Introduction
Remember the carefree days of summer? The memories aren't so positive for many corporations hit by cyber attacks during the summer of 2001. Three especially menacing threats (CodeRed, CodeRed II, and Nimda) cost U.S. corporations more than 12.3 billion dollars. After the fallout, one company reported it had over 60 software engineers working for a week to recover from Nimda, and it still had work to do.
For many organizations, these recent network security breaches, as well as cyber terrorism discussions in the wake of the September terrorist attacks, have served as a wake-up call regarding the need for information security. Without effective security, companies risk losing money and customer trust. With good security, companies have the power to maintain stakeholder value, customer loyalty, and competitive advantage.
The Internet and the big "E's" (e-business, e-commerce, and e-retailing) contribute to today's necessity for a protected company network. Big, even small, holes can lead to formidable problems. Consequently, a bullet-proof security program is critical to an enterprise's survival. Whether this effective security management comes from an in-house or outsourced program is a decision that must be made within a corporation using only its best data.
As the first of a three-part series on managed security services, the following describes why many organizations are choosing to outsource management and monitoring of security systems.
This is Part 1 of a 3-part article.
Part 1 notes the benefits of outsourcing security.
Part 2 will evaluate the cost of such an outsourcing.
Part 3 will provide guidelines for selecting a security services provider.
Open for Business
E-commerce and e-business initiatives inspire companies to move toward an open, distributed network-computing environment. These environments are designed to enable employees, customers, partners, suppliers, and distributors to exchange and access information critical to conducting business. Unfortunately, these same networked environments create vulnerabilities that allow disgruntled workers, hackers, and other types of attackers, both internal and external, to wreak havoc on corporate systems through malicious acts of fraud and vandalism.
With customers and business partners dependent on accessing critical product and service data via open networks such as the Internet, companies must ensure the integrity of this information or risk jeopardizing their reputation and brand equity. The need to protect the bottom line, as well as corporate image and customer trust, drives the demand to effectively manage information security.
Other situations challenge today's networked businesses:
- Rise in deliberate criminal behavior directed at corporations
  Following the September 11 terrorist attacks, government attention has increasingly focused on legislation calling for stricter punishments for hackers. Even with this focus, recent studies find the rate of cyber attacks to be on the rise. Research also reveals that some industries are more often victimized than others. Specifically, the high-tech, financial services, media, and energy sectors experience the most frequent attacks.
- Growing mobile workforce
  An increasingly mobile workforce, telecommuting, and remote computing create special security problems for companies. Enterprises are driven not only by the desire to protect their information and physical assets, but also by the need to ensure worker productivity. There is an increasing acceptance of worker mobility and remote computing, but traditional corporate LANs and WANs are insufficient to support this growing off-site work force. As remote access to corporate networks increases, so does the need to protect transmission of information to these remote points.
Surrounded by Obstacles
While security has never been so critical to the profitability of an enterprise, businesses face a number of barriers to achieving and maintaining in-house security programs.
- Shortage of qualified security professionals
  IT personnel are in short supply. According to The Meta Group, businesses face a deficit of over 1 million IT professionals in a matter of a few years. Experienced information security professionals are even harder to find, expensive to hire, and difficult to retain due to extremely strong market demand. This contributes to a high attrition rate among security workers that can reduce a company's ability to effectively safeguard its valuable information assets.
- Insufficient resources and infrastructure to support 24x7 security
  Around-the-clock security coverage has many requirements: manpower and supporting hardware, as well as software and equipment to build, upgrade, maintain, operate, and control the systems. Companies often find these security necessities don't fit with limited corporate resources sanctioned to support the organization's primary business requirements.
- Rising complexity of security technology
  Security for today's networks and information systems is more complex than a few years ago. The methods and technologies used by hackers grow more sophisticated each month. Particularly threatening are the devastating payloads of blended threats. After being planted, blended threats simultaneously search out a variety of vulnerabilities. Unlike a hacker who targets a specific application or entity, blended threats currently carry as many as four different ways of propagating themselves. Experts warn future blended threats may contain as many as 15 or 20 propagation methods.
- Lack of time to dedicate to security issues
  Keeping pace with the latest protection strategies demands extensive time and training. For in-house professionals, tracking new cyber threats, vulnerabilities, hacker techniques, and security developments removes them from other mission-critical activities that provide higher return on investment.
Numerous organizations currently managing security in-house are looking for alternatives to overcome these obstacles. They want a way to maintain a strong security posture while focusing on core, revenue-generating e-business functions.
