In-Depth

Best Practices: Five Tips for Managed Security Outsourcing

Yankee Group’s recommendations for getting the most from managed security outsourcing

• By Mathew Schwartz
• 10/15/2003

On the one hand, for any area not a “core competency” inside a business, outsourcing often spells cost savings. But can companies afford to give away the keys to their security operation?

Given the difficulty companies have maintaining network security, training personnel, and staying ahead of the vicious patch-or-perish cycle, many companies have outsourced at least some aspects of their security shop, though some industries (such as financial services) are in general notable exceptions.

It's no surprise, then, that managed security service has grown from $900 million in 2001 to $1.5 billion in 2002. The Yankee Group predicts sales will hit $2.6 billion by 2005.

Yet as with any relationship, there are dos and don’ts. To help get the most from managed security outsourcers, Yankee analyst Phebe Waterfield recommends five managed security best practices:

Don’t mix regular IT and security outsourcing with one company

“The Yankee Group recommends a separate vendor for security services to avoid conflicts of interest between security and customer service,” notes Waterfield, for the simple reason that companies need insurance—policies are one thing, but are they put into practice and enforced? Yankee notes that AT&T, EDS, and IBM offer security, as well as other services. Leaders of the security provider market include AMS, Equant, Guardent, Internet Security Systems (ISS), NetSec, Redsiren, Solutionary, Symantec, TruSecure, and Verisign.

Let your security policy lead the start of any new outsourcing engagement

Divide roles and responsibilities between in-house and outsourced staff, then peg a service level agreement for it all. “This groundwork forms the foundation of your managed services contract and ensures that both parties have clear expectations,” says Waterfield. Also don’t skimp on staff; they’ll be especially important during the transition to outsourcing. She says an inability to determine security staff ROI has driven dangerously low staffing levels at many organizations. Yet staff are mandatory to ensure managed service providers compliance with the contract.

Ensure that outsourcers enforce policies

Periodically re-verify that security providers are doing an adequate job. Outsourcing reduces security risks, yet “you, not the provider, are responsible for the consequences of a security breach, outage, information theft, or fraud,” she says. So reassess regularly.

Beware managed security service pitfalls

“Pay close attention to charges for services not covered in your contract and consider itemizing these in your IT budget,” says Waterfield. “Regularity and frequency of out of service charges are an indication that you need to renegotiate your contract.” Also keep an eye on project prioritization, and manage internal corporate culture during a transition to outsourcing. Some departments will want to go it alone, as it takes time to transition and new requests typically get delayed. However, solo operators directly impact managed security outsourcing ROI; thwart them.

Play to managed security services strengths

“Organizations unable to retain skilled security staff can focus on their core business by outsourcing core security services such as perimeter security assurance (including firewall, IDS, penetration testing, and secure Web or e-commerce services), virus scanning, and content inspection,” she says. In a word, these services are mature; ROI is well known. On the other hand, beware anything that has a difficult-to-demonstrate ROI. That includes most less-mature technologies, such as “secure remote access—IP VPNs, remote end-point or host security, secure messaging, managed authentication, and vulnerability management.” Other initiatives, including security event management and identity management, are also difficult to outsource, since they’re so tied to the vagaries of each individual company. Yankee says outsourcers haven’t truly yet tackled identity management.