Introduction

For organizations of all sizes, outsourcing security is becoming an increasingly attractive method for maintaining a strong security posture. In fact, outsourced security is the fastest growing segment of the information security services market, according to a recent Gartner Dataquest study.

Often, the decision to outsource security is based on cost: Can the company effectively outsource or co-source security management functions while still realizing a good return on investment?

The following is part two of a three-part series on outsourced security. This article helps organizations calculate the cost for managing security and provides a real-life scenario of cost comparisons to help organizations build a foundation for a financial analysis when considering a managed security services provider (MSSP).

This is Part 2 of a 3-part article.

Part 1 noted the benefits of outsourcing security.

Part 2 evaluates the cost of such an outsourcing.

Part 3 will provide guidelines for selecting a security services provider.

Bolstering Budgets

Along with a rise in cyber attacks, experts say the outsourced services market is growing as a result of the September 11 terrorist attacks. The tragic events have caused a marked increase in government spending, much of which will be directed to consultants and outside managed security service providers.

Gartner estimates that as much as 40 percent of all external IT spending went to services in 2000 (as opposed to purchases of hardware or software), and IT services will account for 45 percent of all end-user spending by 2004. In dollar figures, Gartner says worldwide spending is valued at $363 billion today, and should reach $569 billion by 2004.

Calculating Costs

Evaluating the cost of outsourcing can be challenging because most organizations cannot fully estimate the financial impact of such a decision. In fact, a recent InfoWorld outsourcing study of 100 technology professionals said that 61 percent of organizations did not know how much money their company would save in the next 12 months by outsourcing IT functions. This is true for most organizations considering outsourcing security services.

When a company considers outsourcing managed security services, it must estimate several variables over the duration of the managed security services contract:

  • All relevant capital and operating costs
  • Costs of supervising the managed security services provider
  • The "cost of money" and interest costs
  • Residual value of equipment and facilities
  • Cost of transition, including personnel
  • Cost of changes in direction and level of resources
  • Cost of contract modifications

In addition, the range of services an MSSP provides can vary. Some MSSPs will only manage certain security products and technologies and require that a specific brand of security technology be purchased or swapped in for an organization's existing technology. Other MSSPs require additional purchases of specialized or proprietary technology for log file and event stream collection, analysis, and filtering.

To effectively compute the total cost of ownership of in-house security management, a wide range of costs must be considered over a number of years. A company must identify and evaluate both overt and hidden costs. The following sections list many of the costs of a security management program.

Equipment

Hardware and software costs
For in-house security management, companies must determine the cost of all hardware and software necessary for security management and operations. This includes servers, PCs, and peripheral equipment, as well as all associated operating systems, database, application, and security software. Additional hardware and software required to support the security operations include system and network management tools, help desk systems, integrated management consoles and knowledge-based management systems and software.

License costs
The cost of all software licenses, including patches, incremental updates, and new versions of the software should be calculated over the expected software lifecycle.

Maintenance
Maintenance fees for software and equipment must be factored into the total cost of ownership. Software maintenance is typically 15 to 25 percent of the list price of the software annually. An organization with $1 million in software licenses will pay $150,000 in maintenance costs (on the low end) each year. Companies should be aware of the level of support they receive for that cost. Some managed security services contracts provide 8 or 10 hours of coverage and support, while others deliver 24x7 support.

Personnel
Staffing for information security professionals is perhaps the most crucial, most difficult, and most costly component of an effective security management program. The top market challenge is hiring and retaining a skilled base of security professionals. The cost of staffing includes not just the cost of salaries, but also additional compensation (bonuses, stock incentives, etc.), space, and equipment costs, and the cost of ongoing education and training. The salaries of security administrators and officers vary depending on geography and level of skill and expertise. According to a recent survey by InformationWeekresearch.com, average compensation for staff level (not management) information security professionals in the Dallas area is:

| High | Average | Low |
|---|---|---|
| $88,375 | $71,750 | $64,000 |

If a company has a typical 8 a.m. to 5 p.m. operations day, but plans to expand to 24x7 security operations, then it must consider staffing multiple shifts of workers to provide coverage 365 days per year:

  • Shift one for the morning
  • Shift two for afternoon/evening
  • Shift three for evening/early morning hours
  • Shift four weekend work and time-off-coverage for shifts one, two, and three

Thus, it would take a minimum of four resources to cover one seat in a 24x7 security operation. And these additional resources would need a range of expertise or specialization in different types of security issues.

Recruiting
Due to the high turnover rate in the IT field, organizations also need to consider the cost of recruiting. Whether internal HR staff or external recruiters are used, the cost of recruiting may average 20 to 30 percent of total annual compensation costs of the position being recruited.

Training and education
Ongoing training and education of security professionals is essential to honing skills and, more importantly, keeping staff current in an ever-changing, fast-paced technology environment. Ongoing education must encompass the latest security tools and technologies, threat techniques, and protection strategies. Costs in this area may include:

  • Product or technology training
  • Training in general security awareness
  • Certification preparation classes
  • Certification costs
  • Attendance at major security conferences or shows
  • Books, magazines, subscriptions, journals, or e-learning courses to keep security professionals abreast of the latest technologies, tips, techniques, threats, and safeguards in the industry

It is typical for organizations to provide guidelines on the amount of training employees receive each year. A minimum of two weeks is frequently provided, but more is often necessary. Most security courses are one week in duration; therefore, each employee would be eligible to attend two security courses per year. Since the cost of courses may range from $1,500 to $3,000, a typical cost per headcount for training would be $5,000 a year.

