Outsourced Security: An Idea CIOs Loathe - 'On The Other Hand' (Page 4 of 4)
Despite the hesitation to outsource, analysts claim that companies will eventually join the fold and let third parties manage most, if not all, of their security functions. "In 20 years, everything will be outsourced. It will be like electricity," says Bruce Schneier, security expert and founder of Counterpane Internet Security Inc., a consulting firm that offers hosted security software.
We've heard these claims before, however. In early 2003, Gartner estimated that by 2005, 60 percent of enterprises would have outsourced the monitoring of at least one network boundary security technology. But this, like so many other analyst predictions, has not proved prescient.
"It hasn't grown at the rate the venture capitalists were hoping," admits Gartner's Pescatore.
What outsourced security has going for it, though, is that security services are starting to be offered as part of a package from existing outsourcers.
Even telecommunications providers are tacking on new security features to their services. These services free companies from the burden of maintaining their own equipment; rather, network traffic will be scrubbed of viruses, denial-of-service attacks, spam and other threats before they ever reach your firewall. And because the companies offering these services have many customers, "they will be most aware of what the threats are," says Axelrod. AT&T Corp., MCI Inc. and Sprint Corp. are beginning to offer such cleansing services.
If the security outsourcing market ever does start to pick up momentum, it won't be the first time. "People outsource security all the time," notes Schneier. "We all use fire departments, we don't hire our own private police force or go around with shotguns dispensing our own justice. How much would it cost you to fully stock your own fire department? When you think about it like that, the economics start to make more sense."
| Area | Advantage of outsourcing | Disadvantage of outsourcing |
|---|---|---|
| Information Security Infrastructure | Even if the information security function is managed in-house, it is often beneficial for a third party to design, implement and/or validate implementation of the infrastructure. | Third parties might over-engineer the solution and/or propose a solution that may be better suited to third-party implementation and management. |
| Physical Security | Generally an organization will find it more economical and less burdensome to use third-party guard services to secure a facility and check identities and authorized destinations (who they came to visit) of those wanting access. | A significant amount of trust is put on these outside services, so that when there is a problem it can be doubly dangerous because the outsider has insider access. |
| Operations Management | Certain operational functions, such as payroll processing, are specialty commodity services and are generally outsourced by all but the very smallest or largest organizations. | Loss of control is a considerable concern here, as is reduced flexibility. |
| Protection Against Malicious Software | Outside services generally have the size and scope to be able to provide a broader perspective. Also, they have an incentive to keep their antivirus signatures very current and to screen out a high proportion of spam and similarly unauthorized messages. | If there are false positives, it may be more difficult to retrieve quarantined e-mails from the outsourcer. |
| Network Management | There have been quite a number of highly visible, large-scale and successful outsourcing programs in which a third party is assigned full responsibility for managing large firms' networks. There are considerable savings and other benefits to be had, especially for 24/7 global networks. | High dependency on an outsourcer for such a critical area might lead to significant problems were the provider to go out of business. |