• United States



by Senior Editor

In Security Outsourcers We Trust

Oct 01, 20104 mins
Application SecurityCloud SecurityData and Information Security

The push to shrink security staff means more companies are outsourcing security functions to MSSPs, according to this year's Global Information Security Survey.

IT and business leaders acknowledge they don’t have the staff or expertise to secure their data internally — at least not without help from outside experts. If you work for a managed security service provider (MSSP), that’s good news.

That’s one of the takeaways from the Eighth Annual Global Information Security Survey CSO conducted along with sister publication CIO and PriceWaterhouseCoopers. Some 12,847 business and technology executives from around the world took the survey.

Part 2 of this series: Cloud security still a struggle for many companies, survey finds

Part 1 of this series: Business partners a growing security concern

More than half (52 percent) of survey respondents said that outsourcers, also known as managed security service providers (MSSPs), are important or very important to accomplishing their security objectives. Another 19 percent said outsourcers play some role. Meanwhile, more than 30 percent cited outsourcing of some or all security functions, such as e-mail filtering and management of application firewalls, as a top priority in the next 12 months, up from 18 percent a year ago.

While these numbers don’t represent a tidal wave of change since last year, Mark Lobel, a principal in the advisory services division of PricewaterhouseCoopers, says they do signal a shifting of the winds.

The greater interest in outsourcing “is an outcome of the cut in IT services,” he says. For example, companies are no longer as willing to pay someone in-house to monitor security operations overnight when a vendor can do it for less. “The cost of doing a bad job in-house is cheaper than what vendors will charge you, but the cost of doing security really well in-house is more expensive than what vendors will charge,” Lobel says.

Companies realize it’s better to put security in the hands of those who are immersed in it, says Warren Axelrod, a former CSO and author of the book “Outsourcing Information Security.”

“If you need surgery, you would rather go to a surgeon who does five of these procedures a day instead of one a month,” he said.

More than 30 percent of survey respondents are making outsourcing a priority so they can establish security safeguards that aren’t currently in place, including functions such as e-mail filtering and penetration testing. Meanwhile, 60 percent said they already outsource the secure disposal of technology hardware and 59 percent said they’ve delegated administration of password resets. In the areas of strategy and standards, 32 percent said they have outsiders helping them establish security baselines for external partners, suppliers and other IT vendors. Twenty-four percent outsource their centralized security information-management procedures.

Josh Jewett, senior vice president and CIO for Family Dollar, says his company has hired a variety of service providers to execute and audit portions of its security program. He declined to go into detail about which items he outsources and why, but he says the company bases such decisions on the following criteria: its own assessment of internal skills and resources, the relative cost of outsourcing versus keeping the work in house, the need for segregation of duties, and risk assessments.

With the IT security headcount flat for the last two years in his organization, Larry Bonfante, CIO of the United States Tennis Association (USTA), says he relies on MSSPs to handle such tasks as Web monitoring and filtering, e-mail scanning and storage surveillance. He expects to outsource additional security functions in the coming year, though he’s not ready to outline specifics.

Ken Pfeil, CSO for a large mutual fund company in the Boston area and formerly CSO for financial companies Capital IQ and Miradiant, says successful information-security outsourcing depends on CIOs understanding the vendor’s expertise. Failing to scrutinize a vendor’s specialties is an obvious, yet common, mistake. “Companies have to carefully review the specialty areas and also take the time to investigate the track record of a company they’re thinking of going with,” he says. Not every MSSP handles every type of security need. Just because a provider has a big name doesn’t mean it’s the best fit for your company, he cautions.

Once you do hire an outsourcer, it’s important to establish service-level agreements (SLAs) that define, for example, the number of incidents per month the MSSP needs to be able to spot and a game plan for dealing with these incidents. One provision Pfeil requires in any SLA is timetables dictating when the MSSP must notify the company of suspicious activity.

“We need to be notified within 10 minutes of this type of event, 4 hours for that kind of event,” Pfeil says. You also need meaningful penalties associated with failure to meet the deadlines, he adds. “If we see you not meeting agreements, I don’t pay my bill.”