Outside the Box
For a growing number of organizations, large to small, outsourcing security tasks offers improved information protection by a seasoned team of experts in a cost-effective manner. According to a June 2000 survey by Hurwitz Group, as many as a quarter of companies with more than $10 billion in annual sales are using or considering handing over some of their security, such as firewalls, anti-virus software, virtual private networks, or intrusion detection, to a managed security service provider.
Analyst firm Gartner Dataquest states managed security services, defined as outsourced management and monitoring of security systems, is the fastest growing segment of the information security services market. "Managed Security Services Providers (MSSPs) use high-availability security operation centers (either from their own facilities or from data center providers) to support 24X7 services designed to reduce the number of operational security personnel an enterprise must hire, train, and retain to maintain an acceptable security posture."
For organizations facing the challenges of orchestrating in-house security, outsourced security represents a more effective alternative. Among other benefits, managed security offers the following:
- Maintenance of positive company reputation
  By protecting critical assets from damage, theft and misuse, managed security services help organizations avoid negative publicity and reduce network downtime that can lead to diminished revenues and customer dissatisfaction.
- Freedom to focus on company growth
  At the strategic level, managed security services can free organizations to focus their IT resources on strategic initiatives more central to core business priorities.
- Improved information protection
  With the growing complexity and importance of today's networks and information systems, managed security services offer the concentration and components needed to provide a complete, impenetrable security management program.
The following table details comparisons between in-house and outsourced security.

| | Traditional Security Software License | Managed Security Services Provider |
| --- | --- | --- |
| Entry cost | High | Low |
| Installation and implementation | Requires in-house resources | MSSP handles implementation |
| Time to value | Long | Short |
| Skilled resources | Company must hire, train and retain talent | MSSP provides skilled resources |
| Security risk | Company must assume all risks | MSSP shares operation risks |
| Efficiency and effectiveness | Limited scalability prohibits efficiency and effectiveness | Greater efficiencies via MSSP's scalability |
| Security posture | Dependent on skill, processes, and expertise of internal staff | Improved by diligence, guaranteed response times, security vulnerability research, and cumulative expertise of MSS team |
| Response | Dependent on skill, processes, and expertise of staff | 24x7 protection, critical alert notification and appropriate levels of response based on event severity |

A good managed security services provider can offer companies several advantages, including:
- Use of cumulative knowledge and experience of dedicated security experts
  The expertise of the MSSPs' security analysts and engineers who manage and monitor security devices on a full-time basis is a valuable resource. These analysts research and respond to security incidents and attacks every day. This means they are considerably more aware of potential threats and more knowledgeable about how to thwart attacks than a company's in-house staff.
- Shared responsibility with trusted security partner
  MSSPs offer service-level agreements that provide the contractual obligation to deliver services in a particular manner within a certain response time. In addition, MSSPs provide security expertise with considerable experience with intrusion detection and incident response practices.
- Reliable 24x7 security management
  A good number of companies turn to MSSPs for outsourced security monitoring and incident response, tasks that require constant vigilance. MSSPs provide an "always-on" business environment, guarding their clients' networks and infrastructures to ensure protection during the very hours most hackers will attack.
- Maximization of existing security products
  A good managed security services provider ensures that purchased solutions are installed, implemented, and integrated to provide the on-going value a company needs and expects.
- A cost-effective approach to security management
  By using MSSPs to provide protection for critical information assets, companies can avoid extensive personnel costs associated with hiring, training, and retaining security professionals. Managed security services reduce total cost of ownership by allowing transfer of personnel costs to a variable expense. Because managed services are billed on a monthly basis, they also allow a company to better predict and manage its security-related budget.
This concludes Part 1 of a 3-part article.
Part 1 notes the benefits of outsourcing.
Part 2 will evaluate the cost of outsourcing.
Part 3 will provide guidelines for selecting a security services provider.
About the Author
Jim McLendon, Vice President of Symantec Security Services Global Business Development, has more than 40 years' experience in information security and information operations. McLendon joined AXENT, and subsequently Symantec through acquisition, after a distinguished career with the United States Air Force. As a retired colonel, he has a wealth of expertise and command experience in special operations, intelligence, and electronic warfare and information warfare. He has managed large, diverse and geographically separated organizations, with leadership responsibilities for more than 2,100 highly technical personnel. Much of his career was spent in locations such as Taiwan, Vietnam, the United Kingdom, and Germany.
McLendon is a graduate of both the Air Force's Air War College and Air Command and Staff College. He earned his Master of Science degree in Human Resources Management from Troy State University and his Bachelor of Arts degree in Management from the University of Maryland.
He can be reached at Jmclendon@symantec.com. For more information on Symantec Security Systems, go to www.symantec.com.