Outsourcing made easy


As businesses cut costs and optimise resources in a world after the crunch, outsourcing is increasingly attractive.

Outsourcing any business function, from HR systems to security, can be a demanding, technical struggle. Add IT security to that, and there's a whole new layer of complexity.

Before you sign the cheque and throw out your firewall and IPS/IDS boxes, take a close look under the hood of outsourcing, the trends behind it and the issues that come with outsourcing IT security.

Cost savings are often touted as a key driver towards outsourcing, and many of the benefits are indeed financial.

By default, outsourcing security functionality such as email scanning or web filtering will save many highly skilled, specialised and expensive man-hours in-house.

Additionally, staff freed of a potentially time consuming, tedious task can then focus on business priorities, something extremely hard to service externally.

Player Pate, managed security services marketing manager, IBM Internet Security Systems, says: "It's important that a business first understands why it is seeking to outsource a particular function.

This allows an assessment of the business case, and an analysis of the objectives that the solution needs to be in line with.

"One common issue is that of expertise. IT security is an increasingly complex field, and many businesses have realised they simply don't have the expertise in-house to deal with it. Most IT departments will see some kind of manpower saving if they outsource certain IT security functions, for example," he says.

Choosing to pass on some of this caseload and specialist ability to a managed security service provider - MSSP - is an increasingly common step.

The option to buy a "clean pipe" from an ISP has been in demand for some years, and is a growing, viable service, especially to combat the inexorable rise in spam, which now accounts for 96.5 percent of all business email, according to IT security software specialists Sophos.

Also, web malware is recording almost exponential year-on-year growth, making in-house tracking a near-impossible task.

Graham Jones, UK managing director of Integralis, agrees: "Keeping up with the sheer throughput of online threats and email malware is a giant task, and encourages many to seek expert help.

"It's definitely an area of increasing maturity though - email security is now easy, web filtering is now done, too, although a few years ago this wasn't true. I anticipate we'll see firewalls go next, probably mid-to-late next year.

"They're beginning to become a commodity that just needs to be there, there's not a massive amount of difference between the top players. IPS and IDS management will go the same way eventually, due to the sheer volume of false alerts that they generate.

"In some cases we'll also see two-factor ID management outsourced - small law firms, for example, that need the technology but don't have the in-house expertise or time to manage this themselves."

Compliance has been a huge driver for outsourcing. As regulations tighten in almost every sector, the list of specific compliance items on every CISO's desk has grown exponentially.

"Another key problem with the outsourcing industry is that most companies don't know what to ask for in their security contract. Some are just impossible; some so easy they're a joke.

"A lot of the time I think good security officers are not being tough enough - they should not be afraid to ask for more. Don't be afraid to base your contract on ISO 27000.

"If your provider is competent then he'll be familiar with these provisions and will already have the process in place. If he doesn't, then you know you're in trouble," adds Knecht.

Enforcing the contract with your MSSP is down to SLAs. Pate believes measurement is key. "You want to ask your MSSP how they are measuring your SLAs. How can you check to make sure they are being enforced?

"You also want to ask about performance-based metrics. Most MSSPs only provide SLAs for device monitoring and security event response times, not around protection. You want to be sure your MSSP can provide SLAs around the protection of your network infrastructure."

The grey area of metrics is key here - gathering various feeds from monitoring devices and displaying them in a dashboard interface is a common feature, but what exactly is it telling you, and does this really reflect your business risk analysis? Kumar has seen this before.

"The effective dashboard is the Holy Grail here, and about as obtainable. The issue of what to display on it is still open for debate - there can be very differing emphasis on risk in different organisations. Probably 70 percent of the metrics are common, another 15 percent are related to vertical sectors, but the final 15 percent depend on the individual business - one size does not fit all."

While the SLAs in place will provide the enforcement, it's vital the original contract is correctly worded and researched. Although due diligence requires that various questions regarding process be asked, many fail to follow up on the answers, according to Knecht.

"A lot of people in my experience go about this process in a very digital way - they ask the right questions, and the MSSP ticks the boxes: yes, yes, yes.

"However, I believe the real solution is to use a much more analogue method - nothing here is black or white, it's all about shades of grey. The trouble is, a lot of contract questionnaires are very formulaic, and don't allow either what they're talking about."

Although increasingly popular, outsourcing is far from a silver bullet for CISOs. "Of course, it doesn't always make sense to outsource. Some functions are simply not cost effective - desktop AV is a good example here," explains Pate.

The future certainly looks bright for the MSSPs, especially as other alternatives to in-house ownership, such as SaaS (Software as a Service), gain traction.

"Outsourcing will become increasingly important to businesses of all sizes," says Jones.

"It's maturing rapidly. Sixteen months ago it would have been seen as highly risky to outsource firewall functionality, but now it's much more accepted.

"I certainly see much more compliance-related measurement going on in the cloud, as well as full-featured compliance suites and risk dashboards becoming more common."

As each security technology matures and becomes de rigueur, the advantages of outsourcing it to a reliable MSSP seem clear.

Cost savings can be made, but will prove extremely expensive if data security is compromised. The rise of the MSSP is set to be steady, but certain.

Source: SC Magazine UK
