by Tim Wilson

Enterprises take a fresh look at outsourced security services

Jun 04, 2003 · 3 mins
Enterprise Applications, Security

* VeriSign wins security-outsourcing deal from Merrill Lynch

There was a time, not so long ago, when enterprises viewed the words “security” and “outsourcing” as mutually exclusive. The conventional wisdom was that opening up the security kimono to a third party would likely heighten the risk of breach, rather than lowering it.

Recently, however, enterprises have begun to reject that old wisdom and embrace the idea of third-party security services. Last month, financial services giant Merrill Lynch announced a global, multiyear contract for managed security services from VeriSign, a company better known for its security infrastructure.

Although terms of the contract were not disclosed, industry reports indicate that VeriSign will manage some 300 of Merrill Lynch’s firewalls and intrusion detection devices. VeriSign staff will not only track and manage these devices, but will provide expertise to help Merrill Lynch build out its security infrastructure, according to the two companies.

Officials at Merrill Lynch said they chose to outsource the security management tasks because of VeriSign’s skill in identifying potential security vulnerabilities through event correlation and the monitoring of network activity patterns. Having worked with many clients on infrastructure construction and monitoring, VeriSign is in a better position to detect and repel attacks than internal Merrill Lynch staffers working alone, they said.

Merrill Lynch is far from being the only enterprise to reach that conclusion. In fact, recent figures from Gartner Group indicate that security is the fastest growing segment of the IT services market. The research firm predicts that the managed security services market alone will increase from $547.8 million in 2002 to more than $1.2 billion in 2006, a growth rate of nearly 20%.

This highly pronounced demand for managed services could open up new doors for companies such as VeriSign, which currently makes most of its revenue by providing secure infrastructure services for online business. Much as telecommunications providers used their own knowledge of infrastructure development and management to build managed networking services, vendors such as VeriSign may be able to leverage their knowledge about security to deliver outsourced security services.

Security is one of the few areas of IT administration for which there is very little shared industry knowledge. Enterprises generally are unwilling to discuss security experiences and practices with peers or analysts, for fear that their mistakes will be publicized and their organizations viewed as insecure. It’s probably easier to get an inside stock tip from an enterprise than to find out about its security breaches.

As a result of this secrecy, there is very little sharing of security vulnerability knowledge among enterprises, and even less in the way of best practices. While IT administrators gain benefits every day from industry guidelines for service level management or desktop administration, they generally have no such guidelines for security.

That’s where a third-party security service can help. A security outsourcing company works with many different enterprise clients, gaining experience with each one and developing best practices for handling problems that are common to all of them. A company like VeriSign has already experienced most of the problems an enterprise might face in building a security infrastructure, and most of the intrusion techniques used by hackers.

This sort of broad industry experience is hard for enterprises to find internally, and it can be costly to maintain. Look for enterprises to give greater consideration to security outsourcing services in the near future – and for conventional wisdom about third-party security services to shift in a new direction.