The most frequent reason given is that it’s too risky to trust a third party with information security. Unscrupulous behavior on the part of outsourcer employees could have devastating consequences. In this view, outsourcing security is indeed an oxymoron. But is your risk really any lower with employees?
Outsourcers promise their security services will be better than those available in-house. However, CIOs will be nervous about the expertise and turnover among the outsourcer’s security management staff. But can you reduce these problems with company IT staff?
Outsourcers insist their security services will be less expensive. However, CIOs will be skeptical based on examples of unhappy cost experiences with outsourcing other IT functions. But haven’t we learned how to manage outsourcing better?
Here’s the case for outsourcing security management to a managed security service provider (MSSP) with responses to the usual challenges to outsourcing.
Risks
How does a CIO know that the risks associated with working with an MSSP are really lower than the risks associated with an in-house solution?
Implosions of MSSPs like Pilot and Salinas Network Services as well as recent acquisitions have heightened the CIO’s sense of vendor risk.
First, the risk associated with MSSP upheaval can be largely mitigated by a carefully executed vendor selection process. Can your hiring and management processes similarly lower the risks for an in-house solution?
Second, despite all the attention given to external hacker attacks, up to 80 per cent of attacks and data leaks occur inside the network. Can your in-house staff respond to internal attacks better than the MSSP staff?
Third, some of the MSSP risk is related to experienced staff reallocation to other clients and to staff turnover. Are your staff turnover risks with in-house staff any lower?
Service Quality
How does a CIO know that the benefits associated with working with an MSSP are really higher than the benefits associated with an in-house solution?
First, the variety of functions associated with security management keeps growing. Once companies did little more than reset passwords, monitor firewalls, delete e-mail spam and zap viruses and worms. Now spyware, more sophisticated hacking, intrusion detection and prevention, phishing, web scams, identity management, compliance reporting and patch management need increasing amounts of attention. Can your in-house staff rise to meet these demands?
Second, attacks against a single company don’t happen often enough to keep a team of this caliber focused, engaged and challenged. MSSP staff gain more experience than in-house staff through their encounters with many security problems among their many clients. How can you provide your in-house staff with the experience they need?
Cost
How does a CIO know that the costs associated with working with an MSSP are really lower than the costs associated with an in-house solution?
CIOs worry that the cheques they write to an MSSP may end up paying for big bonuses, fancy perks and travel for the MSSP’s executives.
However, in-house staffing for security expertise 24 hours a day, 365 days a year, requires five full-time employees plus supervisors and backup personnel. Even if your company can afford these people, could you find and retain them in today’s job market?
The workload of security monitoring is inherently erratic.
Security management requires an investment in computing infrastructure, software and telecom capacity. MSSPs can amortize some of these costs across all their clients. Can you justify these costs solely for your company?
A CIO may be tempted to keep security management in-house as a way of keeping the head count in the IT domain higher and maintaining his or her sense of self-importance. Counteracting a shrinking IT domain through insourcing could be a move that will haunt the CIO in the aftermath of the first security breach. An MSSP also adds value by being a convenient target for any blame.
Conclusions
Despite concerns about trust and memories of other outsourcing deals gone bad, CIOs will outsource more security management functions in the future. The shortcomings and costs associated with operating in-house security management preclude it as a viable alternative.