Farming Out Network Security

Outsourcing might save you money if you choose your provider with care.


Our last presidential campaign raised a lot of ire over the subject of outsourcing. Network security outsourcing is facing its own controversy within the security field, not over social concerns but over issues of trust.

The most frequently outsourced network security services are the selection, installation and monitoring of the corporate firewall, virtual private networks and Internet setup and services. Managed antivirus services and Web content filtering and blocking are becoming increasingly popular. But is it safe to put these services in the hands of an outsider?

Why Do Companies Outsource?
Why do companies outsource? It’s clear now that protecting the network perimeter alone is insufficient. Isolated security products have vulnerabilities that perimeter protection fails to take into account, so the best approach involves securing critical assets, networks and information systems while implementing robust defenses against hackers, viruses and other online threats. It may be difficult or impossible to employ security staff capable of dealing with all these threats.

In many companies, network security staff have system responsibilities and activities that go beyond security. In addition, understanding and defending against the latest threats requires constant education of staff, delegation of additional tasks, and proactive monitoring, maintenance and upgrading of the firm’s network protection. This can result in an ongoing need to add security staff, which also adds to the budget for staff, related benefits and IT products.

Financial savings and staffing challenges are two of the most-cited reasons companies outsource network security. Third-party security service providers offer competent handling of routine security activities (i.e., monitoring and maintenance of hardware, software and traffic), and they can prepare the numerous reports required by government regulations. With these tasks out of the way, companies can focus their internal efforts and personnel on more critical security functions.

There are, of course, certain risks in outsourcing security functions. When you outsource, you are allowing outsiders into your network. Can you trust the firm to which you’re outsourcing? Is the provider vigilant about the background and expertise of its personnel? Is your network safe?

Many companies feel that because of compliance issues in their industry sector, it’s necessary to develop a network core competency in-house, and that outsourcing can serve to defeat this objective. Total control of security should never be ceded to an outside provider. While it may be possible to hand off management duties, most companies find that keeping control of critical functions is vital to a successful security program.

Managed Security Services
When cost and complexity seem unmanageable, a managed security service provider (MSSP) can provide a level of technology, training and expertise that ensures immediate and appropriate response to real threats. Gartner anticipates that during 2005 the demand for MSSPs will increase at a compound annual growth rate of 31 percent, and The Yankee Group says that outsourced security services will reach $1.7 billion in 2005. Large companies such as Cisco, Symantec, Level 3 and Verisign now offer expanding MSSP practices.

In order to reach their potential, MSSPs will have to overcome the bias many companies have against letting an outsider run their security. And since no MSSP offers total reliability, companies must negotiate smart contracts that provide for insurance and compensation for damages.

Picking Your Provider
Outsourcing is a big step for a company to take, and one that is not easily reversible. If you’ve decided to outsource, the next step is choosing a reliable provider. Take the following considerations into account before you make your final decision.
