Outsourcing security a good plan, but be careful out there

Can you trust an outsider to handle your information security? Yes, if you proceed with caution and ask all the right questions.

by Johanna Ambrosio

Paying someone else to watch over your information is a good business strategy, experts agree, but you need to make this move only after a considerable amount of up-front planning and research.

First, you should never outsource all of your security needs. Second, you need to pay extremely close attention to know exactly what you're buying -- what's included in the contract. And third, you must select your provider very carefully, especially given the recent failure of two high-profile security outsourcers.

Just about all businesses, whether large or small, can benefit from some degree of outsourcing. But the smaller you are, the more likely that you'll need to let someone else manage a good portion of your security.

__________________________________
SPONSORED BY: EMC

How did Oracle consolidate its worldwide IT infrastructure and save over a billion dollars in operating costs?

1. By partnering with EMC to seamlessly consolidate 43 worldwide data centers into two locations, serving 43,000 employees in 145 countries.
2. By leveraging an EMC E-Infostructure to power their CRM, ERP and Financial applications
3. By consolidating server storage to EMC Symmetrix systems to eliminate recurring storage-related downtime

Find out how EMC's networked storage solution, software, and global services helped Oracle improve availability, increase IT resource efficiency, and reduce total cost of ownership.

To learn more, click here.

__________________________________

Be careful, though, not to abdicate all your security needs to an outsider. "Outsourcers shouldn't be your only security option," warns Cate Quirk, an analyst at AMR Research in Boston. "You need to keep your intellectual property or public-key infrastructure or secure ID layout closer to home with an in-house security administrator. You don't want an outsider to have complete and total control over everything," she says.

There are dozens of specialized security outsourcers -- also called managed security service providers (MSSPs). The most popular array of services includes selecting, installing and monitoring three key systems: your corporate firewall, virtual private network and intrusion-detection setup. Managed antivirus services and Web content filtering and blocking are becoming more popular, says Allan Carey, a senior analyst at IDC in Framingham, Mass.

All of these services can be purchased discretely or as a bundled suite, depending on your needs.

Prices are generally based on one of two things: a flat monthly fee, or one that's based on the number of systems and devices that are being monitored. Monthly fees can range from $2,000 to $15,000 or more, depending on what level of service you want.

You can, for example, choose to have all your audit logs delivered to you unedited. Then you'll need to go through them to see what's being hacked on your network. Alternatively, your MSSP will aggregate and go through the logs for you, and will deliver summary data that explains where your vulnerabilities are.

Similarly, if there is a problem, you can elect to have the MSSP deal with it -- find and fix the issue either on- or off-site -- or you can choose to resolve the problem yourself.

Another issue that affects the price you pay: whether the MSSP is monitoring your systems and is available to resolve any problems on a 24x7 basis. And it's worth asking how many people at the MSSP's shop will be available to you, either on a dedicated or as-needed basis, as well as what the response time is in the event of a security breach. Another issue to raise is scalability. Make sure your provider can grow with your business.

Also, keep in mind that services can vary a great deal from vendor to vendor, which makes doing apples-to-apples comparisons difficult.

The big names in the MSSP field include Riptech Inc. in Alexandria, Va., Internet Security Systems Inc. in Atlanta, and Counterpane Internet Security, Inc. in Cupertino, Calif., AMR's Quirk says. Other providers include Foundstone Inc. in Irvine, Calif., and Guardent Inc. in Waltham, Mass.

This list used to include two more names: Pilot Network Services and Salinas Group, both of which recently shut their doors with no warning to customers. Their failure, especially in an area as mission-critical as security, points to the need for customers to do a lot of examination before settling on a vendor, Carey says.

"Both Pilot and Salinas were companies that had been around for a while," Carey explains. "That's one of the reasons that many perspective customers are asking MSSPs for financial statements as well as customer references, to make sure the vendor is financially stable." Most suppliers, even private companies, will share financial information with would-be clients under nondisclosure agreements.

Despite the market casualties, IDC is predicting that the need for managed security services will continue to grow by a compound annual rate of approximately 28%. Carey says that the U.S. market in 2000 was around $720 million, and this should grow to around $2.4 billion in 2005. In addition to the increased need for these kinds of services, a shortage of IT security professionals will help fuel the growth, he says.

Carey suggests that customers "look carefully at service level agreements and examine where the liabilities are placed" -- on the service provider or the customer. He also advises to start small, by outsourcing one or two small components of your security, and then assessing how it's going and adding more services if you're happy. "It can be an incremental process," he says.

MORE ON THIS TOPIC:

Read about outsourced security options in searchServiceProvider's Best Web Links.

SearchSecurity has assembled resources on managed security in this featured topic.