How Badly Do You

By CIOinsight  |  Posted 09-05-2005

Outsourced Security: An Idea CIOs Loathe

As fears about outsourcing even the most critical elements of IT continue to abate, there is at least one responsibility many CIOs don't want to give up. "I don't know if I could ever reach a level of comfort to outsource security," says Gregory Coan, CIO of Textainer, a $370 million global manager of marine shipping containers with administrative headquarters in San Francisco.

Coan, like many of his colleagues, handles his own security and has no plans to change that approach.

"It's on me as the CIO to ensure that all the positive steps are taken to secure the data and our systems. While any IT endeavor must be driven by the business it supports, there is a philosophical issue here," he says.

Coan is not alone. According to this month's CIO Insight survey, only 14 percent of companies currently outsource security—and only 1 percent plan to within the next 12 months.

Furthermore, Forrester Research Inc. reports that 52 percent of companies wouldn't consider delegating even a single portion of security to an outside party.

There are many reasons why CIOs hesitate to join forces with security outsourcers, which offer everything from network management and vulnerability assessments to intrusion detection and firewall protection. Some of the fears are rational, some are not.

But perhaps the most powerful deterrent is the fear of losing control, suffering catastrophic losses, and winding up on the front page of the Wall Street Journal. "It takes a fair amount of courage to entrust your security to a third party," says C. Warren Axelrod, director of global information security at Pershing LLC, a Jersey City, N.J.–based clearinghouse for financial information, and author of Outsourcing Information Security (Artech House, 2004).

Despite the fears, outsourcing at least parts of your IT security infrastructure makes sense, especially for large companies. Outsourcers have a broader handle on the most recent worms and viruses sweeping the Web, and employ teams of security experts who can track how those threats move across the globe, giving them time to protect your systems before they can be affected.

They also generate detailed reports on how your security infrastructure is performing, which can make complying with the 2002 Sarbanes-Oxley Act and the 1996 Health Insurance Portability and Accountability Act easier. Of course, the cost savings always come in handy as well.

But outsourcing security will always be a leap of faith. Though vendors claim that outsourcing security is no different from handing over any other business process, security breaches generate something transaction processing errors rarely do: loads of bad press.

And no outsourcer will accept complete financial responsibility for a security mishap. All of which means that when you tiptoe down this road, be sure to bring your lawyer along and structure an airtight service-level agreement. Remember, it's only your career at stake.

Story Guide:

Security, Control, Savings; Pick any Two: Everything can be outsourced except, maybe, self protection.

  • Outsourcers can do things you never could; do you need those abilities?
  • Do "trust," "security," and "outsourcer" really go together?
  • On The Other Hand… …do you hire your own fire department? Here are the pros and cons of outsourcing security—you pays your money and you takes your choice.


How Badly Do You Need a Pro?

Perhaps the most widely touted benefit of outsourcing is the ability to harness the expertise of a reputable security provider that has global reach, ensuring that fewer attacks will slip through the cracks. "Our outsourcer can see global problems, which we couldn't see ourselves," says Eric Latalladi, CTO and vice president at brokerage firm J.B. Hanauer & Co., in Parsippany, N.J., which outsources much of its security infrastructure to Atlanta-based Internet Security Systems Inc.

"If they see something happening in the Pacific Asia region, they can prepare us for it."

Depending on how big they are, outsourcers can take a broad view of what's happening across the Web, which enables them to determine if an attack is an Internetwide event or a specific threat targeting your company alone.

They can then act on your behalf within minutes. "That's very important because a specific attack is much more dangerous than a general virus," says John Pescatore, a vice president and research fellow at Gartner Inc.

Latalladi agrees: A few months ago, ISS called at 3:30 a.m. to notify him that someone had tried to break into his company's systems. "It was a targeted attack from somewhere in Sweden," he says. ISS notified the Internet service provider of the attack's origin, and the ISP notified law enforcement.

"It was all taken care of by the time they called me, which was about five minutes after the event," says Latalladi, who went back to sleep after receiving the call.

As with any outsourcing arrangement, the real attraction here is cost savings. That's what convinced Ken Pfeil, who joined Capital IQ, a division of Standard & Poor's, as its chief security officer in 2003. The company, which offers financial information and analysis to more than 800 clients worldwide, was outsourcing a portion of its intrusion detection and firewall monitoring when Pfeil was hired.

He wanted to make sure he couldn't deliver the same level of service with his own staff at a lower cost.

So, he embarked on a months-long cost/benefit analysis and also compared numerous managed security services providers.

The result: "Outsourcing clearly made better sense for us than hiring a team to do 24/7 security management," he says, adding that hiring his own team would have cost three times as much as his current deal with Amsterdam-based Getronics NV.

Outsourcing is also a worthy consideration for firms that have to scale up or down quickly. In 2000, Calpine Corp., the $9.2 billion global power company based in San Jose, Calif., embarked on a growth spurt, breaking ground on more than 80 new power plants—as many as three new sites per month.

"It was impossible to keep up with the demands," says Sean Curry, Calpine's infrastructure engineering manager who oversees much of the company's security strategy. Each site needed to be provisioned with wireless security devices, intrusion detection and remote VPN tunnels.

After a six-month evaluation, the company chose Science Applications International Corp. to handle its firewalls, intrusion detection, enforcement of network policies and threat response.

Knowing the growth will eventually taper off—60 percent of the new plants are now complete—Calpine structured its SLA so its outsourcer could add or remove staff as needed. "That would have been a big problem for us if we had kept the security in-house; we would have had to hire people and then let them go," Curry says.


