Outsourcing security is a touchy subject for CIOs. Surveys indicate that more than 50 per cent of CIOs say they will never do it.
The most frequent reason given is that it’s too risky to trust a third party with information security. Unscrupulous behaviour on the part of outsourcer’s employees could have devastating consequences. In this view, outsourcing security is indeed an oxymoron. But is your risk really any lower with your own company employees?
Outsourcers promise the security service will be better than companies can get insourcing. However, CIOs are nervous about the expertise and turnover among the outsourcer’s security management staff. But can you reduce these problems with company IT staff?
Outsourcers insist using them will be cheaper than doing security inhouse. CIOs are skeptical, based on some examples of unhappy cost experiences with outsourcing other IT functions.
But haven’t we learned how to manage outsourcing better?
Hiding from security management issues, hoping they will blow over, is unlikely to be a CIO’s best response as security threats and response complexity continue to grow.
Here’s the case for outsourcing security management to a managed security service provider (MSSP) with responses to the usual challenges to outsourcing.
How does a CIO know that the risks associated with working with a MSSP are really lower than the risks associated with an in-house solution?
Implosions of MSSPs such as Pilot and Salinas Network Services, as well as on-going industry consolidation such as the VeriSign acquisition of Guardent, have heightened the CIO’s sense of vendor risk.
First, the risk associated with MSSP upheaval can be largely mitigated by a carefully executed vendor selection process. Can your hiring and management processes similarly lower the risks for an in-house solution?
Second, despite all the attention given to external hacker attacks, up to 80 per cent of attacks and data compromises occur inside the network. Can your in-house staff respond to internal attacks better than the MSSP staff?
Third, some of the MSSP risk is related to experienced staff reallocation to other clients and to staff turnover. Are your staff turnover risks with in-house staff any lower?
How does a CIO know that the benefits associated with working with an MSSP are really higher than the benefits associated with an in-house solution?
CIOs wonder about immediate access to talent in a crunch. The MSSP staff is typically located offshore, perhaps as far away as India. The in-house staff is just down the hall; they should be able to provide better service.
First, the variety of functions associated with security management keeps growing. Once companies did little more than reset passwords, monitor firewalls, delete e-mail spam and zap viruses and worms. Now spyware, more sophisticated hacking, intrusion detection and prevention, phishing, Web scams, identity management, compliance reporting and patch management need increasing amounts of attention. Can your in-house staff meet these demands?
Second, attacks against a single company don’t happen often enough to keep a team of this caliber focused, engaged and challenged. Boredom will undermine morale. Can you keep your in-house staff sharp between attacks?
Third, MSSP staff gain more experience than in-house staff through their encounters with many security problems among their other clients.
How does a CIO know that the costs associated with working with an MSSP are really lower than the costs associated with an in-house solution?
CIOs worry that signing a contract with an MSSP may result in cheques being used to pay for big bonuses and fancy perks for various executives or for flying a lot of high-priced help around among your various facilities.
First, in-house staffing for security expertise 24 hours a day, 365 days a year, requires five full-time employees plus supervisors and backup personnel. Even if your company is prepared to budget for all of these people, could you find them in today’s job market?
Second, retaining this skilled staff would be even harder. Security monitoring is inherently erratic. A typical pattern is weeks of boredom followed by hours of panic. Boredom will create restlessness. Can you keep your team from being picked off by head-hunters?
Third, security management requires an investment in computing infrastructure. MSSPs can amortize some of these costs across all their clients.
A CIO may be tempted to keep security management inhouse as a way of keeping the head count in the IT domain higher and maintaining his or her sense of self-importance.
Counteracting a shrinking IT domain through insourcing could be a move that will haunt the CIO in the aftermath of the first security breach.
An MSSP also adds value by being a convenient target for any blame. (Never mind that poor management of the outsourcing relationship contributed to the security breach.)
Despite concerns about trust and memories of other outsourcing deals gone bad, CIOs will outsource more security management functions in the future. The shortcomings and costs associated with operating in-house security management preclude it as a viable alternative.