Information security has risen dramatically on corporate agendas since this time last year, fuelled by a combination of the terrorist activities of September 2001, the growing sophistication of malicious online attacks on businesses, and the increasing realization that unbroken network surveillance, instant intrusion detection and immediate response strategies are boardroom responsibilities.
However, despite increasing media attention and IT spending predictions (Dataquest anticipates that the worldwide security software market will rise 18 percent in 2002 to reach $4.3 billion), most of the coalface customer evidence seen by Ultima Business Solutions' security consultants so far this year suggests that more and more IT teams are in fact progressively failing in their duty to protect their organizations from attack. This is not as a result of willful negligence, but because of the huge logistical burdens associated with providing 24/7 network security cover.
Ultima believes the millstone of providing effective 24/7 security with in-house resources alone is one of the primary causes of business exposure today. Firewall policies and infrastructures, audit trails, rule bases and authentication procedures need to be continuously checked to remain watertight. Patches have to be devised and/or implemented as a priority. Detailed log analysis must be carried out to monitor traffic flow trends and search for malicious activity. Although most organizations recognize the importance of carrying out all these activities, the reality of trying to do so with just an internal IT team can be an uphill struggle.
Delivering optimum business protection at reasonable cost but without overloading the available in-house IT resource can be a double-edged sword - and that's why the take-up of managed security services is expected to boom over the next three years. Gartner Group has estimated outsourcing in Europe will grow at an annual rate of 14 percent until 2005. Meta Group predicts that global spending on managed service providers (MSPs) will reach £15 billion ($22 billion) by 2006. However, the decision to adopt a managed security service is not one that can be taken lightly. Before a third party is invited to manage such a business-critical process, serious consideration must be given to the kind of partnership desired, the security levels needed, the investment versus return expected, and the service level agreements (SLAs) required.
The Partnership Factor
If effective security is about ensuring that business risks are continually monitored and prioritized so that network vulnerabilities can be identified and treated before they start to impact on business productivity, then the communication channel between your internal and external teams will be a critical success factor if you decide to outsource. The best managed services relationships are those based on a foundation of mutual partnership, which adds tangible value to the security equation. As competition in the marketplace grows, the service providers who will succeed are those who base their customer relationships on trust, respect and understanding - and these are the ones that are worth seeking out.
An MSP relationship should never cause an organization to lose control of its security infrastructure or make it vulnerable to the third-party provider. The ideal outsourced collaboration will encourage the participating organization to retain overall control of its security infrastructure and critical decision-making, while ensuring that the MSP is given both the potential and the opportunity to provide strategic security advice and expertise. The MSP must become part of the business's extended team - and be trusted as such - if outsourced security management is to be a success. So, businesses should carefully assess the strength of the outsourced partnership and the expertise of the team they are outsourcing to before they commit.
While e-business infrastructures have paved the way for near-instantaneous trade on a global basis for even the smallest of operators, they have also increased many times over the number of security risks that organizations are subject to. Recent Ultima research found that the average company is subject to around 30 attempted security breaches every day. Of these attempted breaches, six to ten are serious security threats - a sobering thought for any organization not performing continuous security surveillance and for the many IT departments already forced to perform a delicate balancing act between available skills and resources and conflicting IT priorities.
In today's online world, operational risk must be viewed as seriously as financial risk. Assessing the level of business protection required to defend the integrity of business data, network infrastructures and the company's brand value is an important step in deciding whether or not to outsource. The most effective way to kick-start this process is for IT teams to spend time reviewing current audit trail data, carrying out detailed log analysis, and agreeing on the company's current vulnerability in relation to the impact of a potential malicious attack. This information can then be used to identify the level of security service required.
Investment versus Return
Today's e-business infrastructures tend to be heterogeneous and complex to manage. Businesses operate in dynamic environments so, from an IT perspective, change is the only constant. The relevance of any firewall policy can diminish in a number of days, unless it's clearly documented and then micro-monitored with detailed process checks. Providing around-the-clock security protection across multiple platforms and computing devices in-house usually means recruiting a team of IT specialists with up-to-date security knowledge and real-world networking experience. This level of internal resource will not come cheap.
Ultima estimates that true 24/7 security management for an average company requires a dedicated team of at least seven people. The salary bill for such a team, at least in the U.K., is likely to total £280,000 ($409,300) - and that's before training and holiday cover costs are included. An MSP, on the other hand, should be able to supply a fully qualified and experienced team of security consultants to manage a single firewall around-the-clock for about £20,000 ($29,000) per year. On a simple cost basis, it's easy to see why outsourcing is growing in popularity. However, the real value of outsourcing is in the return it delivers by freeing internal IT resources from day-to-day security administration, allowing them to concentrate on more strategic business and user support. Businesses considering the managed security services route should weigh up the benefits of outsourcing from a long-term resource and brand management point of view, not just in terms of the initial cost savings. This is where the real business advantages and the true board-level justifications will be found.
Few organizations still work in a 9 a.m. to 5 p.m. business culture. The growth in remote and mobile workers, international travel and global trade has placed increasing demands on the corporate networking environment, and 24/7 access to data and services has become an expected norm in all but the smallest businesses. Using an MSP to take the pain out of e-business infrastructure management can seem like the obvious choice. However, the outsourced service that a company receives from an MSP can only be as good as the performance parameters that are established at the beginning of the partnership. Getting these right at the outset is key to the success of the relationship.
A recent Ultima survey of more than 670 U.K. IT decision-makers revealed that many senior IT staff not currently outsourcing their security have serious concerns about MSP performance and standards of security management. The survey also uncovered fears that organizations would lose the ability to manage their security internally if they signed up a third-party provider. SLAs can go a long way towards overcoming worries about the impact of outsourcing and will help internal and external teams to work seamlessly together. Concise SLAs agreed at the start of the MSP partnership will not only get the relationship off on the right footing, they will also act as a guide for all future performance monitoring.
The MSP market is growing rapidly and it's probable that some consolidation will be seen over the coming years. Although it's uncertain that this consolidation will be on the same scale as that recently witnessed in the application service provider (ASP) market, any change is likely to trigger an increased focus on service quality. Businesses can realistically expect to see greater emphasis being placed on SLAs over the next 18 months and an increased focus on customer dialogue as MSPs develop more sophisticated reporting and review procedures. The smartest service providers are already starting to work more closely with vendors and suppliers to provide greater flexibility in the way services are priced and packaged. This is likely to continue.
Without doubt, outsourcing security management to a specialist provider can ease the burden on overstretched IT resources, ensure a company is equipped with the IT security expertise it requires, and deliver against strategic business objectives - but only if the process is properly managed and executed. Although businesses may be putting themselves at risk today by allowing audit trail, rule base and policy checks to lapse during busy periods, an MSP cannot be seen as a 'quick-fix.'
If outsourced security management looks like an appealing solution, then a best-of-breed MSP with a strong vision for service and performance delivery, in-depth security expertise and a real understanding of the importance of partnership, security, ROI and SLA requirements is a must. For organizations that decide to explore the managed security services route, taking time to find the right MSP relationship will be, quite simply, a great business investment.
Lisa Dargan is business development director responsible for managed services with e-business infrastructure and security specialist Ultima Business Solutions (www.ultimabusiness.com).