Outsourcing security is a touchy subject for CIOs. Surveys indicate that over 50 per cent of CIOs say they will never outsource security. The most frequent reason given is that it’s too risky to trust a third party with information security. Unscrupulous behaviour on the part of outsourcer employees could have devastating consequences. But is your risk really any lower with company employees?

Outsourcers promise the security service they provide will be better than the service you would get in-house. However, CIOs are nervous about the expertise and turnover among the outsourcer’s security management staff. But can you reduce these problems with company IT staff?
Outsourcers insist their security service will be cheaper than insourcing it. However, CIOs will be skeptical based on examples of unhappy cost experiences with outsourcing other IT functions. But haven’t we learned how to manage outsourcing better?
Now what? Hiding from the security management issue, hoping that it will blow over, is unlikely to be a CIO’s best response as security threats and response complexities continue to grow.
Here’s the case for outsourcing security management to a managed security service provider (MSSP) with responses to the usual challenges to outsourcing.
RISKS: How does a CIO know that the risks associated with working with an MSSP are really lower than the risks associated with an in-house solution?
Implosions of MSSPs like Pilot and Salinas Network Services, as well as on-going industry consolidation such as the VeriSign acquisition of Guardent, have heightened the CIO’s sense of vendor risk.
First, the risk associated with MSSP upheaval can be largely mitigated by a carefully executed vendor selection process. Can your hiring and management processes similarly lower the risks for an in-house solution?
Second, despite all the attention given to external hacker attacks, up to 80 per cent of attacks and data compromises occur inside the network. Can your in-house staff respond to internal attacks better than the MSSP staff?
SERVICE QUALITY: How does a CIO know that the benefits associated with working with an MSSP are really higher than the benefits associated with an in-house solution? CIOs wonder about immediate access to talent in a crunch. The MSSP staff is typically located far away, perhaps as far away as India. The in-house staff is just down the hall. They should be able to provide better service.
First, the variety of functions associated with security management keeps growing. Companies used to do little more than reset passwords, monitor firewalls, delete e-mail spam and zap viruses and worms. Now spyware, more sophisticated hacking, intrusion detection and prevention, phishing, Web scams, identity management, compliance reporting and patch management need increasing amounts of attention.
Second, attacks against a single company don’t happen often enough to keep a team of this caliber focused, engaged and challenged. Boredom will undermine morale. Can you keep your in-house staff sharp between attacks?
Third, MSSP staff gain more experience than in-house staff through their encounters with many security problems among their many clients. How can you provide your in-house staff with the experience they need?
COST: How does a CIO know that the costs associated with working with an MSSP are really lower than the costs associated with an in-house solution?
CIOs worry that contracting with an MSSP may result in cheques paying for big bonuses and fancy perks for various executives or for flying a lot of high-priced help around various facilities. First, in-house staffing for security expertise 24 hours a day, 365 days a year, requires five full-time employees plus supervisors and backup personnel. Even if your company is prepared to budget for all of these people, could you find them in today’s job market?
Second, retaining this skilled staff would be even harder. Security monitoring is inherently erratic. A typical pattern is weeks of boredom followed by hours of panic. Boredom will create restlessness. Can you keep your team from being picked off by head-hunters?
Despite concerns about trust and memories of other outsourcing deals gone bad, CIOs will outsource more security management functions in the future. The shortcomings and costs associated with operating in-house security management preclude it as a viable alternative.