Facilities

Security Operations Center
The cost of building and staffing for 24x7 security operations can be extremely high. It is cost-prohibitive for most organizations to build or lease a security operations center (SOC), as building or leasing space in a network/security operation center can exceed $100 million in capital expenditure. If existing space is already established or available for security management and monitoring, the build-out cost for a reasonably sized security operation center, perhaps 30 seats, will be upwards of $1 million. The costs can be extreme for many organizations once required equipment, fire suppression systems for high-availability, redundant operations and other features are combined.

Setting a Scenario

Example: In-house versus outsourced managed security costs
When considering the expenses and cost associated with in-house versus outsourced security management over a two-year program for a mid-sized company, the benefits and cost savings of a multi-year managed service contract should be considered in totality. In some cases, the first year's savings may be considerably higher when compared to subsequent years, as security requirements evolve and change.

Company Profile
Sand Pharmaceuticals is a pioneer and world leader in discovering new treatments for debilitating diseases and medical conditions. The company employs 3,000 personnel and has an IT staff of 40, with five dedicated to managing information security. Sand Pharmaceuticals has implemented firewalls and is now deploying intrusion detection system (IDS) technology. For maximum protection of the company, its security staff has deployed three firewalls and also needs network-based IDS for six network segments, and host-based IDS 24X7 on 10 critical servers in the enterprise.

| Year 1 | In-house 8AM to 5PM (5 staff) | In-house 24X7 operations (15 staff) | Outsourced MSS Solution |
|---|---|---|---|
| RESOURCES | | | |
| Salaries (1) | $501,000 | $1,503,000 | N/A |
| Training (2) | $25,000 | $75,000 | N/A |
| Recruiting (3) | $37,575 | $288,075 | N/A |
| EQUIPMENT | | | |
| Software (4) | $81,875 | $81,875 | $81,875 |
| Maintenance (5) | $12,281 | $12,281 | $12,281 |
| Implementation and Setup (6) | Cost varies | Cost varies | $23,960 |
| Management | N/A | N/A | $348,000 |
| Total | $657,731 + setup | $1,960,231 + setup | $466,116 |

| Year 2 | In-house 8AM to 5PM (5 staff) | In-house 24X7 operations (15 staff) | Outsourced MSS Solution |
|---|---|---|---|
| RESOURCES | | | |
| Salaries (7) | $546,090 | $1,638,270 | N/A |
| Training | $25,000 | $75,000 | N/A |
| Recruiting (8) | $40,957 | $112,870 | N/A |
| EQUIPMENT | | | |
| Maintenance (5) | $12,281 | $12,281 | $12,281 |
| Management | N/A | N/A | $348,000 |
| Total | $624,328 | $1,838,421 | $360,281 |

(1) Based on InformationWeek Salary Advisor. Mean high total compensation (including salary, stock options, and bonuses) of typical security professional in Houston, Texas. Salaries include four staff ($88,375) and one manager ($147,500).
(2) Training cost estimated at $5,000 per employee based on two classes per year at industry standard prices for security training courses.
(3) This scenario assumes the company already has the five daytime positions on staff. It also assumes a conservative 30 percent annual turnover rate for security personnel. To staff up for 24X7 in-house operations, first-year recruiting costs are high because, in addition to the 30 percent turnover of the original five positions, 10 new positions are necessary. Recruiting cost is based on 25 percent cost of total annual compensation for in-house security professionals.
(4) Software cost based on three unlimited user licenses for Symantec Enterprise Firewall/VPN, Symantec NetProwler IDS licenses for six network segments, and Symantec Intruder Alert host IDS licenses for 10 servers.
(5) Maintenance cost based on 15 percent of software license cost.
(6) Setup cost includes implementation and setup services for remote management and ongoing maintenance for software. Without MSSP, implementation services are costlier and company must provide ongoing software maintenance (upgrades, patches, etc.) with internal resources.
(7) Salary increases based on average high 9 percent increase over previous year.
(8) This scenario assumes a conservative 30 percent annual turnover rate for all security personnel. Recruiting cost is based on 25 percent cost of total annual compensation for in-house security professionals.

Assuming the company keeps its five daytime IT security staff for mission-essential in-house security support, first-year savings for outsourcing 24x7 security operations is approximately $836,384. Second-year savings for outsourcing 24x7 security operations is about $853,812.

Coming to a Conclusion

Whether to staff in-house for security services or hire a managed security services provider is a decision best made with much research and budgetary scrutiny, using scenarios that range over a number of years and focus on maintaining a strong security posture while enabling revenue-generating e-business functions. In the end, many say the price of performing this business audit and possibly adding managed security services is small when compared with the cost of losing customer confidence due to security breaches.

This concludes Part 2 of a 3-part article.

About the Author

Jim McLendon, Vice President of Symantec Security Services Global Business Development, has more than 40 years of experience in information security and information operations. McLendon joined AXENT, and subsequently Symantec through acquisition, after a distinguished career with the United States Air Force. As a retired colonel, he has a wealth of expertise and command experience in special operations, intelligence, electronic warfare, and information warfare. He has managed large, diverse and geographically separated organizations, with leadership responsibilities for more than 2,100 highly technical personnel. Much of his career was spent in locations such as Taiwan, Vietnam, the United Kingdom, and Germany.

McLendon is a graduate of both the Air Force's Air War College and Air Command and Staff College. He earned his Masters of Science degree in Human Resources Management from Troy State University and his Bachelor of Arts degree in Management from the University of Maryland.

He can be reached at Jmclendon@symantec.com. For more information on Symantec Security Systems, go to www.symantec.com.

©2013 Technology Evaluation Centers Inc. All rights reserved.