Managed Security Services - Part I: The Benefits of Outsourcing Security
"The outsourcing of information security makes sense to organizations that have a highly developed concept of risk," says Prosenjeet Banerjee, VP and head of information security at HCL Technologies, an IT outsourcing firm based in India. More than half of its clients are financial institutions.
Financial institutions are being driven to ink managed security deals as they seek to restore their reputations for integrity, which have been sullied by disclosures of theft or loss of sensitive customer information, including credit card and Social Security numbers. In the most widely publicized case, some 40 million credit card accounts were exposed to theft last year due to a security breach at CardSystems Solutions, a processor of card payments.
If that weren't enough, there's the burden of laws and regulations that have financial institutions struggling to avoid being choked by red tape. The USA Patriot Act, under its know your customer rules, requires institutions to authenticate the identities of new customers and ensure that personal information is secure. The Sarbanes-Oxley law requires institutions to implement access controls to data and computer programs that contain sensitive information. And Basel II, the new regulatory capital regime that takes effect next year, requires that institutions monitor operational risks, including computer breaches.
The business case for outsourcing information security is a sound one, experts say. Managed security services is one of the fastest growing market segments in the security marketplace, according to Gartner, a research and IT consulting company. Gartner reports that as of 2005, 60 percent of enterprises were outsourcing the monitoring of at least one network boundary security technology. According to IDC, a division of the research and technology company International Data Group, as of 2004 security services were a $16.5 billion industry with a 35 percent compound annual growth rate.
In a a managed security deal, the organization shares information security risk and business risk, with the managed services provider. Such deals provide access to a range of security services and to skilled staff whose full-time job is security.
According to the CERT Coordination Center of Carnegie Mellon University, such services may include network boundary protection (including managed services for firewalls, intrusion detection systems, and virtual private networks); security monitoring; incident management (including emergency response and forensic analysis); vulnerability assessment and penetration testing; anti-virus and content filtering services; information security risk assessments; data archiving and restoration; and on-site consulting.
The cost of a managed security service is typically less than hiring in-house, full-time security experts. For example, a managed security provider can set up and monitor security on a 250-user network on a single T1 (1.5 Mbps) Internet gateway for about $75,000 a year, excluding hardware. Replicating these actions within the organization produces similar hardware costs, plus at least $240,000 in annual compensation to hire three full-time specialists.
A shortage of qualified information security personnel puts tremendous pressure on IT departments to recruit, train, compensate, and retain critical staff. The cost of in-house network security specialists can be prohibitive. In an outsourcing deal, the costs to hire, train, and retain highly skilled staff becomes the service provider's responsibility.
A managed security provider can offer an independent perspective on the security posture of an organization and help maintain a system of checks and balances with in-house personnel. It can thus provide an integrated, more coherent solution, thereby eliminating redundant effort, hardware, and software.
When an organization contracts for security monitoring services, the service can report near real-time results, 24 hours a day, 7 days a week, and 365 days a year. This is a large contrast with an in-house service that may only operate during normal business hours. Service security solutions and technologies such as firewalls, intrusion detection systems (IDSs), virtual private networks (VPNs), and vulnerability assessment tools are far more effective when they are managed and monitored by skilled security professionals. For example, when an intrusion is detected, service providers can use a remote monitoring connection to determine whether the alarm is justified and block further intruder actions. A managed service can protect the clientâ€™s network from unsecured VPN endpoints For products developed by the MSSP and used in their services, the client organization receives an enhanced level of product support.