Author: Yogi Schulz

Outsourcing security is a touchy subject for CIOs. Surveys indicate that over 50% of CIOs say they will “never” outsource security. The most frequent reason given is that it’s too risky to trust a third party with information security. Unscrupulous behavior on the part of outsourcer employees could have devastating consequences. In this view, outsourcing security is indeed an oxymoron. But is your risk really any lower with company employees?

Outsourcers promise the security service will be better than insourcing it. However, CIOs will be nervous about the expertise and turnover among the outsourcer’s security management staff. But can you reduce these problems with company IT staff?

Outsourcers insist the security service will be cheaper than insourcing it. However, CIOs will be skeptical based on examples of unhappy cost experiences with outsourcing other IT functions. But haven’t we learned how to manage outsourcing better?

Now what? Hiding from the security management issue, hoping that it will blow over, is unlikely to be a CIO’s best response as security threats and response complexities continue to grow.

Here’s the case for outsourcing security management to a Managed Security Service Provider (MSSP) with responses to the usual challenges to outsourcing.

Risks

How does a CIO know that the risks associated with working with an MSSP are really lower than the risks associated with an in-house solution?

Implosions of MSSPs like Pilot and Salinas Network Services, as well as ongoing industry consolidation such as the VeriSign acquisition of Guardent, have heightened the CIO’s sense of vendor risk.

First, the risk associated with MSSP upheaval can be largely mitigated by a carefully executed vendor selection process. Can your hiring and management processes similarly lower the risks for an in-house solution?

Second, despite all the attention given to external hacker attacks, up to 80% of attacks and data compromises occur inside the network. Can your in-house staff respond to internal attacks better than the MSSP staff?

Third, some of the MSSP risk is related to experienced staff reallocation to other clients and to staff turnover. Are your staff turnover risks with in-house staff any lower?

Service Quality

How does a CIO know that the benefits associated with working with an MSSP are really higher than the benefits associated with an in-house solution?

CIOs wonder about immediate access to talent in a crunch. The MSSP staff is typically located far away, perhaps as far away as India. The in-house staff is just down the hall. They should be able to provide better service.

First, the variety of functions associated with security management keeps growing. Once companies did little more than reset passwords, monitor firewalls, delete e-mail spam and zap viruses and worms. Now spyware, more sophisticated hacking, intrusion detection and prevention, phishing, web scams, identity management, compliance reporting and patch management need increasing amounts of attention. Can your in-house staff rise to meet these demands?

Second, attacks against a single company don’t happen often enough to keep a team of this caliber focused, engaged and challenged. Boredom will undermine morale. Can you keep your in-house staff sharp between attacks?

Third, MSSP staff gain more experience than in-house staff through their encounters with many security problems among their many clients. How can you provide your in-house staff with the experience they need?

Cost

How does a CIO know that the costs associated with working with an MSSP are really lower than the costs associated with an in-house solution?

CIOs worry that contracting with an MSSP may result in cheques paying for big bonuses and fancy perks for various executives, or for flying a lot of high-priced help around among your various facilities.

First, in-house staffing for security expertise 24 hours a day, 365 days a year, requires five full-time employees plus supervisors and backup personnel. Even if your company is prepared to budget for all of these people, could you find them in today’s job market?

Second, retaining this skilled staff would be even harder. Security monitoring is inherently erratic. A typical pattern is weeks of boredom followed by hours of panic. Boredom will create restlessness. Can you keep your team from being picked off by head-hunters?

Third, security management requires an investment in computing infrastructure, software and telecom capacity. MSSPs can amortize some of these costs across all their clients. Can you justify these costs solely for your company?

Shrinking Domain

A CIO may be tempted to keep security management in-house as a way of keeping the head count in the IT domain higher and maintaining his or her sense of self-importance.

Counteracting a shrinking IT domain through insourcing could be a move that will haunt the CIO in the aftermath of the first security breach.

An MSSP also adds value by being a convenient target for any blame. Never mind that poor management of the outsourcing relationship contributed to the security breach.

Conclusions

Despite concerns about trust and memories of other outsourcing deals gone bad, CIOs will outsource more security management functions in the future. The shortcomings and costs associated with operating in-house security management preclude it as a viable alternative.

So where do you find a good CISO to manage the MSSP relationship when you need one?

In-house vs. Outsource Comparison Table

The last column marks the criteria on which the MSSP comes out ahead.

