Outsourcing of IT security services will increase dramatically over the next five years despite fears about turning over the keys to the company to an outside entity.
IDC Canada estimates that the market for security services in Canada was $436 million in 2004. By 2009, says Joe Greene, IDC Canada’s vice-president of security research, it will be $846 million — almost doubling in a five-year period.
Yet many companies still consider the outsourcing of any IT security function to be anathema. For them, “outsourced security” is an oxymoron. Jonah Paransky, senior manager of security product management at Cupertino, Calif.-based Symantec Managed Security Services, places these companies at one extreme of a continuum.
At the other end are companies that hold no reservations about outsourcing all of their IT functions, including security. They see no distinction between contracting a security company to guard their facilities and contracting an IT security firm to deal with their IT security requirements.
Not surprisingly, most companies are somewhere between these extremes. However, there are significant differences between the market for managed security services and that for traditional IT outsourcing.
As Paransky points out, “The vast majority of customers pick and choose the particular service that they want to outsource.” They want to use their security service provider as an extension of their IT organization rather than as a replacement for the security function. In doing so, they gain access to specialized skills, which are in short supply, without giving up operational control or policy direction.
Paransky uses the term “out-tasking” to describe the approach his customers are taking to security outsourcing.
MONITORING IN DEMAND
The service in highest demand at Symantec is network monitoring for attempted or successful breaches of an organization’s security system. This is where customers get the biggest bang for their buck, according to Paransky.
Security event monitoring is no simple task. In addition to real-time monitoring of firewalls and intrusion detection systems (IDS) at a 24×7 security operations centre (SOC), security experts must collect huge volumes of relevant alert and log data from a multitude of devices, then carefully analyze this material in light of the client’s security environment and the global threat environment. The goal is to prevent breaches, or at least identify the target and advise the client on an appropriate response.
Many customers reserve to themselves the choice of best response. But they don’t usually consider the detection and identification of the attack to be a core competency. So most are willing to outsource this function.
“The reason,” Paransky surmises, “is that staffing to find the bad guys yourself on a 24×7 basis is very expensive. You have to staff a 24×7 team of security professionals who are engaged in what those professionals typically find mundane work — hunting through log data or looking at the output of an incident management product internally.”
Another high-demand service is what Symantec calls “element management.” This is the management of a particular security device or group of devices, such as firewalls or IDS devices. In addition to performance management, the service provider takes care of fault management and lifecycle and release management. In other words, they maintain these devices at their maximum level of effectiveness.
Companies are also willing to hire outsiders to assess and report on their vulnerabilities. This may take the form of technical system scans for weaknesses, or it may involve white-hat hackers who do penetration testing.
Outside security service providers are generally seen as hired guns for specific tasks. Asking one to take care of a single task is the norm. The common thread is that their customers see high value in the specialized expertise that these providers offer, but would prefer to avoid the cost of hiring their own staff to fill this role.
The high cost and shortage of expert staff are leading many companies to look at technological solutions, such as security appliances that perform more than one function and will send reports or immediate alerts. IDC’s Greene sees an important role for these devices as well as for managed security service providers.
They all have a part to play in a comprehensive, holistic plan that covers all aspects of security, which companies need to develop.
“You can have the best security technology in the world,” says Greene, “but if your employees aren’t trained properly, you can still be open to internal abuse, whether malicious or inadvertent.”
In addition, the threats are evolving so rapidly that even technology can’t keep up with them.
One of the greatest current threats to security, phishing, is a social engineering vulnerability, not a technological weakness.
There are basic steps that companies can take, with or without outside help, to increase their security levels, says Greene. “The majority of companies in this country do not do audits on their security systems,” he points out. “If they do, it’s probably once or twice a year. Once they have their anti-virus, anti-spam and other programs like these in place, they don’t bother checking to see if they are working. That’s something that a lot of IT departments can and should be doing.”
Good policies and continuous employee education are essential. Here outside consultants and service providers can be particularly helpful, but it is important to select those with relevant credentials and references as well as experience in the client’s industry.
Smaller companies may find it easier to use infrastructure service providers that have strong security offerings.
One of these, Toronto-based ClearView Strategic Partners Inc., selected Fusepoint Managed Services to provide the infrastructure for its online whistleblower service, largely based on the high level of security Fusepoint offered.
ClearView provides a secure Web site, where their clients’ employees can confidentially report on corporate wrongdoing, such as spending irregularities. If these reports were leaked, great harm could come to an organization, an employee, shareholders and even to the public.
Security and confidentiality are obviously of utmost importance to ClearView’s business model, but, as Phil Enright, executive vice-president of sales and marketing, explains, “it didn’t take us long to realize that the cost of building our own secure data centre would be far greater than the cost of outsourcing.”
In addition to the physical security, ClearView gets the benefit of Fusepoint’s expertise in firewalls, anti-virus software, intrusion detection, patch management and threat analysis.
“All of the customers that we take to the data centre are blown away by the level of security,” says Enright. “They come away saying ‘We have no concerns about the security of our data.’”
On their side, Fusepoint’s CEO, George Kearns, agrees that the client has to have a high level of confidence in the outsourcing partner. But they also have to develop effective ways of working together. They can’t just assume that everything is taken care of.
Joe Greene adds that, when it comes to security, clients have to educate themselves about the threat environment and the potential responses available to them.
They have to know what’s happening in th