Outsourcing security tasks brings controversy

Outsourcing security tasks brings controversy
Outsourcing security tasks brings controversy 

By Ellen Messmer
Network World 

When it comes to outsourcing security functions, skepticism still rules 
the day for many users. The idea of handing over control of network 
security to an outside firm paid to maintain gear, monitor for attacks, 
perform scans, collect logs or update security software for employees 
is, to say the least, controversial.

Security managers are split on the issue, arguing it's either a boon or 
bane for the company. According to advocates, outsourcing security gives 
in-house IT staff a chance to be freed up from mundane tasks to deal 
with more strategic matters without having to take on additional staff. 
The naysayers worry that outsourcing means losing sight of security 
risks because outsiders will mechanically follow a contract without 
thinking critically enough. Whether outsourcing is cost-effective is 
part of the debate, too, but the central question of control stirs the 
greater emotion.

Those bullish on security outsourcing say it's a way to move their 
in-house security specialists, already in short supply, into more 
strategic jobs while making sure everyday tasks get done.

"We either have to bring in more internal IT people or get other people 
through outsourcing security services," says Andre Gold, lead, IT risk 
management in the North American arm of ING, the Holland-based global 
financial services firm.

Gold says tasks such as patch and vulnerability management tasks or 
antivirus support are consuming a lot of staff time that might be better 
used in strategic risk-management operations for online business goals 
with partners and customers, for instance.

"I'd rather push the ING people up the ladder," Gold says, noting that 
next month ING expects to select at least one security outsourcing 
provider it may be offshore in India or elsewhere for large, multiyear 
contracts to handle a wide variety of data and network-security 
management remotely.

"I call it security right-sourcing," Gold says, adding that ING already 
outsources some IT maintenance and application development. 
Consequently, advocating security outsourcing was not a culture shock at 
the company. Gold says he expects security outsourcing to prove 
cost-effective over adding in-house staff, but he says in this case, 
it's not the primary motivator for doing it.

But security outsourcing still tends to elicit negative views.

"My bias is against it," says Jon Gossels, president of consultancy 
SystemExperts, which advises corporations on security strategy, with a 
focus on regulatory issues.

Gossels says he could see outsourcing a few "discrete functions," such 
as log monitoring or penetration testing. "But I've never seen 
large-scale outsourcing work well," Gossels cautions. "Security is a 
business enabler, and the decisions you make every day in your IT 
infrastructure impact the business. I don't see how you can do that in 
an outsourcing way." That appears to remain the dominant view.

A survey of 479 security professionals conducted by the Computer 
Security Institute late last year asked what percentage of computer 
security functions were outsourced in their organizations. Sixty-one 
percent of the respondents who hailed from industries as diverse as 
finance, transportation, retail, education, telecom as well as 
government answered "none" (see chart).

Only 5% had outsourced more than 60% of computer security functions, 
with 2% in the 81% to 100% range. The CSI survey concluded, "While 
there's certainly a market for outsourcing some kind of security tasks 
(security testing of customer-facing Web applications being one such 
example) where the specialized nature of the work and the ability to 
segregate the task for access to key enterprise assets make outsourcing 
more appealing, it doesn't appear that the appetite for such outsourcing 
is growing overall."

CSI, which conducts an annual security survey, said the results related 
to the question of outsourcing security haven't changed in the three 
years since they started asking it.

The skeptics

Kate Mullin, IT systems security manager for the Tampa International 
Airport, is skeptical about security outsourcing. There are a few 
functions outsourced by the airport, such as the IT systems backup. And 
there's a contract in place to call in support personnel if a situation 
called for that, she notes. But even though running an airport is a 
round-the-clock activity, it's the in-house engineering staff who are on 
duty for network-security monitoring and other tasks because "the 
decisions we make are based on the systems we use," Mullin says. "If 
there's a problem we have to react."

The airport recently bought a log and security-event monitoring system 
called LogRhythm for this purpose. She says she's skeptical outside 
personnel or equipment would be able to do the same security monitoring 
and response as effectively. But she's keeping an open mind about it.

"If I do anything, I'd 'co-source,'" Mullin says. Co-sourcing might mean 
half the time the security monitoring would be in-house, half of the 
time outsourced.

At the recent Infosec World Conference in Orlando, a number of security 
managers offered their opinions about security outsourcing.

"We used to spend multiple millions of dollars per year having our 
firewalls monitored," said Anish Bhimani, vice president of IT risk 
management at JPMorgan Chase, which has been shifting away from 
outsourcing security functions. "What does that get me?"

The firm has brought firewall monitoring, vulnerability assessment and 
other functions back in-house using purchased tools, which Bhimani said 
seems to be a less expensive route than outsourcing.

Derek Schatz, lead security architect with Boeing Commercial Airplanes, 
said security outsourcing wasn't a general practice at his company where 
the desire to technically verify things directly was very dominant. "You 
have to take into account the culture," he said.

"On a whole, I'd hesitate," said Mark Grimmelikhuijsen, senior IT 
security manager at Campbell Soup Company, on security outsourcing.

"You could end up in a situation where you watch the watcher," he said, 
noting security outsourcing ushers in new uncertainties, such as if 
there's a dispute, which party is liable.

Outsourcing for efficiency reasons "makes sense," said Kevin McCaffery, 
senior manager of IT security at Avaya, but added, "You can outsource 
the functions, but you can't outsource the oversight."

Oversight goes to the heart of any outsourcing arrangement, including 
security. The underlying outsourcing contract should ensure "you're 
allowed to audit them," said Kathy Kirk, director of information 
security at Prudential Financial.

The outsourcing provider has to demonstrate the ability to meet 
regulatory compliance goals. If your own organization has to meet 
requirements such as the Payment Card Industry's data-security rules, so 
will the outsourcing provider you use, she said. She noted it's 
necessary to have some means to monitor the activities the outsourcing 
provider is undertaking on your behalf.

Still, some companies say security outsourcing isn't something they've 
thought about because their internal staff seem able to manage security 
well enough on their own.

"We outsource a lot at our company but one thing I'd say we don't need 
to outsource is security," said Greg May, chief technology officer at 
Paradigm Investment, which owns and operates more than 90 Hardee's 
restaurants in the South.

All contents copyright 1995-2008 Network World, Inc

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods