Web site defacement, identity theft, application sabotage: Very few organisations have the resources to defend their IT systems against the increasing variety and sophistication of malicious attacks.
This has led many analysts to advocate that organisations outsource the majority of their security infrastructure and has triggered a resurgence in the managed security provider (MSP) model both by specialist service companies and software vendors. Indeed, many security software vendors (such as Internet Security Systems) now offer customers the option of using hosted versions of their products. Adding to that momentum is the acute shortage of skilled security professionals who have the correct balance of up-to-date security knowledge, enterprise systems expertise, and an in-depth understanding of their organisation's overall strategy and concerns.
Systems, in many cases, need to be monitored 24 hours a day, seven days a week to ensure any acceptable level of security, says Graham Titterington, a security analyst at market research company Ovum. Furthermore, at least two employees need to be working simultaneously, so that an organisation is not putting too much trust in one. According to Titterington, the average organisation would need to employ at least five trained security professionals to work in shifts to achieve ’24×7′ security.
That expense alone convinces many companies to outsource this aspect of IT operations. According to analyst Laura Koetzle at market research company Forrester Research, the human elements of IT security cost an average company $700,000 annually, and this is without spending a cent on security products. This compares with an average price of $150,000 to outsource these functions to an MSP for one year, says Koetzle.
Another reason to outsource security to an MSP is because the majority of these companies can provide both the hardware and software as part of the service. This can be compelling, especially for small- and medium-sized (SME) companies, because of the speed at which security technology changes to defend against new threats. In most cases, security technology evolves faster than the value of an organisation’s existing security infrastructure depreciates, says Vaughan Davies, marketing manager for the services arm of Siemens Network Systems Limited (SNSL).
But larger companies can also benefit from outsourcing, especially if they have many distributed offices. Indeed, MSPs are more cost effective in this instance, argues Robin Dahlberg, UK managing director at security software vendor and MSP, Internet Security Systems (ISS). Outsourcing a distributed security infrastructure can ease the problems surrounding time zone differences, regional public holidays, incompatible data systems, and in ensuring security policy compliance across all the individual business units of an enterprise, says Dahlberg.
Although Ovum's Titterington and Forrester's Koetzle believe some security outsourcing is necessary to achieve a sufficient level of defence at a low cost, both caution businesses not to hand over all their security operations to MSPs and consulting service providers.
To begin with, organisations should begin outsourcing from the edge of their corporate networks and work inwards, advises Titterington. The services that they might outsource include : the configuration, management and monitoring of firewalls, the management of virtual private networks and their associated encryption software; the provision of up-to-the-minute anti-virus updates; and intrusion monitoring. Indeed, general monitoring and assessment are particularly appropriate services to hand over to third parties.
Effective outsourcing relies on achieving a good balance of responsibilities however, and organisations should not expect MSPs to take all of the work – or responsibility – off their hands. In fact, "the further you go into the innards of an organisation's infrastructure, the less useful it is to outsource the security aspects," says Titterington. Then again, where an organisation draws the line depends on its internal culture, and how much trust it has in its service providers.
For example, Titterington believes organisations should not outsource the provision of access controls. Information regarding who gets access to which data systems, at which times, under which circumstances, and from which devices, should be the responsibility of internal senior managers. In this way, the company retains control over the main gateways to internal data, he says.
Koetzle of Forrester disagrees. Managing access control, and the authentication infrastructure that underlies it, can be an expensive and time-consuming task, especially for large or distributed organisations, she says. For this reason, she advises companies to investigate outsourced access provision offerings from companies such as Access360.
Overall, businesses should understand that they will never be able to outsource the entire security function, says Iain Franklin, European vice president at hosted security provider Entercept: "At the end of the day, MSPs are just providing an alerting service for when something goes wrong. You will never escape from having staff on site to fix the problem, or physically re-boot the servers. The question is, how large should that presence be?"
There are certain security processes that vendors and analysts agree should never be outsourced. The first of these is the task of defining an organisation's security policy. The second is the analysis of ‘post-mortem' data after a security breach has occurred.
"Managed security only works well if you keep data on your security and strategy. We basically provide the operations, but the customer must provide the strategy," explains Ian McKenzie, head of marketing for security at MSP company Vistorm.
Indeed, for many companies, the reports provided by MSPs will be the first time they have seen such detailed information on their security integrity, says Koetzle. That in itself is valuable, because most companies do not know how much their security infrastructure, or lack of it, is costing them. Using data on the number, frequency, and type of attacks, companies can better understand their security risk and prioritise security policy accordingly, says Koetzle. "MSPs can look at a company's security policy and vet it to see if it is workable. But we can't check if it is right for the business," agrees SNSL's Davies.
The same advice applies after a security breach has occurred. According to Koetzle, it is vital that companies work out how much security breaches cost them, for example in terms of lost productivity or sales. But they also need to measure the effectiveness of the organisation's response to that attack.
Every organisation's decision to outsource security hinges on how much they trust their security service providers. For many companies, the solution is to hire several service providers to take care of specific tasks, so as not to place too much trust in any one vendor, says SNSL's Davies. In fact, Dahlberg says that many customers rotate service providers from month to month to maintain objectivity. However, Dahlberg adds that partnering with several service providers is expensive, and would be an "extravagance" for most small and mid-sized businesses.
But the flexibility to shift between different MSPs is not a bad thing for users, considering the financial frailty of many MSPs. The market is still in its infancy, and considering the capital investment needed to provide managed security services, it is not surprising that analysts expect many companies to close their doors or be acquired by more general application service providers or telecom carriers. Indeed, Dahlberg estimates that 60% of MSPs that set up shop in the US last year have since gone bankrupt.
It is this uncertainty about the future of many MSPs that has been an obstacle to growth in the market, and ironically, has hampered the prospects of some promising young MSPs. But considering the constant evolution of malicious activity on the Internet, it is becoming increasingly difficult for companies to manage their entire security strategy single-handed. Between defining security policy, building an infrastructure, and managing it on a daily basis, businesses are most likely to need the help of some kind of third-party specialist if they are to feel truly secure.