ZDNet UK / News and Analysis / Infrastructure / Servers

Security -- can you afford NOT to outsource it?

By Carl Weinschenk, TechRepublic, 31 March, 2003 16:30

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

Topics

Unisys, Outsourcing, Security

ANALYSIS
The arguments for outsourcing -- that it can be cheaper and provide access to superior, real-time service and specialised knowledge -- are especially inviting as demands from regulators, corporate management, and boards increase and specialists become scarcer, says Sunil Misra, the managing principal of the worldwide enterprise security practice for global network services at Unisys Corp. But can the outsourcers themselves be trusted? After all, it seems that the very idea -- giving control of an abstruse but absolutely mission-critical procedure to an outside group -- can be a recipe for trouble. Even after it's proven that the firm is honest, how can you ensure that it's providing optimum services to the client? Enterprises need not worry, provided they approach things in a sensible manner and do their homework. Here's what you need to know about outsourcing security safely. Do some checking The IT executive should so some footwork himself, says Kelly Kavanagh, a senior analyst with Gartner's information security strategy practice. "Go on site to make sure it's not a couple of guys with beepers in an office suite. If you can, get references." Kavanagh also says that IT execs should research the company's financial statements and ways of doing business. Such elements as its funding, its balance between managed services and consulting, and how it enhances off-the-shelf products can provide important clues as to how solid the company is. "Read publications discussing firms that do this kind of work," adds Andy Weiss, an IT worker for the government. "Talk to IT guys in security you trust. Research companies with the Better Business Bureau [US organisation that fields complaints about businesses -- in the UK, check Companies House]." Once it's reasonably certain that the security provider is essentially honest, the enterprise must ensure that it's getting the service it needs. Kavanagh says that this starts with a strong service-level agreement. "Take a hard look at the SLA they are offering," he says. "If you need to tear it up, tear it up. It really needs to reflect what you want out of the relationship." For instance, he says, if the number of firewalls stipulated is inadequate, or if turnaround time on a change is too slow, speak up. The enterprise should also insist on some insight into the process. For instance, you should have access to trouble tickets. Finally, Kavanagh says, the CIO should "trust, but verify." You can do this by scanning to ensure that everything promised is up and running. The enterprise itself can do this, or the CIO can retain an outside firm. As a very simple check, the enterprise can take a chance and disable a part of its security momentarily and see if the reaction of the outside firm is as advertised. "Occasionally, unplug the IDS sensor and start a stop watch to see how long it takes for them to call you and tell you it's off line," advises Kavanagh. Of course, enterprises shouldn't do this with equipment and services that provide primary security. Securer security At least one consultant says that outsourcing is inherently safer than in-house security -- even beyond the extra skills the outside company brings to the table. "One of the statistics often stated is that 80 percent of the security breaches are internal rather than external," says Ken Hilving, a consultant with Schooley Mitchell Telecom Consultants. "Moving IS/ICT security to an outsourcer is one way of dealing with the internal threat." Indeed, many internal security breaches have their roots in human interactions gone awry. "The social aspects of internal security threats are possibly mitigated with an outsourcer by the reduced social interaction with employees," Hilving says. A TechRepublic peer, who asks to be known by his user ID LordInfidel, noted that the wisdom of outsourcing security must be decided on a case-by-case basis. "I, for one, would not trust the security of my network in the hands of someone else," he says. "But then again, my team and I have built several layers of filtering and monitoring/alerting into our network. I would not hand that over to a third party." LordInfidel feels, however, that outsourcing may be appropriate for less-technically-adept enterprises. "But for larger organisations that have staff devoted to security or that have active monitoring in place, it's not worth it -- unless, of course, it is in addition to the current scheme," he says. "But a small company that does not have an experienced Net admin would benefit from this." The idea of separating the main function of the enterprise from the support function has historical roots in security procedures. "A large number of financial businesses outsource both site security and transportation security to companies that focus on these services, such as Brinks," Hilving says. "In the military, the physical security of a site and information security are two different organisations, typically separate from the units who are getting the benefit of the security. Security alarm systems have a long history of being outsourced as well." Assessing the assessments Many professionals accept the premise that security will be a mix of outsourced and in-house expertise. What isn't as well understood is precisely how to draw the line between the two, says Trey Guerin, the chief strategist and founder of Network Security Consulting. "The organisation needs to develop capabilities in-house to determine [what should be kept in-house and what should be outsourced] on their own. They need an information source or a program that is architected in such a manner to help them derive those answers." Security elements that should be kept in-house and those that should be outsourced shift over time. The enterprise should be able to answer some key questions at any given moment, Guerin says. These questions include: What is the risk tolerance of the organisation? What are the budgetary constraints? What are the current capabilities? What are the operational capabilities? In the final analysis, a mixed bag is virtually certain. "For most organisations, the best balance between [the] level of security and the level of spending will be a mix of both in-house and outsourced security capabilities," Misra says. "Certain items, such as security policy, should always be controlled in-house, even though you might have an outside consultant help create the policy."
For a weekly round-up of the enterprise IT news, sign up for the Enterprise newsletter. Tell us what you think in the Enterprise Mailroom.

