Outsourcing security gains appeal

Recent research from Stamford, Conn.-based Gartner Group Inc. indicates that by the year 2003, 50 per cent of small- and medium-sized enterprises that manage their own network security, and use the Internet for purposes other than e-mail, will experience a successful Internet attack. And more than 60 per cent of those enterprises won’t even know it.

For more and more companies, outsourcing security is becoming an obvious and easy choice. By simply outsourcing security needs, there is one less thing for the IT staff to worry about.

Dan McLean, a research manager with Toronto-based IDC Canada Ltd., noted that according to research done by his firm, a lot of companies are choosing to use third-party companies for their security needs.

“Companies are finding that hiring someone with the expertise is really difficult,” he explained. “In the whole space of security, I would say that most of the expertise that’s out there in terms of the people, are really connected with vendors and with third-party service providers. I think companies are going to be hard-pressed to hire a security expert themselves.”

Richard Stiennon, research director of network security with Gartner Group, agreed with McLean and noted that by hiring someone else, enterprises will have an expert on call, 24 hours a day, seven days a week.

“The other advantage is that the investment in infrastructure that a large service provider has can’t be matched by most enterprises – only the very large ones,” Stiennon said, citing as examples redundant systems, redundant connectivity and the high availability of support features.

So how should companies choose which third party to go with? In Canada, it is probably best for companies to talk to any of the major consulting companies or systems integrators, because most of them have developed practices around security, McLean said. IBM, Ernst & Young, PricewaterhouseCoopers and CGI are all options.

There is a lot of help available, so it is really just a matter for companies to figure out what they want to do, he said.

“The whole process of what you should be implementing security-wise begins with that front-end assessment piece … (identifying) the level of risk that you feel that you can expose your IT systems to. And that’s a consulting type of engagement,” McLean said.

“Any third party that starts with that premise is probably a good company to be talking to,” he said.

Network administrators should be looking at three things: the assets that need to be protected within the company; the level of vulnerability that they are exposed to; and the degree of threat that is out there. From there, the next step would be to look at solutions, with which a third party can also help.