Outsourcing Security
Part 2: Measuring the Cost
Jim McLendon -
4/9/2002
Introduction
For organizations of all sizes, outsourcing security is becoming an increasingly attractive method for maintaining a strong security posture. In fact, outsourced security is the fastest growing segment of the information security services market, according to a recent Gartner Dataquest study.
Often, the decision to outsource security is based on cost: Can the company effectively outsource or co-source security management functions while still realizing a good return on investment?
The following is part two of a three-part series on outsourced security. This article helps organizations calculate the cost for managing security and provides a real-life scenario of cost comparisons to help organizations build a foundation for a financial analysis when considering a managed security services provider (MSSP).
This is Part 2 of a 3-part article.
Part 1 noted the benefits of outsourcing security.
Part 2 evaluates the cost of such an outsourcing.
Part 3 will provide guidelines for selecting a security services provider.
Bolstering Budgets
Along with a rise in cyber attacks, experts say the outsourced services market is growing as a result of the September 11 terrorist attacks. The tragic events have caused a marked increase in government spending, much of which will be directed to consultants and outside managed security service providers.
Gartner estimates that as much as 40 percent of all external IT spending went to services in 2000 (as opposed to purchases of hardware or software), and that IT services will account for 45 percent of all end-user spending by 2004. In dollar figures, Gartner says worldwide spending is valued at $363 billion today and should reach $569 billion by 2004.
Calculating Costs
Evaluating the cost of outsourcing can be challenging because most organizations cannot fully estimate the financial impact of such a decision. In fact, a recent InfoWorld outsourcing study of 100 technology professionals said that 61 percent of organizations did not know how much money their company would save in the next 12 months by outsourcing IT functions. This is true for most organizations considering outsourcing security services.
When a company considers outsourcing managed security services, it must estimate several variables over the duration of the managed security services contract:
- All relevant capital and operating costs
- Costs of supervising the managed security services provider
- The "cost of money" and interest costs
- Residual value of equipment and facilities
- Cost of transition, including personnel
- Cost of changes in direction and level of resources
- Cost of contract modifications
In addition, the range of services an MSSP provides can vary. Some MSSPs will only manage certain security products and technologies and require that a specific brand of security technology be purchased or swapped in for an organization's existing technology. Other MSSPs require additional purchases of specialized or proprietary technology for log file and event stream collection, analysis, and filtering.
To effectively compute the total cost of ownership of in-house security management, a wide range of costs must be considered over a number of years. A company must identify and evaluate both overt and hidden costs. The following sections list many of the costs of a security management program.
Equipment
Hardware and software costs
For in-house security management, companies must determine the cost of all hardware and software necessary for security management and operations. This includes servers, PCs, and peripheral equipment, as well as all associated operating systems, database, application, and security software. Additional hardware and software required to support the security operations include system and network management tools, help desk systems, integrated management consoles, and knowledge-based management systems and software.
License costs
The cost of all software licenses, including patches, incremental updates, and new versions of the software, should be calculated over the expected software lifecycle.
Maintenance
Maintenance fees for software and equipment must be factored into the total cost of ownership. Software maintenance is typically 15 to 25 percent of the list price of the software annually. An organization with $1 million in software licenses will pay $150,000 in maintenance costs (on the low end) each year. Companies should be aware of the level of support they receive for that cost. Some managed security services contracts provide 8 or 10 hours of coverage and support, while others deliver 24x7 support.
Personnel
Staffing for information security professionals is perhaps the most crucial, most difficult, and most costly component of an effective security management program. The top market challenge is hiring and retaining a skilled base of security professionals. The cost of staffing includes not just the cost of salaries, but also additional compensation (bonuses, stock incentives, etc.), space and equipment costs, and the cost of ongoing education and training. The salaries of security administrators and officers vary depending on geography and level of skill and expertise. According to a recent survey by InformationWeekResearch.com, average compensation for staff-level (not management) information security professionals in the Dallas area is:

| High | Average | Low |
|---|---|---|
| $88,375 | $71,750 | $64,000 |
If a company has a typical 8 a.m. to 5 p.m. operations day, but plans to expand to 24x7 security operations, then it must consider staffing multiple shifts of workers to provide coverage 365 days per year:
- Shift one for the morning
- Shift two for afternoon/evening
- Shift three for evening/early morning hours
- Shift four for weekend work and time-off coverage for shifts one, two, and three
Thus, it would take a minimum of four resources to cover one seat in a 24x7 security operation. And these additional resources would need a range of expertise or specialization in different types of security issues.
Recruiting
Due to the high turnover rate in the IT field, organizations also need to consider the cost of recruiting. Whether internal HR staff or external recruiters are used, the cost of recruiting may average 20 to 30 percent of the total annual compensation of the position being recruited.
Training and education
Ongoing training and education of security professionals is essential to honing skills and, more importantly, keeping staff current in an ever-changing, fast-paced technology environment. Ongoing education must encompass the latest security tools and technologies, threat techniques, and protection strategies. Costs in this area may include:
- Product or technology training
- Training in general security awareness
- Certification preparation classes
- Certification costs
- Attendance at major security conferences or shows
- Books, magazines, subscriptions, journals, or e-learning courses to keep security professionals abreast of the latest technologies, tips, techniques, threats, and safeguards in the industry
It is typical for organizations to provide guidelines on the amount of training employees receive each year. A minimum of two weeks is frequently provided, but more is often necessary. Most security courses are one week in duration; therefore, each employee would be eligible to attend two security courses per year. Since the cost of courses may range from $1,500 to $3,000, a typical cost per headcount for training would be $5,000 a year.
Facilities
Security Operations Center
The cost of building and staffing for 24x7 security operations can be extremely high. It is cost-prohibitive for most organizations to build or lease a security operations center (SOC), as building or leasing space in a network/security operation center can exceed $100 million in capital expenditure. If existing space is already established or available for security management and monitoring, the build-out cost for a reasonably sized security operation center, perhaps 30 seats, will be upwards of $1 million. The costs can be extreme for many organizations once required equipment, fire suppression systems for high availability, redundant operations, and other features are combined.
Setting a Scenario
Example: In-house versus outsourced managed security costs
When considering the expenses and costs associated with in-house versus outsourced security management over a two-year program for a mid-sized company, the benefits and cost savings of a multi-year managed service contract should be considered in totality. In some cases, the first year's savings may be considerably higher when compared to subsequent years, as security requirements evolve and change.
Company Profile
Sand Pharmaceuticals is a pioneer and world leader in discovering new treatments for debilitating diseases and medical conditions. The company employs 3,000 personnel and has an IT staff of 40, with five dedicated to managing information security. Sand Pharmaceuticals has implemented firewalls and is now deploying intrusion detection system (IDS) technology. For maximum protection of the company, its security staff has deployed three firewalls and also needs network-based IDS for six network segments, and host-based IDS 24X7 on 10 critical servers in the enterprise.
| Year 1 | In-house 8AM to 5PM (5 staff) | In-house 24X7 operations (15 staff) | Outsourced MSS Solution |
|---|---|---|---|
| RESOURCES | | | |
| Salaries (1) | $501,000 | $1,503,000 | N/A |
| Training (2) | $25,000 | $75,000 | N/A |
| Recruiting (3) | $37,575 | $288,075 | N/A |
| EQUIPMENT | | | |
| Software (4) | $81,875 | $81,875 | $81,875 |
| Maintenance (5) | $12,281 | $12,281 | $12,281 |
| Implementation and Setup (6) | Cost varies | Cost varies | $23,960 |
| Management | N/A | N/A | $348,000 |
| Total | $657,731 + setup | $1,960,231 + setup | $466,116 |

| Year 2 | In-house 8AM to 5PM (5 staff) | In-house 24X7 operations (15 staff) | Outsourced MSS Solution |
|---|---|---|---|
| RESOURCES | | | |
| Salaries (7) | $546,090 | $1,638,270 | N/A |
| Training | $25,000 | $75,000 | N/A |
| Recruiting (8) | $40,957 | $112,870 | N/A |
| EQUIPMENT | | | |
| Maintenance (5) | $12,281 | $12,281 | $12,281 |
| Management | N/A | N/A | $348,000 |
| Total | $624,328 | $1,838,421 | $360,281 |
(1) Based on InformationWeek Salary Advisor. Mean high total compensation (including salary, stock options, and bonuses) of typical security professionals in Houston, Texas. Salaries include four staff ($88,375) and one manager ($147,500).
(2) Training cost estimated at $5,000 per employee based on two classes per year at industry standard prices for security training courses.
(3) This scenario assumes the company already has the five daytime positions on staff. It also assumes a conservative 30 percent annual turnover rate for security personnel. To staff up for 24X7 in-house operations, first-year recruiting costs are high because, in addition to the 30 percent turnover of the original five positions, 10 new positions are necessary. Recruiting cost is based on 25 percent of total annual compensation for in-house security professionals.
(4) Software cost based on three unlimited-user licenses for Symantec Enterprise Firewall/VPN, Symantec NetProwler IDS licenses for six network segments, and Symantec Intruder Alert host IDS licenses for 10 servers.
(5) Maintenance cost based on 15 percent of software license cost.
(6) Setup cost includes implementation and setup services for remote management and ongoing maintenance for software. Without an MSSP, implementation services are costlier and the company must provide ongoing software maintenance (upgrades, patches, etc.) with internal resources.
(7) Salary increases based on an average high 9 percent increase over the previous year.
(8) This scenario assumes a conservative 30 percent annual turnover rate for all security personnel. Recruiting cost is based on 25 percent of total annual compensation for in-house security professionals.
Assuming the company keeps its five daytime IT security staff for mission-essential in-house security support, first-year savings for outsourcing 24x7 security operations is approximately $836,384. Second-year savings for outsourcing 24x7 security operations is about $853,812.
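The savings figures follow from the footnoted parameters, so the arithmetic can be checked. The Python model below is added here (it is not from the article) and rebuilds each column of the two-year table from the values in footnotes (1) through (8), then computes the savings the way the paragraph above frames them: in-house 24X7 staffing against keeping the five daytime staff and buying 24x7 coverage from the MSSP.

```python
# Constructed model of the article's Sand Pharmaceuticals scenario; every
# parameter below comes from the cost table's footnotes (1) to (8).
STAFF_COMP = 88_375         # staff-level compensation, footnote (1)
MANAGER_COMP = 147_500      # manager compensation, footnote (1)
TRAINING_PER_HEAD = 5_000   # two one-week courses per year, footnote (2)
TURNOVER = 0.30             # annual turnover of security personnel, (3) and (8)
RECRUIT_RATE = 0.25         # recruiting cost as a share of compensation, (3), (8)
SOFTWARE = 81_875           # firewall and IDS licences, bought in year 1, (4)
MAINT_RATE = 0.15           # annual maintenance as a share of licence cost, (5)
MSSP_SETUP = 23_960         # one-time implementation and setup with the MSSP, (6)
MSSP_MANAGEMENT = 348_000   # annual MSSP management fee, from the table
RAISE = 0.09                # year-over-year salary increase, footnote (7)


def salaries(staff, managers, year):
    base = staff * STAFF_COMP + managers * MANAGER_COMP
    return round(base * (1 + RAISE) ** (year - 1))


def in_house_year(year, staff, managers, new_staff=0, new_managers=0):
    """One in-house column; existing seats are recruited for turnover only,
    seats created this year are recruited in full, per footnote (3)."""
    existing = salaries(staff, managers, year)
    new = salaries(new_staff, new_managers, year)
    heads = staff + managers + new_staff + new_managers
    costs = {
        "salaries": existing + new,
        "training": heads * TRAINING_PER_HEAD,
        "recruiting": round(TURNOVER * RECRUIT_RATE * existing + RECRUIT_RATE * new),
        "software": SOFTWARE if year == 1 else 0,
        "maintenance": round(MAINT_RATE * SOFTWARE),
    }
    costs["total"] = sum(costs.values())
    return costs


def mssp_year(year):
    """The outsourced column: licences and their maintenance stay with the company."""
    costs = {
        "software": SOFTWARE if year == 1 else 0,
        "maintenance": round(MAINT_RATE * SOFTWARE),
        "setup": MSSP_SETUP if year == 1 else 0,
        "management": MSSP_MANAGEMENT,
    }
    costs["total"] = sum(costs.values())
    return costs


def outsourcing_savings(year):
    """In-house 24X7 (15 staff) minus (five daytime staff kept in house + MSSP)."""
    full = (in_house_year(1, 4, 1, new_staff=8, new_managers=2) if year == 1
            else in_house_year(year, 12, 3))  # (8): turnover only after year 1
    daytime = in_house_year(year, 4, 1)
    return full["total"] - (daytime["total"] + mssp_year(year)["total"])
```

The one cell the model does not reproduce is Year 2 recruiting for the 15-staff column: footnote (8) arithmetic gives $122,870 where the table prints $112,870, so that column's total and the second-year savings come out $10,000 higher than the article's figures.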
Coming to a Conclusion
Making the decision on whether to staff in-house for security services or hire a managed security services provider is a decision best made with much research and budgetary scrutiny, with scenarios ranging over a number of years, focusing on maintaining a strong security posture while enabling revenue-generating e-business functions. In the end, many say the price of performing this business audit and possibly adding managed security services is small when compared with the cost of losing customer confidence due to security breaches.
This concludes Part 2 of a 3-part article.
Part 1 noted the benefits of outsourcing security.
Part 2 evaluates the cost of such an outsourcing.
Part 3 will provide guidelines for selecting a security services provider.
About the Author
Jim McLendon, Vice President of Symantec Security Services Global Business Development, has more than 40 years of experience in information security and information operations. McLendon joined AXENT, and subsequently Symantec through acquisition, after a distinguished career with the United States Air Force. As a retired colonel, he has a wealth of expertise and command experience in special operations, intelligence, electronic warfare, and information warfare. He has managed large, diverse, and geographically separated organizations, with leadership responsibilities for more than 2,100 highly technical personnel. Much of his career was spent in locations such as Taiwan, Vietnam, the United Kingdom, and Germany.
McLendon is a graduate of both the Air Force's Air War College and Air Command and Staff College. He earned his Master of Science degree in Human Resources Management from Troy State University and his Bachelor of Arts degree in Management from the University of Maryland.
He can be reached at Jmclendon@symantec.com, or for more information on Symantec Security Systems, go to www.symantec.com.