Is security ripe for outsourcing?

Security demands for online applications such as e-commerce and Web services are prompting more corporate customers to hand off security functions – such as intrusion detection and firewalls – to outside service providers.

Users are finding that third-party security service providers can also help augment an internal security strategy by preparing reports required by many new government regulations.

As a result, the trend toward outsourcing security functions, which peaked during the Internet boom, is slowly angling upward again as companies discover that handing off routine security activities enables them to focus internal security expertise in more critical areas. However, hurdles remain, and many companies still prefer to keep such sensitive IT functions in-house.

“As we’ve seen the economy pick up over the past six or eight months, we’ve seen companies turn to outsourcing because they want to use their security staff to address security needs for e-commerce and VPN and Web applications – the let-the-good-guys-in sort of stuff to connect with customers, partners and employees,” says Kelly Kavanagh, a principal analyst at Gartner.

“The routine monitoring and maintenance of firewalls and monitoring of [intrusion-detection system] traffic for alerts are things they’re finding have a great impact on their staff time and is something they can give to somebody who does that 24-7,” he says.

Since the beginning of the year, clients have had more questions about outsourcing security and more are on the brink of contracting with service providers, Kavanagh says, adding that “the question now is ‘who,’ not ‘whether’ or ‘if.'”

Still, analysts note that the move to outsource security functions is a slow one. One reason is that the so-called managed security service provider market continues to consolidate – Level 3 Communications acquired Genuity early last year, and VeriSign snapped up Guardent in February this year – leaving some enterprise customers wary about contracting with a firm that might not be around in a few months.

Gartner expects consolidation to continue as smaller players band together to compete with larger providers and those large firms seek to expand their security expertise through acquisition.

In addition, companies for a variety of reasons are still reluctant to hand off security functions to outside parties.

Willis Marti, associate director for networking for computing and information services at Texas A&M University in College Station, says increasingly complex security needs linked to proliferating viruses, patch management and other issues actually make him more likely to keep security in-house.

“The more complex the task, the more difficulty in structuring an agreement with an outside party,” say Marti, who oversees a network that connects more than 60,000 users. “Security has to be provided in the context of business operations. . . . There is almost no chance we’ll do any outsourcing of security functions. Part of the reason is a special expertise we have, part is because I’m not aware of any really successful outsourcing, and part is the close-to-unique nature of a major university.”

John Halamka, CIO of Harvard Medical School and CareGrou p Healthcare System in Boston, began outsourcing network security monitoring to Counterpane in 2001, but brought those functions back inside the organization last year.

“Because we’re a healthcare organization it was essential to develop a core competency in doing network security,” says Halamka, who estimates his network is attacked about every 7 seconds on average. “With [the Health Insurance Portability and Accountability Act], we wanted to have our own internal staff who could be extraordinarily vigilant and fleet of foot to respond to issues instantaneously and constantly advise how to improve our infrastructure to guard against ever-wily hackers.”

It was access to this type of advice that was part of the reason why financial publisher Bowne & Co. in New York outsourced its IDS monitoring to Internet Security Systems (ISS).

“We have a good mix of in-house expertise and good standard operating procedures and a service that has been reasonably priced and has given us access to additional expertise that has been quite helpful,” says Ruth Harenchar, Bowne’s CIO.

Last month, Credit Suisse in Zurich, Switzerland, announced that it was outsourcing security for the first time, entering into a three-year contract with Ubizen to monitor the bank’s IDS.

“Monitoring and administering an intrusion-detection system in a complex IT environment requires specialized know-how, which must be available 24-7 and continuously updated,” says Ralph Holbein, chief information security officer for Credit Suisse. “This is very challenging as well as costly and, obviously, not a core function of a financial institution.”

Holbein wouldn’t say how much Credit Suisse is saving by outsourcing its IDS monitoring, but says that having access to Ubizen’s expertise will “increase the quality and effectiveness of our security.” Savings come from being able to reallocate IT staff, eliminating the need to add IT staff as security needs increase, for example. 

That’s what EMI was looking for when it outsourced some of its security functions about a year and a half ago. The music giant in New York found that as its online business grew, so too did the demands on its internal IT staff.

“We had put firewall technologies in place and we were managing them ourselves, but we weren’t happy with the service level we were able to provide internally,” says Jim Russo, senior director of network services at EMI.

So the company turned its firewalls and related technology, such as intrusion detection, over to ISS.

“While we’re the largest pure music company globally and operate in 50 countries, we’re on a very thinly funded model,” Russo says. “The ability to run true 24-7 operations with rapid response to the changing Internet environment was more than we could budgetarily design. We had to look at partners.”

For Gene Fredriksen, vice president of information security for Raymond James Financial in St. Petersburg, Fla., the point of outsourcing IDS with VeriSign is to augment his internal security procedures. VeriSign handles some IDS monitoring for Raymond James, but IDS monitoring also is conducted internally.

“One of the things that is important for information security is to do external validations and expand the sphere of intelligence that you gather,” Fredriksen says. “If all your security functions are internal and you don’t have a metric for someone to look at you from the outside, you’re missing a big piece.”

Theresa Grant, director of information security at Dow Chemical Company in Midland, Mich., says the bottom line is that companies can expect benefits from outsourcing security because of the expertise they’ll gain access to, but that they have to be vigilant about how the service is delivered.

“Companies should . . . consider their decision to outsource security in terms of their organization’s overall outsourcing strategy, and determine if their internal audit organization has the tools or capacity necessary to manage the outsourcing relationship,” she says. “Companies can’t take for granted the importance of monitoring activity; provisions must be made to ensure that companies get the services they are paying for.”