed $100 million in capital expenditure. If existing space is already established or available for security management and monitoring, the build-out cost for a reasonably sized security operation center, perhaps 30 seats, will be upwards of $1 million. The costs can be extreme for many organizations once required equipment, fire suppression systems for high-availability, redundant operations and other features are combined.

Setting a Scenario

Example: In-house versus outsourced managed security costs
When considering the expenses and cost associated with in-house versus outsourced security management over a two-year program for a mid-sized company, the benefits and cost savings of a multi-year managed service contract should be considered in totality. In some cases, the first year's savings may be considerably higher when compared to subsequent years, as security requirements evolve and change.

Company Profile Sand Pharmaceuticals is a pioneer and world leader in discovering new treatments for debilitating diseases and medical conditions. The company employees 3,000 personnel and has an IT staff of 40, with five dedicated to managing information security. Sand Pharmaceuticals has implemented firewalls and is now deploying intrusion detection system (IDS) technology. For maximum protection of the company, its security staff has deployed three firewalls and also needs network-based IDS for six network segments, and host-based IDS 24X7 on 10 critical servers in the enterprise.

Year 1 In-house
8AM to 5PM
(5 staff)
In-house
24X7 operations
(15 staff)
Outsourced
MSS Solution
RESOURCES
Salaries (1) $501,000 $1,503,000 N/A
Training (2) $25,000 $75,000 N/A
Recruiting (3) $37,575 $288,075 N/A
EQUIPMENT
Software (4) $81,875 $81,875 $81,875
Maintenance (5) $12,281 $12,281 $12,281
Implementation
and Setup (6)
Cost varies Cost varies $23,960
Management N/A N/A $348,000
Total $657,731
+ set up
$1,960,231
+ setup
$466,116

Year 2 In-house
8AM to 5PM
(5 staff)
In-house
24X7 operations
(15 staff)
Outsourced
MSS Solution
RESOURCES
Salaries (7) $546,090 $1,638,270 N/A
Training $25,000 $75,000 N/A
Recruiting (8) $40,957 $112,870 N/A
EQUIPMENT
Maintenance (5) $12,281 $12,281 $12,281
Management N/A N/A $348,000
Total $624,328 $1,838,421 $360,281

(1) Based on InformationWeek Salary Advisor. Mean high total compensation (including salary, stock options, and bonuses) of typical security professional in Houston, Texas. Salaries of typical security professionals in Houston, Texas. Salaries include four staff ($88,375) and one manager ($147,500).
(2) Training cost estimated at $5,000 per employee based on two classes per year at industry standard prices for security training courses.
(3) This scenario assumes the company already has the five daytime positions on staff. It also assumes a conservative 30 percent annual turnover rate for security personnel. To plus up for 24X7 in-house operations, first-year recruiting costs are high because, in addition to the 30 percent turnover of the original five positions, 10 new positions are necessary. Recruiting cost is based on 25 percent cost of total annual compensation for in-house security professionals.
(4) Software cost based on three unlimited user licenses for Symantec Enterprise Firewall/VPN. Symantec NetProwler IDS licenses for six network segments, and Symantec Intruder Alert host IDS licenses for 10 servers.
(5) Maintenance cost based on 15 percent of software license cost.
(6) Setup cost includes implementation and setup services for remote management and ongoing maintenance for software. Without MSSP, implementation services are costlier and company must provide ongoing software maintenance (upgrades, patches, etc.) with internal resources.
(7) Salary increases based on average high 9 percent increase over previous year.
(8) This scenario assumes a conservative 30 percent annual turnover rate for all security personnel. Recruiting cost is based on 25 percent cost of total annual compensation for in-house security professionals.

Assuming the company keeps its five daytime IT security staff for mission-essential in-house security support, first-year savings for outsourcing 24x7 security operations is approximately $836,384. Second-year savings for outsourcing 24x7 security operations is about $853,812.

Coming to a Conclusion

Making the decision on whether to staff in-house for security services or hire a managed security services provider is a decision best made with much research and budgetary scrutiny with scenarios ranging over a number of years, focusing on maintaining a strong security posture while enabling revenue-generating e-business functions. In the end, many say the price of performing this business audit and possibly adding managed security services is small when compared with the cost of losing customer confidence due to security breaks.

This concludes Part 2 of a 3-part article.

Part 1 noted the benefits of outsourcing security.

Part 2 evaluates the cost of such an outsourcing.

Part 3 will provide guidelines for selecting a security services provider.

About the Author

Jim McLendon, Vice President of Symantec Security Services Global Business Development, has more than 40 years experience in information security and information operations. McLendon joined AXENT, and subsequently Symantec through acquisition, after a distinguished career with the United States Air Force. As a retired colonel, he has a wealth of expertise and command experience in special operations, intelligence, and electronic warfare and information warfare. He has managed large, diverse and geographically separated organizations, with leadership responsibilities for more than 2,100 highly technical personnel. Much of his career was spent in locations such as Taiwan, Vietnam, the United Kingdom, and Germany.

McLendon is a graduate of both the Air Force's Air War College and Air Command and Staff College. He earned his Masters of Science degree in Human Resources Management from Troy State University and his Bachelor of Arts degree in Management from the University of Maryland.

He can be reached at Jmclendon@symantec.com or for more information on Symantic Security Systems, go to www.symantec.com.

 
comments powered by Disqus