Perhaps the most widely touted benefit of outsourcing is the ability to harness the expertise of a reputable security provider that has global reach, ensuring that fewer attacks will slip through the cracks. "Our outsourcer can see global problems, which we couldn't see ourselves," says Eric Latalladi, CTO and vice president at brokerage firm J.B. Hanauer & Co., in Parsippany, N.J., which outsources much of its security infrastructure to Atlanta-based Internet Security Systems Inc.
"If they see something happening in the Pacific Asia region, they can prepare us for it."
Depending on how big they are, outsourcers can take a broad view of what's happening across the Web, which enables them to determine if an attack is an Internetwide event or a specific threat targeting your company alone.
They can then act on your behalf within minutes. "That's very important because a specific attack is much more dangerous than a general virus," says John Pescatore, a vice president and research fellow at Gartner Inc.
Latalladi agrees: A few months ago, ISS called at 3:30 a.m. to notify him that someone had tried to break into his company's systems. "It was a targeted attack from somewhere in Sweden," he says. ISS notified the Internet service provider of the attack's origin, and the ISP notified law enforcement.
"It was all taken care of by the time they called me, which was about five minutes after the event," says Latalladi, who went back to sleep after receiving the call.
As with any outsourcing arrangement, the real attraction here is cost savings. That's what convinced Ken Pfeil, who joined Capital IQ, a division of Standard & Poor's, as its chief security officer in 2003. The company, which offers financial information and analysis to more than 800 clients worldwide, was outsourcing a portion of its intrusion detection and firewall monitoring when Pfeil was hired.
He wanted to make sure he couldn't deliver the same level of service with his own staff at a lower cost.
So, he embarked on a months-long cost/benefit analysis and also compared numerous managed security services providers.
The result: "Outsourcing clearly made better sense for us than hiring a team to do 24/7 security management," he says, adding that hiring his own team would have cost three times as much as his current deal with Amsterdam-based Getronics NV.
Outsourcing is also a worthy consider-ation for firms that have to scale up or down quickly. In 2000, Calpine Corp., the $9.2 billion global power company based in San Jose, Calif., embarked on a growth spurt, breaking ground on more than 80 new power plantsas many as three new sites per month.
"It was impossible to keep up with the demands," says Sean Curry, Calpine's infrastructure engineering manager who oversees much of the company's security strategy. Each site needed to be provisioned with wireless security devices, intrusion detection and remote VPN tunnels.
After a six-month evaluation, the company chose Science Applications International Corp. to handle its firewalls, intrusion detection, enforcement of network policies and threat response.
Knowing the growth will eventually taper off60 percent of the new plants are now completeCalpine structured its SLA so its outsourcer could add or remove staff as needed. "That would have been a big problem for us if we had kept the security in-house; we would have had to hire people and then let them go," Curry says.