Firms start looking outside for security

When it comes to security, there are many approaches that can be taken and a lot of issues to be considered: What is the available budget? How much staff can be devoted to the security of the network? And how safe is safe enough?

Recent research from Stamford, Conn.-based Gartner Group Inc. indicates that by the year 2003, 50 per cent of small- and medium-sized enterprises that manage their own network security, and use the Internet for purposes other than e-mail, will experience a successful Internet attack. And more than 60 per cent of those enterprises won’t even know it.

For more and more companies, outsourcing security is becoming an obvious and easy choice. By simply outsourcing security needs, there is one less thing for the IT staff to worry about.

Dan McLean, a research manager with Toronto-based IDC Canada Ltd., noted that according to research done by his firm, a lot of companies are choosing to use third-party companies for their security needs.

“Companies are finding that hiring someone with the expertise is really difficult,” he explained. “And right now, in the whole space of security, I would say that most of the expertise that’s out there in terms of the people, are really connected with vendors and with third-party service providers. I think companies are going to be hard-pressed to hire a security expert themselves.”

Richard Stiennon, research director, network security with the Gartner Group, agreed with McLean and noted that by hiring someone else, enterprises will have an expert on call, 24 hours a day, seven days a week.

“The other advantage is that the investment in infrastructure that a large service provider has can’t be matched by most enterprises – only the very large ones,” Stiennon said, offering as examples redundant systems, redundant connectivity and the high-availability of support features.

So how should companies choose which third party to go with? In Canada, it is probably best for companies to talk to any of the major consulting companies or systems integrators, because most of them have developed practices around security, McLean said. IBM, Ernst & Young, PricewaterhouseCoopers and CGI are all options. He added that every systems integrator or service provider with a national scope has a security practice.

There is a lot of help available, so it is really just a matter of companies figuring out what they want to do, he said.

“The whole process of what you should be implementing security-wise begins with that front-end assessment piece…(identifying) the level of risk that you feel that you can expose your IT systems to. And that’s a consulting type of engagement,” McLean said.

He said there isn’t much variation in what the large services companies offer and what their approaches to security are – they have mostly all adopted the same model of risk assessment and figuring out what level of risk a company feels it can expose its systems to.

“Any third-party that starts with that premise is probably a good company to be talking to,” he said.

Network administrators should be looking at three things: the assets that need to be protected within the company; the level of vulnerability that they are exposed to; and the degree of threat that is out there. From there, the next step would be to look at solutions, which a third-party can also help with.

Chris Byrnes, a vice-president with the META Group in San Diego, explained that his firm divides most complex tasks into three phases: planning, building and operating/running. He stressed that any company interested in hiring an outsider for security needs to consider what should and should not be outsourced. He also said that while a lot of companies are using third parties, most are only using them for a very specific subset of tasks.

“If we look just at the run phase services, that’s where you’re actually spinning out some part of security operations,” Byrnes explained.

Things such as a managed firewall, managed virtual private network, and managed intrusion detection can all be outsourced to a managed security provider, and it is theoretically safe to spin those things out, Byrnes said.

“A year ago, there were no third-parties doing it well enough that we could recommend it, and what’s happened is that managed firewall has matured as a service offering. Now you can do that fairly well,” he said. “Managed VPN is coming along nicely, so in some circumstances it works okay to spin that out. Managed intrusion detection is brand new – there’s only about 15 companies in the world that have outsourced their intrusion detection, and so the vendors are still trying to figure out how to do it, and how to do it well. There’s a lot of maturing to take place.”

And when it comes to money, McLean said, “Security can be something of a money pit. You can impose a lot of security and spend a lot of money, but frankly, you may not need it all.”

That is another reason why speaking with a third-party company can be helpful: they are able to customize a solution for each customer, which can, in fact, save money in the long run.

Gartner’s Stiennon said security is something that can be difficult to cost-justify.

“Network security costs are usually buried in the budget,” he explained. “The personnel doing it are not dedicated, so it pulls a lot of the existing costs into something much more visible – it’s something you’re paying to an outside supplier. So it is difficult to cost-justify it solely on the numbers. In other words it will appear to be a larger cost to outsource firewall management.”

But, he said, the overall security stance is probably improved, so in reality companies are getting more for their money. And while they might have been vulnerable before, they wouldn’t be anymore.

Gartner Group has a list of sixteen points to help companies make the decision of which third-party company they should choose to outsource their security services to. Stiennon said that of that list, some of the more important things to consider are:

– Look at that company’s personnel — what type of people does the company have working for it? Do they have good credentials and experience?

– Look at the level of physical support around the company’s services — its network operation centre (NOC) and the types of products, such as hardware, that it will supply to you.

– Definitely look at the company’s longevity. “This is not going to be a simple switch-over,” Stiennon said. “If they go under, or you decide you don’t like them, it will be critical that this is a long-term relationship. Look at their financial backing, and get references from other customers.”

– Look at working out an adequate intrusion response procedure. “The company should be able to work well with you in the case of an intrusion or intrusion detection, and the notification procedures should be spelled out and you should be comfortable with it.”

META’s Byrnes offered one more piece of advice to consider when it comes to third parties. He said that because there is a lot of turnover in the security space, it is important to lock in and control which of the vendor’s people are going to be handling your work. In fact, he recommends getting it put into the contract.

“A vendor may bid telling you certain people are going to be on the contract to fulfil your needs, and by the time the contract actually starts to be executed, all of those people have left the company,” he explained. “So they put junior people in to do the work.”

By locking in who does the work, companies can stop third-party vendors from just putting in whoever they want, he said.