Two reasons traditionally prompt a company to outsource. Someone else can do the job cheaper (think printing), or the company doesn’t have the people to properly do the job itself (think payroll). But outsourcing IT security is a bit of an enigma.
Both are valid reasons to outsource security for thousands of companies yet, for some, often purely emotional reason, much of it is kept in house. Call it outsourcing’s last untamed wilderness.
By mid 2001 there was a rise in companies offering everything from managed firewalls and intrusion detection to designing, implementing and managing entire
security architectures. One IDC analyst went so far as to predict companies would be “outsourcing pretty much the whole security life cycle.”
But then came 9/11, and corporate perceptions and confidence took a hit. Intrusion detection systems (IDS) and firewall services are still doing brisk business but few, if any, companies are passing on all their security related issues to a third party.
Although the pendulum has recently started swinging back, experts no longer envision security ever being entirely outsourced.
“I do not believe it will ever go completely to the extent of payroll,” said Simon Perry, vice-president of security solutions with Islandia, N.Y.-based Computer Associates International Inc.
“I don’t think that there frankly is a large market, at least in Canada,” agreed Dan McLean, research analyst with IDC Canada in Toronto. Even the security practices with the large consulting firms are not that large, he added, noting that outsourcing represents less than one per cent of the Canadian business market.
Part of the reason people are looking less to third parties for solutions is trust, which seems to be a little harder to come by these days. “I think that [trust] always will be an issue and, I would say, it always should be an issue,” Perry said.
Though some of the larger, more established firms seem to be on solid ground, there is a perception that newcomers to the security outsourcing market will have an uphill battle selling their vision.
Solutions which access sensitive information, and have succeeded as an outsource model, tend to have had trust built in.
For example, outsourcing payroll started as a service from financial institutions. “They were already a trusted partner,” McLean said. It also offered to reduce corporate cost and pain. “Outsourcing payroll was a way of getting rid of a fairly major headache,” he said.
For myriad reasons – some real, some imagined – certain industries are more prone to the old-school thinking of keeping all things security in house (financial industry, telcos). But for most Canadian companies there are benefits to looking outside for some security solutions. In many cases they are both cheaper and better.
The two towers
Perry divides security into two areas: infrastructure management and strategic application design. The former includes network, systems management, operating systems management, application installation and maintenance, and help desks. Today many of these are successfully outsourced.
Strategic application design looks at overall strategy and will probably always stay in house, he said. Even those companies that hire a PricewaterhouseCoopers or Ernst & Young are not really outsourcing strategy, he said.
“It is consultants that are bolstering the existing staff as opposed to a lock, stock and barrel outsourcing of the whole thing,” Perry said.
McLean agrees, saying that companies need to retain control over defining security polices.
But for the infrastructure management side there is room to grow. In fact, most well defined security outsourcing solutions follow traditional outsourcing trends. “As new security technologies and techniques come in.where the skills base does not exist in house yet, they typically get outsourced for the first year or two,” he said.
Intrusion detection systems are a good example of this. Many companies did not have the skill sets to monitor their own networks when the technology came out. But by the time the contract was up for renewal, many companies had the personnel to do the job themselves. Thirty to 50 per cent of companies choose to bring IDS back in house after initially outsourcing it, Perry said.
Outsourcing other solutions, such as managed firewalls, is driven more by a desire to reduce costs. “The technology is very mature in its capability,” Perry said, adding that companies may decide employees are best used elsewhere.
Once the firewall “is in place and tuned correctly, then it is not much of a stretch to outsource it.”
– With files from
IDG News Service