What CIOs Need to Know About Outsourcing IT Security
Friday, 24 July 2009
By Laton McCarttney
Two years ago when the Computer Security Institute (CSI) did a survey about outsourcing IT security, some 61 percent of the respondents said they wouldn't let outsourcers anywhere near their security infrastructure.
Today, however, while many IT managers still seem reluctant to hand such an important function over to outsiders not familiar with their organizations' inner workings, the resistance to farming out at least some IT security functions may be waning. "It makes sense today to outsource what are commodity security activities like monitoring firewalls," Jonathan Gossels, president and CEO of SystemExperts, a security and compliance company, tells CIOZone. "These are activities that require 24/7 staffing at fairly low levels. You can usually generate savings by outsourcing here."
"Outsourcing at least a portion of an organization's IT security operations increasingly makes sense in our online real-time malware-infested business environment," states a recent report, Use of IT Security Outsourcing Low But Rising as Threats Grow, from Computer Economics, which provides metrics for IT management. "Security threats are expanding at every level. The Conficker worm made evident the insidious menace represented by botnets. Spam may not be growing at its previous torrid pace, but still claims a very high percentage of overall email traffic - 97%, according to Microsoft's most recent survey. Data security is a particular concern: The number of data breaches last year increased 47% from the year earlier, according to the Identity Theft Resource Center. Even information warfare and cybersabotage, so much science fiction fodder just a few years ago, seem like very real possibilities these days."
A shortage of good talent and the funds to pay for it is also causing an uptick in this arena, the Computer Economics report asserts. "Even if companies were hiring IT workers, which many of them are not, security expertise is a scarce and valuable commodity. This is why outsourcing security, or at least some portion of your security operations or functions, may make sense. As is true with many other areas of IT operations, security is both a strategic and tactical effort, and outsourcing can be an efficient way to lower the costs of tactical functions and boost the effectiveness of strategic operations."
Any organization outsourcing IT security functions, however, should proceed with the utmost caution, security experts say. Here are some key pointers:
For starters, begin incrementally. "Roll it out slowly," says Daniel Wallace, a Detroit-based information security consultant. "Begin with a single service such as spam filtering and see how the outsourcer handles it. If you're satisfied, then you can add other services like network monitoring and intrusion detection down the road."
Even if the outsourcer meets or exceeds your expectations, steer clear of outsourcing any activity that's critical to policy development, or that has a critical impact on your business, says Gossels. Those are the company jewels, and they're too valuable to trust to strangers.
CIOs should engage the company's chief security officer (CSO) or chief information security officer (CISO) from the get-go in any attempt to outsource security. "They should be a key part of the decision," Wallace notes.
Remember that no matter what the outsourcing sales people claim, you're not always going to save money by going this route, Wallace maintains. "And make sure you sharpen your pencil in dealing with the charges involved and get your arms around your costs - what it costs you to manage a firewall as opposed to what the outsourcer is going to charge," he says.
Realistically, he adds, you can expect to run into problems with outsourcers all the time. "I'm not saying there's fraud, but service level breakdowns, hidden costs and support that fails to reach the levels that were promised are common."
Stick with the name brands. That great deal being offered by an outsourcer you've never heard of in a faraway land - forget about it.
Finally, remember what is perhaps the cardinal rule of outsourcing, one that's especially relevant with security: You can't drop the responsibility for regulatory compliance or the safeguarding of personal or proprietary information in someone else's lap. Those are your babies.