Outsourcing Security: Are You Ready?
BY Lora Shinn
Outsourcing is an attractive option for businesses that would rather not deal with a 3 a.m. DNS attack or a hacker defacing the website during non-business hours. But what are the benefits and costs?
Tired of receiving those 3 a.m. alerts on your BlackBerry? You're not alone. Interest in security outsourcing is booming, according to Kelly Kavanaugh, principal research analyst at Gartner, an IT advisory company. "We're hearing from those customers who are a little bit smaller, saying 'tell me about managed security services.'"
Kavanaugh says compliance also drives some of the curiosity. Small businesses are increasingly under the microscope of payment card industry (PCI) auditors and other examiners. Many firms are trying to comply with security requirements imposed by larger partners, but "smaller businesses don't have staff to spare for watching consoles or waiting for alerts," Kavanaugh notes.
But don't feel the need to outsource security if you've never sought outside help before. "If you don't have the experience and processes to manage vendors and resolve disputes, don't learn it by outsourcing security," Kavanaugh warns. Security can feel particularly challenging because the stakes are higher than with other sourced services.
If you are ready to take that next step, look before you leap into the contract -- measure the benefits and accept the limitations. Here's how:
When to outsource
"Anytime you need specialized skills," answers Stephen Northcutt, president of The SANS Technology Institute, a postgraduate security college. He adds that it's more cost-effective to outsource, because hiring the expertise necessary can be financially out of reach. Kavanaugh agrees, and notes that keeping security in-house requires specialized software, plus those spendy security admins.
Popular security services include penetration testing, forensics, intrusion detection, device maintenance (firewalls, VPNs, and routers), and log analysis. Many providers also serve as an e-gateway to the Web, preventing spam and viruses from taking a bite out of your bottom line.
"You can't outsource the responsibility for maintaining your security posture," warns Kavanaugh. "You're still the ultimate bearer of responsibility, to go and do something about each security incident." In other words, outsourcing IT security isn't a panacea. After being alerted to a suspicious incident or gaping hole in your software, you'll still need to find someone to fix it, or fix it yourself.
As outsiders, managed service providers lack the knowledge that you, as an owner, possess about your business. You might even face frequent phantom alarms. For example, Kavanaugh says a vendor might point out that someone's logging into the Exchange server at 4 a.m. on Mondays. But you know that's just Joe, who wakes up early every Monday morning. "You'll be taking those reports, reviewing them and closing tickets, because they're not issues," Kavanaugh says.
What to look for
Kavanaugh and Northcutt agree on checking out the credentials of operations staff. Certifications such as the Global Information Assurance Certification (GIAC) and other security-related certifications are key, along with three to five years of experience. If they'll be running your firewalls and intrusion detection system (IDS), look for product certifications. Northcutt adds that if you're hiring for forensics, some states require a private investigator's license.
Finally, "make sure the service provider has a good track record by talking to reference accounts that are like you, in terms of size and expectations," says Kavanaugh. Northcutt agrees. "You need to make sure who you outsource to is as good in their field as you are in yours."