A recent report from the Yankee Group points to increasing government regulations, an ever-expanding number of threats and vulnerabilities, and rapid changes in security technology as the reasons that 90 per cent of all corporate IT security will be outsourced by 2010.
There are few areas of IT that are as contentious as outsourcing and security, and when they are combined the result is like nitrating glycerol: explosive. But the simple fact is the last bastion holding off outsourcing is ripe for change as more and more security technologies become commoditized, and thus outsourceable.
In fact, the report says the move to outsource is well under way with the likes of intrusion detection and virus scanning already being offered extensively as managed security services.
The Yankee Group puts these services into what it calls the first and second generations of outsourcing, heavily dominated by products. As the decade progresses, phases three and four of security outsourcing will move into pervasive security (penetration testing, wireless VPNs, et cetera) and persistence security (Web services and VoIP security, et cetera). By 2008 the global managed security market will grow to US$3.7 billion, the report forecasts.
“I think that it is a bit of a misconception…that security cannot be given over to a third party,” said Matthew Kovar, director of security solutions and services with the Yankee Group, and the report’s author.
Times have changed, he said. “It would have been heresy 15 or 20 years ago to think you’d let some of your employee (HR) data…outside the organization.” Today it is commonplace.
Whether or not government regulations such as PIPEDA and Sarbanes-Oxley will push IT outsourcing is debatable. Boston-based Kovar said in the report that the regulations require “rapid expenditures on technology, processes and documentation to ensure the separation of operations from line-of-business activities.”
By definition these regulations increase a company’s risk posture (there are simply more things that can be deemed illegal now), and in Kovar’s view the only way to hold costs down is to outsource a portion of the security. The notion that a company can reduce risk while spending the same on security is a flawed one —“unfortunately those economics don’t work,” Kovar said.
But Rosaleen Citron, CEO of WhiteHat Inc. in Burlington, Ont., said she has seen government regulation do just the opposite. Companies “are bringing security home because of compliance.” This is especially true for financial institutions, and pharmaceutical and insurance companies where the risks of failure to comply are extremely high, she said.
Both agreed, however, that small and medium enterprises are more likely to opt to outsource much of their IT security for purely fiscal reasons. Citron said few companies in the mid-market would be making a fiscally sound decision by opting to pay out $250,000 in capital cost to secure themselves versus an $8,000 annual expense to outsource the same solution.
“Some of the smaller and mid-sized companies just can’t afford to have a group…monitoring their systems and networks 7×24,” agreed Nick Galletto, partner with Deloitte Security Services in Toronto. “The biggest challenge is just having the people,” he added. At the enterprise level Galletto said the story in Canada is very different. “We haven’t seen anything large to the extent that they have outsourced their whole, entire security department.”
Overall “I believe [IT security outsourcing] will increase, (but) I don’t know about dramatically,” Galletto said.
But before a company decides to write off outsourcing security altogether, it should run an audit to find the actual cost of securing its technology. Executives may find it surprising how many aspects of, say, one remote worker’s IT are security related. Once you factor in the security group, the VPN/network costs and the software, “you are spending a hell of a lot more on security than you ever thought possible,” Kovar said.
Regardless of whether you choose to outsource none, some or all of your IT security, there are two things everyone agreed upon. The first is the need to hire third-party auditors to see if your corporate IT security is doing everything it says it is, whether it is outsourced or not. If a potential security-outsource contractor hums and haws about your desire to bring in an outside opinion, “that is the red flag,” Citron said. And this includes all of the big players. A few years back the likes of IBM or HP might have brushed off such a request, she said. Not anymore.
Another reason to get outside help, according to Steve Poelking, director of security and infrastructure management research with IDC Canada Ltd. in Toronto, is that “it is hard for companies to outsource when they don’t have a real good baseline on how they are doing versus (others in their industry) and the cost of that.”
The second unanimous suggestion was to keep all security policy and governance in house.
At the end of the day a company can pass off as much security as it likes but it is always responsible for any failures, Kovar said. “That is very central to the debate around security.”