Security Management Comparison Criteria | In-house | Outsource | MSSP Advantage
Vendor risk                              | Lower    | Higher    |
Service quality                          | Lower    | Higher    | Yes
Cost                                     | Higher   | Lower     | Yes
Capital investment                       | Higher   | Lower     | Yes
Skills/Expertise                         | Lower    | Higher    | Yes
Staff turnover risk                      | Similar  | Similar   |
Mature best practices                    | Lower    | Higher    | Yes
Security breach risk                     | Similar  | Similar   |
Customer management time consumption     | Higher   | Lower     | Yes
Control                                  | Higher   | Lower     |

References/Resources:

The Case for Outsourcing Security, by Bruce Schneier
http://www.schneier.com/essay-084.html
File: The Case for Outsourcing Security.doc

Case Study: Outsourcing Threat Detection. With an increasing number of threats and limited IT staff resources, one company turns to outsourcing network monitoring.
By Mathew Schwartz, 11/15/2005
http://esj.com/Case_Study/article.aspx?EditorialsID=1558

CIOs asking if it’s time to outsource security. “Nobody is sitting on the fence…”
By Will Sturgeon, 28 April 2005
http://software.silicon.com/security/0,39024655,39129968,00.htm

Companies Reluctant to Outsource Security Functions. Large companies are reluctant to outsource their IT security.
Date: 9 March 2005
http://www.computerwire.com/industries/research/?pid=F9C68BBD-F5E5-4CA6-BF1C-953D27523C89

Does Outsourcing Open a Security Hole?
By Jill R. Aitoro, Industry Reporter, January 16, 2003
http://www.systeminetwork.com/nwn/story.cfm?ID=15910

Early advice for ’06: Outsource security
December 12, 2005 8:33 AM PST
While I am an analyst who focuses on information security, I am a business guy at heart. With this background, let me offer some advice to my business peers: Outsource security (or some subset thereof) in 2006!
http://news.com.com/2061-11203_3-5991528.html

Guard against internal hackers
By Tony Bradley, 05.05.2005
http://searchwindowssecurity.techtarget.com/tip/1,289483,sid45_gci1085776,00.html

Guidelines for Choosing to Outsource Security Management. Gartner says that outsourcing security management is not for everyone. If you’re going to do it, be clear about your expectations and structure a service-level agreement that reflects those expectations.
By Gartner Analysts Kelly M. Kavanagh, Mark Nicolett and John Pescatore
http://www.csoonline.com/analyst/report3574.html
File: Guidelines for Choosing to Outsource Security Management.doc

Is It Time To Outsource Security?
By Peter T. Davis, CIO Canada, 01 Nov 2000
http://www.itworldcanada.com/a/CIO/afbfb74f-d84c-4f9f-993a-633f2ec22fb2.html

Is Security Ripe for Outsourcing
Network World, 23 August 2004
http://www.networkworld.com/news/2004/082304outsecure.html

Outsource security for higher quality and lower cost
By Hailey Lynne McKeefry, 19 Nov 2001
http://www.wemanageservers.com/managed_security/internet_security/outsource_security/outsource_security_for_higher_.html

Outsource security with care, conference attendees warn. What you outsource and to whom are key considerations in security contracts.
By Jaikumar Vijayan, Computerworld, December 10, 2001
http://www.computerworld.com/managementtopics/outsourcing/story/0,10801,66432,00.html

Outsourcing Security — More Firms Will Do It
By Bill Brenner, SearchCIO.com, 09.02.2004
http://searchcio.techtarget.com/originalContent/0,289142,sid19_gci1004169,00.html

Report says Virtually All Big Companies Will Outsource Security By 2010. A Yankee Group report suggests that the need to stay ahead of hackers will drive a move to outsource security to managed service providers.
By Gregg Keizer, TechWeb News, InformationWeek, Aug 23, 2004
http://informationweek.com/story/showArticle.jhtml?articleID=29116929

Security — can you afford NOT to outsource it?
By Carl Weinschenk, TechRepublic, March 31, 2003
http://insight.zdnet.co.uk/hardware/servers/0,39020445,2132745,00.htm
File: Security_can you afford NOT to outsource it.doc

Security Outsourcing Exposed. Pilot Network Services customers had to scramble when the managed security company suddenly went under. They soon learned that outsourcing security is a lot more complicated than they thought.
By Scott Berinato, CIO Magazine, Aug. 1, 2001
http://www.cio.com/archive/080101/exposed.html

Top Tips for Outsourcing Security. Symantec’s head of Managed Security Services offers his perspective on what you should look for when considering a move to outsourced security.
By Mathew Schwartz, 6/16/2004
http://esj.com/security/article.aspx?EditorialsID=1008

Why Enterprises Outsource Network Security
http://www.verisign.com/static/036282.pdf#search=%22stratecast%20MSSP%22
File: WP_out.pdf

Why Managed Security Services are so Popular in Financial Institutions
By Carl Annicq – EVP Corporate Account Program and Business Development for Ubizen – Friday, 20 June 2003
http://www.net-security.org/article.php?id=512

Will corporates outsource security? The growing range of security threats may force more firms to use outside expertise.
By Phil Muncaster, IT Week, 16 Sep 2005
http://www.itweek.co.uk/itweek/analysis/2142412/corporates-outsource-security