Related stories

Pros and cons of outsourcing email

Do you outsource your snooping?

Is it boom time for IT security?

Dell plugs enterprise tools into entry-level PowerEdges

Fujitsu: Cheap servers can't fit all cloud roles

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

dede0202

Hello ALL USERS OF THE PIRATE BAY I WOULD PUT AN EXPLANATION ON PIRACY Story Idea ILLIGALE AND SHARING THOSE THAT NET Dissent NOT WELL BUT TO CA...

4 hours ago by dede0202 on The Pirate Bay infringes copyright, High Court decides
Sungwoo

do You know that? it can install 4G Ram. So i buy 4g and install It work! I can run call of duty 4,6,7 [Modern war... 1,2,3] Call of duty 1 was...

4 hours ago by Sungwoo on Loose Ends - Upgrading the Aspire One 522
itsajob

2. Bad idea. Making up patch cables loses you your commission from the cable supplier. 3. If you tidy up, other people can understand where the...

10 hours ago by itsajob on Ten IT jobs to save up for those rare lulls
Roberto_Store

Now On Sale, Unlocked iPhone 4S / Galaxy Note In Factory Box. Roberto-Techie(UK) ”Now on Sales” Smartphone, Android,Tablets,Gadget &...

14 hours ago by Roberto_Store on Samsung Galaxy S III lined up for sale
Paul Smyth

Is this classic FUD? One thing I would definitely have notice is a Mozilla threat to stop supporting GNU/Linux.

16 hours ago by Paul Smyth via Facebook on Firefox rapid release improves Fedora Linux
UnderINK

I agree with the previous commenter wholeheartedly. I couldn't say it better myself. This is very 'Big Brother'. And while I agree with protecting...

20 hours ago by UnderINK on European e-identity plan to be unveiled this month
Simon Bisson and Mary Branscombe

Nice to see that Turing's idea of a general purpose computer doing once-hardware-powered tasks in software is now universal ;-) Mary

1 day ago by Simon Bisson and Mary Branscombe on Software with everything
Jason Burchell

seriously now. I've only bothered to read a small bit of the comments. do me and the rest of the world a favour. stop saying it does not work or...

1 day ago by Jason Burchell via Facebook on Music industry negotiating over 24-bit downloads
Philip Charles Cohen

Read about it and weep, John Donahoe ... In addition to Visa’s V.me, there is now MasterCard’s PayPass digital wallet soon to arrive; another...

1 day ago by Philip Charles Cohen via Facebook on PayPal takes phone-based payments to the high street
apexwm

Leslie Satenstein : Where have you ever seen Mozilla even mention this? Firefox is the most popular browser in the GNU/Linux OS, so I don't see...