Trust is Important; Control is Indispensable

Any vendor will tell you that trust is fundamental when it comes to outsourcing security. And even as they sell you on the notion of partnership, the truth is outsourcers have virtually no liability in the event of an actual breach.

"They operate on a termite inspector's warranty," says Gartner's Pescatore. "If I inspect your house for termites and tell you there aren't any, but your house falls down a week from now, I'll refund my fee for the inspection." To engender trust, some outsourcing firms offer guarantees of up to $50,000 in the case that their customers get hit by certain viruses and attacks. But as we've seen recently, severe attacks can cost a company a much steeper price.

The trust issue is not lost on Hanauer's Latalladi, whose relationship with ISS began more than nine years ago, when he worked at General Motors Acceptance Corp. Latalladi built his relationship with ISS gradually, piece by piece.

He brought ISS along when he moved to Hanauer six years ago, but he didn't hand over the keys to the kingdom right away: "I did small projects with them first, adding things slowly until I reached a trust level I was comfortable with."

Now, ISS handles device monitoring, intrusion protection, policy development and even threat response for the firm.

But trust can take you only so far. Though Latalladi is pleased with ISS, he admits that if his outsourcer failed him even once, he would take his business elsewhere.

"This isn't kids' play, and they understand that," he says. "One oversight or omission could spell disaster; I would be forced to leave them."

Pershing's Axelrod agrees: "There is an assumption that the more attacks you defend against, the better service you have. But it's actually how many you let through that's the most important. And anything other than zero is not good."

Because of this, it's imperative to have a solid service-level agreement that is reviewed often and enforced whenever necessary. Be sure your SLA clearly indicates how the outsourcer handles employee background checks—some outsourcers employ "reformed" hackers, for example—a cause for concern.

Find out how quickly they will notify you of a possible attack or respond to an intrusion (it should be no longer than 10 minutes) and how often they will perform system upgrades and install antivirus updates.

And don't forget that no matter how dependent you may become on your outsourcer, security is still ultimately your own responsibility. It's your company that would suffer from a security breach, so it should be your people who make the decisions around policies and procedures.

"Don't lose focus that this is a business relationship for the outsourcer," says Curry. "They are there to help their company succeed, not yours. In the end, you live and die by the terms you agree to up front."


On The Other Hand...

Despite the hesitation to outsource, analysts claim that companies will eventually join the fold and let third parties manage most—if not all—of their security functions. "In 20 years, everything will be outsourced. It will be like electricity," says Bruce Schneier, security expert and founder of Counterpane Internet Security Inc., a consulting firm that offers hosted security software.

We've heard these claims before, however. In early 2003, Gartner estimated that by 2005, 60 percent of enterprises would have outsourced the monitoring of at least one network boundary security technology. But this, like so many other analyst predictions, has not proved prescient.

"It hasn't grown at the rate the venture capitalists were hoping," admits Gartner's Pescatore.

What outsourced security has going for it, though, is that security services are starting to be offered as part of a package from existing outsourcers.

Even telecommunications providers are tacking on new security features to their services. These services free companies from the burden of maintaining their own equipment; rather, network traffic will be scrubbed of viruses, denial-of-service attacks, spam and other threats before they ever reach your firewall. And because the companies offering these services have many customers, "they will be most aware of what the threats are," says Axelrod. AT&T Corp., MCI Inc. and Sprint Corp. are beginning to offer such cleansing services.

If the security outsourcing market ever does start to pick up momentum, it won't be the first time. "People outsource security all the time," notes Schneier. "We all use fire departments, we don't hire our own private police force or go around with shotguns dispensing our own justice. How much would it cost you to fully stock your own fire department? When you think about it like that, the economics start to make more sense."

Security outsourcing: The Ins and Outs

Information Security Infrastructure
  Advantage of outsourcing: Even if the information security function is managed in-house, it is often beneficial for a third party to design, implement and/or validate implementation of the infrastructure.
  Disadvantage of outsourcing: Third parties might over-engineer the solution and/or propose a solution that may be better suited to third-party implementation and management.

Physical Security
  Advantage of outsourcing: Generally an organization will find it more economical and less burdensome to use third-party guard services to secure a facility and check identities and authorized destinations (who they came to visit) of those wanting access.
  Disadvantage of outsourcing: A significant amount of trust is put on these outside services, so that when there is a problem it can be doubly dangerous because the outsider has insider access.

Operations Management
  Advantage of outsourcing: Certain operational functions, such as payroll processing, are specialty commodity services and are generally outsourced by all but the very smallest or largest organizations.
  Disadvantage of outsourcing: Loss of control is a considerable concern here, as is reduced flexibility.

Protection Against Malicious Software
  Advantage of outsourcing: Outside services generally have the size and scope to be able to provide a broader perspective. Also, they have an incentive to keep their antivirus signatures very current and to screen out a high proportion of spam and similarly unauthorized messages.
  Disadvantage of outsourcing: If there are false positives, it may be more difficult to retrieve quarantined e-mails from the outsourcer.

Network Management
  Advantage of outsourcing: There have been quite a number of highly visible, large-scale and successful outsourcing programs in which a third party is assigned full responsibility for managing large firms' networks. There are considerable savings and other benefits to be had, especially for 24/7 global networks.
  Disadvantage of outsourcing: High dependency on an outsourcer for such a critical area might lead to significant problems were the provider to go out of business.