The managed security services sector was born in the final splutters of the dot-com fuelled technology boom. Computer security had grown too complex, too important and too costly for organisations to do it on their own, so why not outsource it to the specialists?
That logic spurred $1 billion worth of investment by venture capitalists, as managed security start-ups built up their infrastructures and honed their marketing messages.
But within a year, much of that money had been wasted as wild over-optimism turned to realism, and customers held back commitments, wary of the capabilities – and viability – of many service providers.
A lot has changed in three years. The security challenge has become more complex, costly and time-consuming, encouraging organisations to seek outside help. And the whole managed security sector has matured and established where it can add most value.
Experience with relatively low-cost and simple-to-set-up outsourcing services such as antivirus email scanning has encouraged many to look further afield – to firewall monitoring, for example.
Moreover, many IT professionals and analysts feel that the tools have not kept pace. The number of Internet applications being run in a typical organisation has made firewalls less than sufficient for keeping hackers out.
In addition, the intrusion detection devices that once promised to sound the alarm whenever an attack was detected have been derided by analysts such as Gartner due to the number of false alarms they generate – hundreds, maybe thousands, every day.
That is not always the fault of the tools, says Ray Stanton, director of the UK security practice at Unisys: “Too few security professionals, let alone ordinary IT staff, are prepared to put in the time and effort required [to fine-tune products].”
That is one area where managed security services suppliers promise to reduce the pain. They can configure intrusion detection and other devices and export their log files through a one-way opening in the firewall. That data can then be mapped against other ‘events’ that the managed services supplier is aware of at sites across the world – something that no single company can do in-house.
“That’s the huge advantage that external monitoring brings to organisations,” says Richard Archdeacon, head of technical services in Northern Europe for Symantec. “It enables us to identify and monitor patterns so that we can see whether a particular incident is isolated or part of an overall trend.”
However, hiring a managed security services company does not mean that the in-house security team is redundant. Far from it. Creating, enforcing and updating the corporate security policy, for example, will always need to be worked out between the IT or security departments and management to ensure that it is tailored to the organisation’s needs.
In addition, the managed security services provider will always need specialists at the client site to liaise with about security issues. “Leadership responsibility… is something that should never be outsourced,” says Tom Scholtz, an analyst with the Meta Group.
If a new Internet worm is discovered, someone representing the client needs to be on hand to authorise the closure of a port on the firewall that can stop it in its tracks – because closing that port might bring a mission-critical application shuddering to a halt as well.
But outsourcing can alleviate the administrative burden on security staff, enabling them to devote more time and energy to dealing with higher-level issues.