Many in the IT industry still remember the early worldwide web days, when computer security was more about technology and less about risk management. In 1995, getting a web site online was a top priority, and engineers were left to buy the gadgets considered necessary for security.
As systems have become increasingly complex, technology more costly and risk levels higher and broader, many organizations are now considering outsourcing all their security needs to specialist service providers.
According to Allan Carey, program manager at IT analyst IDC, service offerings in the IT security marketplace currently fall into: consulting services; implementation; 24x7 management- monitoring; and employee education- training. The early adopters of IT security services were financial services, says Carey. Today, all areas of government, healthcare and manufacturing, particularly among medium-to-large businesses are turning to outsourcing, and IDC estimates that the market for information security in 2003 will be $5.3bn.
"The companies that provide security services have the skill sets to reduce operational costs, the internal costs of providing security," explains Carey. "Companies also hope to spread some liability to the service provider, especially those that have to comply with government regulations, like Sarbanes-Oxley and HIPAA."
Carey says it is important that companies considering outsourcing engage in due diligence by asking for references from customers in the same industry to be sure the provider understands their issues and can deliver what they promise.
Also important, he adds, is to make sure that the provider is financially viable and to read the fine print in the service agreements: "You have to understand the demarcation points of liability - what the service provider is liable for and at what point they will act on your behalf."
With research company Gartner's recent prediction that one in ten jobs at IT companies will be outsourced offshore by the end of 2004, the term "outsourcing" has become a controversial issue in the minds of many IT professionals. Here, four of them discuss the pros and cons.
Andrew Grilk, CTO of e-Revolution, a Memphis-based software development company specializing in real-time commerce systems, is philosophically opposed to the idea of outsourcing anything. Like many small software development companies hit by the economic downturn, Grilk was forced to lay off most of his original IT department, but is in the process of rebuilding now that the company is growing.
He's particularly concerned about the service that businesses receive from outsourcing. He says it's important for employees to feel tied to a company and to understand their particular industry. "Computers touch every industry out there," says Grilk. "It's a constant challenge to know every single industry and how to work with the pitfalls."
Grilk says he has worked at companies that have outsourced other aspects of IT work, in particular coding, but personally prefers to do it in-house. "When you have someone there putting in the effort, you can see how they work, reward them and avoid communication problems."
Trust is an important issue. Grilk says that he is concerned how some of the technology his company has developed might fall into the hands of competitors if he starts "opening the doors and showing other companies what's under the hood." However, he acknowledges that, if the company encountered a large security problem and did not have anyone with the necessary expertise, he might consider consulting a specialist. "We're enthusiastic about doing it ourselves," says Grilk. "But you can never limit yourself by being narrow-minded. We'll keep our options open and not totally discount outsourcing."
Paul Sears, senior infosec manager for the west coast division of pharmaceutical corporation Biogen Idec, is also philosophically opposed to outsourcing critical aspects of IT security. He is responsible for a wide range of information security issues for approximately 2,000 desktops and servers.
"We've built a top-down program, developing policies and user-awareness that gives everyone a controlled understanding about security," says Sears. "We haven't had any major problems - for users, security is part of their daily computer use."
Although he's aware of the potential cost benefits associated with not having to dedicate people to operating a service that does not show immediate value or return on investment, maintaining control over the high-risk elements of computer security is important to him.
"A previous company I worked for outsourced the management of its WAN connections," he recalls. "When Nimda or Code Red came along, we never had adequate response time to stop the worm's propagation and had to physically unplug the connections."
In talking to his counterparts at headquarters, Sears says he is concerned about the quality of service, especially because of the number of false positives the company has been getting from the service provider who handles their firewall and IDS alerts. "It's important to be diligent in describing the service level agreement (SLA) with the provider, how to respond in certain circumstances and how to handle alerts. Don't assume they can do a better job than you."
Another area of concern is the risk within the market space itself. Sears says he fears there's a potential for problems when an SP is bought out by one of the bigger players, and that this might affect existing non-disclosure agreements and put services at risk. "The field of independent, non-biased providers is shrinking," he asserts. "It's easy to get locked into a single provider environment."
Mike Johnson, network administrator for My Bank/First United Bank and Trust in Maryland, is also concerned about losing control. He says that he is troubled because outsourcing forces his company to play by the service provider's rules.
Johnson oversees some 500 desktops, two thin clients and around 75 servers for the bank, which has 24 branches throughout Maryland and West Virginia. As a member of the Federal Deposit Insurance Corporation, FDIC regulations and guidelines have been the driving factor behind outsourcing certain aspects of IT security. Johnson says the decision to outsource is based on the expert resources needed to keep on top of security issues. However, he is not thrilled with this situation.
At the moment, he says, the bank is considering the long-term prospect of taking its WAN management back in-house, although it has not proved cost-effective so far. "When you need to know something, like why the system is slow, you have to call and find out what's going on. By then, the problem has either passed, or reached critical level. Being in reactive mode doesn't reflect well on the department," he insists.
Johnson adds that, when choosing between service providers, they look at the companies' financial background, make sure they are stable, and then review the SLAs on paper. "It's important to know what to expect," he says. "Most companies live and die by their service agreements."
For special agent Bob Breeden, supervisor of the Computer Crime Division of the Florida Department of Law Enforcement (FDLE), being able to draw on the expertise of computer scientists throughout the world was a major factor in the decision to outsource security training and intelligence.
Breeden's team supports the Florida Infrastructure Protection Center, Florida's cybersecurity initiative that provides agencies, businesses and residents with an early cyber-risk alert and prevention and response capabilities.
"We asked ourselves how we were going to create an effective system with current staffing levels," says Breeden. "We recognized there are many different types of activities to understand and, rather than try to recreate that awareness, it would be better to contract with a company that already has ears throughout the world."
Breeden says that, as well as a wide breadth of information and resources, he also wanted a company that could show accuracy, timeliness and solid corporate relationships with other IT partners. The department decided to use TruSecure, which provides automated alert services, training for members of the computer incident response team, and has experts continuously on call.
Breeden says the experience has been a very positive one and that, depending on the issues, situation and budget constraints, he would consider outsourcing more in the future. "We have a good working relationship," he states.
Robert McMillon, product manager for intelligence products and managed services at TruSecure, remembers the early days, when there were a lot of trust issues around IT departments handing over the keys to the security kingdom. Today, he says, many companies are seeing the benefits of having experts in one place without having to invest in the huge operational costs of 24x7 monitoring. However, he is concerned about the "commoditization" of services as the bigger players move in and use managed security services as an add-on.
"The bigger players are pushing down pricing. They can afford to subsidize the cost through other lines of business and treat security like fries - as in, would you like fries with that?" says McMillon. A lot of the concerns raised over SLAs stems from the fact that the same language is used to mean different things, he adds. His advice to anyone considering outsourcing: be clear about what you want from the deal, then make sure the SLA is enforceable, includes some level of mediation, and that there is a way to verify or measure the level of service.