1 day ago by apexwm on Firefox rapid release improves Fedora Linux
songmaster

SHleG: Do you remember building a clockwork scorpion kit (I'm pretty sure I have a photo of it somewhere) — I think it was called something like...

1 day ago by songmaster on Software with everything
Chris Wortman

Good I love Yahoo! Their search engine is getting better than Google as of late. I find more of what I want on the first page, and usually within...

2 days ago by Chris Wortman via Facebook on Linux Mint 13 ramps up for KDE release
PatrickG

openhgs has made the point for Windows 8 multiple monitors without realising it! With Windows 7 you have to switch the mouse and so your focus...

2 days ago by PatrickG on Windows 8 could speed multi-monitor uptake
Leslie Satenstein

Mozilla has threatened to stop supporting Linux. I guess that UBUNTU is going with another browser. I indicated that if Mozilla stops supporting...

2 days ago by Leslie Satenstein via Facebook on Firefox rapid release improves Fedora Linux
Andy Bolstridge

Much as I abhor Microsoft's licensing practices, this is almost certainly down to purchasing IT equipment via 3rd party consultants - you get the...

2 days ago by Andy Bolstridge via Facebook on 6 million wasted licences and £1,200 PCs: welcome to government IT
Jack Schofield

@openhgs Windows users have had multiple desktops since Linus started writing Linux. They just haven't shipped as standard because not enough...

2 days ago by Jack Schofield on Windows 8 could speed multi-monitor uptake
Jack Schofield

@Phil at Cloud4 What, Microsoft gets £1,200 per PC and £1,622 per server? Gosh, I'm amazed....

2 days ago by Jack Schofield on 6 million wasted licences and £1,200 PCs: welcome to government IT
craigsc

You guys have no idea what is going on at Autonomy. Autonomy could have been a much more profitable organization. The sales operations at Autonomy...

2 days ago by craigsc on HP cuts 27,000 staff as Autonomy chief Lynch leaves
Moley

How does this impact on dual or multi booting? Seems to me to more or less prohibit this, from Windows 8 anyway. Will Grub 2 recognise Windows 8,...

2 days ago by Moley on Windows 8 start-up speed forces USB boot workaround
apexwm

I don't understand why there cannot be a slight pause during the boot process so the user can press a key. Many operating systems do this, even if...

2 days ago by apexwm on Windows 8 start-up speed forces USB boot workaround

Latest in Servers

Dell plugs enterprise tools into entry-level PowerEdges

Fujitsu: Cheap servers can't fit all cloud roles

Featured white papers

Product analysis: Hitachi Unified Storage 100 series

Hitachi

Product analysis: Hitachi Unified Storage 100 series

This report from Josh Krischer and Associates looks at storage requirements and challenges in a weakened economy, with a focus on Hitachi's mid-range storage platform HUS 100... Read more

Report: Mixed workload performance in VMware environments

IBM

Report: Mixed workload performance in VMware environments

This ESG Lab report indicates that IT managers looking to reap the benefits of server and storage consolidation are concerned about... Read more

Great British computers: A ZDNet UK retrospective

ZDNet UK

Great British computers: A ZDNet UK retrospective

Would you believe the first ever business computer totted up the price of cakes, bread and pies? You would if you knew it was operated by a British tea-shop company. Take a trip down computing memory lane with this guide to great British... Read more

Inside ZDNet UK

Indoor navigation coming to a mobile near you soon

Indoor navigation coming to a mobile near you soon

Software with everything

Software with everything

Asus Transformer Pad TF300T

Asus Transformer Pad TF300T

How IT is ganging up on organised cybercrime

How IT is ganging up on organised cybercrime

HTC One V: First take

HTC One V: First take

SharePoint deployment: The final chapter

SharePoint deployment: The final chapter

Ten IT jobs to save up for those rare lulls

Ten IT jobs to save up for those rare lulls