In my 25+ years in IT, I have seen the outsource/insource pendulum swing back and forth. One of the popular arguments in favor of outsourcing is that it can save an organization dollars in total cost of ownership. In my experience, that is not always the case. But now Forrester has completed a study that says outsourcing Security-as-a-Service could help a company save millions of dollars over a period of three years.
The Forrester study was commissioned by Alert Logic, a managed cloud security firm (full disclosure: I have consulted for Alert Logic, but had no involvement in this study). While the study is specific to Alert Logic solutions around log management, threat management, and web application firewall (WAF), it could just as easily be applied to any MSSP or Security-as-a-Service provider.
The study shows that over a three-year period, a customer (based on a composite of Alert Logic customers) would save $1.36 million through Security-as-a-Service. I myself am always leery of these kinds of numbers from studies like this. But when you dig in, even on a back-of-a-napkin basis, it is probably about right.
Here are the assumptions it is based on:
The composite organization that Forrester synthesized is a business services firm with 12 locations around the globe. The organization operates two data centers that provide 24x7 IT services to its employees, partners, and customers. Its data centers are located in the EU and US. The organization has a number of web applications, including two customer-facing applications that provide sales and support functions. The IT team is lean, and the organization uses outsourced services for a variety of IT operations and functions. Over the past few years, the organization has developed new intellectual property (IP) that it needs to protect in addition to the confidential information of its customers.
Their security challenges were:
- Inability to keep pace with an ever-changing threat environment.
- Need for 24x7 security monitoring on a global basis.
- Inability to actively monitor and review the hundreds of log files produced by their servers and other hardware.
- Need to meet regulatory requirements like SOX and PCI.
- Challenges in recruiting and retaining skilled security engineers and analysts.
You can see all of the math by downloading the report. Bottom-lining it out, the biggest cost savings were in not having to hire full-time security staff and not having to buy traditional appliances and software licenses over the course of the three years. There were also savings from the effectiveness of the AL security team versus one that a customer would struggle to maintain.
As I said, this same analysis would be relevant to other MSSPs and Security-as-a-Service providers as well. However, in the Alert Logic case, there are parts of the security stack they don’t provide. In order to maintain that cost savings, would this composite customer have to outsource additional security to another provider? If not, would they be forced to hire security personnel anyway? And if so, could they not leverage them over the outsourced model?
One thing is clear – in an age where so much of our infrastructure is not 100% in our control, it makes more sense than ever to use managed security. Hiring qualified security staff in-house is extremely costly and difficult. If it is not core to your business, you are better off handing it over to a pro.