"Business technology news for Europe's senior executives...."
25 May 2011

Taking the pain out of IT security


Mention outsourcing to a group of CIOs or IT managers and you risk opening yourself up to more opinions and allegiances than you’d find in a Glasgow pub during an Old Firm derby. For some IT managers, outsourcing of non-essential tasks to a third party supplier makes simple business sense; for others, the idea of handing over responsibility for any element of their department is a mark of failure.

For nearly a decade, those in favour of outsourcing have appeared to have the upper hand. Most large enterprises have outsourced part of their IT infrastructure to a third party supplier. Several recent, high profile cancellations of IT outsourcing agreements have prompted some quarters to herald the end of the industry, but the prospects for managed services still seem positive. Outsourcing has grown consistently over the past four years and the latest figures from the DTI indicate that 60 percent of large enterprises outsourced IT services to third party suppliers in 2006.

Yankee Group has stated that enterprises will outsource 90 percent of their security management by 2010. Even now, many companies claim to be unable to keep up with the latest threats and countermeasures without the support of a third party. But should firms be outsourcing IT security, given the important role it plays in protecting companies from downtime and theft of intellectual property?

IT as a cost centre

As large enterprises press on with cutting costs and increasing efficiencies throughout the business, IT departments are increasingly finding themselves under enormous pressure to show their worth, rather than their cost.

A recent survey of CIOs and IT executives, conducted by CapGemini, revealed that an average of 60 percent of the total IT budget is currently spent on operations, maintenance and support, with just five percent devoted to strategy and planning. Consequently, though security remains a high priority for enterprises, the cost and complexity of managing the multiple facets of security is becoming an increasingly persuasive argument for outsourcing.

Take monitoring, for example. Hackers and virus writers don’t tend to keep normal business hours, so staff must monitor the network 24/7. From a strategic point of view, employing a dedicated team of highly trained professionals to conduct routine tasks can seem about as sensible as having a fire engine in the basement, just in case there’s a fire.

Given that activities such as firewall monitoring and administering an intrusion detection system (IDS) require a high level of support, it is not unusual for a company to want to outsource such activities: they are not core functions of most organisations.

Internal complexities

Of course there’s nothing to stop enterprises implementing and managing detection and response services themselves to keep IT security as an internal function. In today’s business world, however, even safeguarding the integrity of the LAN can be a complex and expensive task.

According to some reports, as many as 80 percent of security breaches come as a direct result of actions by an insider. More than ever, employees are storing and accessing information through mobile devices, including PDAs, laptops, USB keys and even iPods, all of which need to be controlled and monitored carefully. Enterprises also need to monitor employee activity on the network, assigning and restricting access rights to resources according to the role and requirements of individual employees.

As internal threats to the network continue to evolve, businesses will require additional technologies to monitor employee activity. Network access control (NAC), for example, is hotly tipped to become the number one item on most IT managers’ shopping lists in 2007. However, for most IT managers who manage their security internally, NAC is another burden on already stretched resources.

Integration, a rich man’s game

The financial services industry leads all others in terms of integrating and updating information security on the LAN but, in this sector, security typically gets a larger slice of the IT budget and tends to increase at a faster rate than in other sectors. Given the nature of the business and the ingrained security paranoia that permeates the financial sector, it is understandable that this is the case.

For most other sectors however, the reality is very different. Research from Quocirca indicates that 60 percent of enterprises still employ the ‘Hans Brinker’ approach to security – plugging gaps in security with individual products each time a new vulnerability appears. Consequently, IT departments are finding that they have to aggregate information manually using products bought from an assortment of vendors.

Outsourcing IT security to a specialist service provider can solve the problem of aggregating security events in one fell swoop. The sheer scale and level of investment made by managed services providers enables them to offer the necessary technology and expertise to cope with the ongoing threats of hackers and viruses, as well as to comply with data protection laws and regulatory issues.

The wild wild web

In spite of the potential benefits, handing over responsibility to a third party remains counter-intuitive to IT managers in certain enterprises, particularly when it comes to protecting the LAN. Given enough budget and resource, it is possible to implement and maintain a security infrastructure that will keep the LAN safe from most attacks.

But what about security outside the corporate network? Today, electronic communication through the internet is quite simply the norm in all areas of business. The lure of new markets, customers, revenue sources and business models means that companies are eager to participate and interact with their customers and suppliers through this medium.

Whilst the internet has undoubtedly revolutionised the way businesses operate, it’s fair to say it has brought with it a number of security challenges. Businesses are able to cope with most threats on the LAN, but most find it virtually impossible to mitigate threats that originate beyond the perimeter. When it comes to providing security for the WAN, even financial services companies are beginning to see the value of outsourcing.

Responsible management

As organisations seek to understand the value they are getting from security spending, outsourcing security can provide a predictable model. Outsourcing security to a specialist service provider has the power to cut costs, reduce complexity and free up IT resource to concentrate on adding value at a more strategic level.

Different enterprises require different levels of support depending on their business needs. Consequently, while some enterprises trust almost all of their IT security to a third party supplier, others prefer to outsource specific functions, whilst keeping significant elements of their overall IT security in-house. This hybrid approach will become increasingly sought after in the coming years, as the complexity of IT security becomes too much to handle internally.

At its best, outsourcing IT security can help deliver the holistic level of security that all businesses should strive for. IT managers must however remember that the decision to outsource security must be founded in a desire to relieve a burden on overstretched resources and add an additional level of specialist expertise, without undermining the overall value full-time internal IT staff can bring to the business. The old adage that businesses should never outsource a problem is as relevant for IT security as for any outsourcing deal. IT managers should search out a partnership that enables them to move from a reactive to a proactive role, delivering tangible business benefits and achieving board-level recognition.

Meeting the challenge

A security service that is proactive in monitoring and anticipating the potential threats in this continuously changing environment has a wide appeal to IT managers struggling to keep up with the fast pace at which new threats develop. Cable & Wireless, for example, provides a service which begins in the external network before content even arrives at the customer’s network. Again the economies of scale and resource come into play, as a team of experts scan and analyse threats on the internet, cleaning traffic of spam, viruses, malicious attacks and any other threats, before they can hit the corporate network.

