Phenix Energy Group, an oil pipeline operator and construction company, is preparing to take its IT infrastructure from zero to 60 in a matter of months. To get a years-in-the-making pipeline project off the ground, the company is preparing to grow from a relatively small office environment to a data center setting of 75 servers and 250TB of storage. As a result, security, which hasn’t been a top priority, is suddenly a big deal, according to CIO and COO Bruce Perrin.
Given the high stakes — a downed system could cost about $1 million an hour — Perrin has spent the past five years researching options. While he’d prefer to run security in-house as part of an on-premises data center, Perrin is leaning toward outsourcing the function, at least initially, because he doesn’t have time to staff up a dedicated information security department in the few scant months before the pipeline goes online.
“This project is huge. No one person is capable of managing this kind of IT deployment in 90 days,” says Perrin, who’s evaluating IT security value-added resellers and managed security service providers (MSSP). “I don’t have an alternative to outsourcing — I need to bring someone in who can provide the security level we need and help us with the deployment, with the ultimate goal of moving everything to on-premises.”
Why outsourcing security makes sense
Just like Phenix Energy Group, many small and midsize companies are gravitating toward an outsourced model for security and day-to-day operations, given the increasing number of data breaches and the heightened focus on risk. In a recent survey of 287 U.S.-based IT and business professionals conducted by CIO, CSO and Computerworld, 56 percent of the respondents said that their organizations are enlisting outside consultants to help with information security strategy, and 40 percent said they’re turning to MSSPs.
According to the survey, the top functions being outsourced are penetration testing/threat assessments (cited by 70 percent of the 190 respondents who said they’re turning to consultants and MSSPs), spam filtering (46 percent), threat intelligence (40 percent), log monitoring (34 percent), anti-DDoS/web application firewall protections (27 percent), business continuity and disaster recovery (26 percent) and awareness training (22 percent).
Outsourcing security functions appeals to small and midsize shops in particular because their resources are often already stretched thin and most lack the bandwidth to adequately perform security functions, experts say. Smaller organizations are also less likely to have people with specialized security skills who can focus on staying on top of a continually shifting landscape.
Other developments that push companies toward outsourcing security include the increase in the number of malicious hackers and the proliferation of products designed for enterprise security, according to Garret Bekker, a senior security analyst at 451 Research. Both trends make security difficult to manage for smaller organizations, he says.
“The inevitable conclusion is companies increasingly have to rely on security handled by an MSSP because they can’t keep up — they just don’t have the bandwidth,” says Bekker, who maintains that time saved is the primary benefit of outsourcing, far higher than cost savings on the list of advantages.
Outsourcing: Not an either-or proposition
Brendan O’Malley, a serial CIO at midsize organizations and now a consultant, says the outsourced or managed services model works because there is often no one other than the CIO dedicated to security, which opens a company up to risk. “Security ends up being sliced up and doled out to 10 percent of several people’s jobs, but because no one beyond the CIO is responsible, it’s very tough to make progress or to stay on top of it the way you have to,” he explains. “You absolutely need to have some kind of outside support.”
For Blackhawk Community Credit Union, getting a helping hand from outside providers, including an MSSP, not only helps offload some security work, it also means the organization has 24/7, 365-days-a-year coverage from a highly trained set of eyes. Richard Borden, Blackhawk’s vice president of IT, says his eight-person staff wouldn’t be able to provide that kind of service, because they have to handle all types of IT issues, security included, for more than 150 users.
Instead of offloading everything to an MSSP, however, the credit union takes a three-pronged approach, doing security strategy and policy planning on its own, enlisting consultants to perform specialized functions, such as periodic firewall reviews, and leaning on its MSSP — in this case, Dell SecureWorks — for meat-and-potatoes functions like managing the firewall and the intrusion-protection system, Borden says.
“They can see global trends across all the clients and feeds they get, which gives me added confidence, so I don’t stay up at night worrying about the network,” he says. “If these folks see something spikey, they will get in touch with me.”
The alert process is where outsourcing can get tricky for smaller shops, and the potential complications could undermine the value of using an MSSP. While outsourcing log monitoring and firewall management to a third party will provide a window into possible problems, outsourcers may have difficulty discerning between real security problems and noise because they lack insight into the inner workings of an organization and its typical user behaviors, says Jeff Pollard, an analyst at Forrester Research.
Outsourcers need help
In order to squeeze the most value from outsourced security services, Pollard says it’s incumbent upon companies to put processes and communications channels in place so they can provide input to MSSPs to give them the right context for evaluating alerts. Moreover, companies that work with service providers should also be prepared to explore and troubleshoot more events, because MSSPs usually do a better job than internal staffers when it comes to detecting suspicious activity, he explains.
“MSSPs have lots of visibility across clients and can make that relevant for each, but what they don’t understand are the unique things in your organization — the micro versus macro issues, or which business units are most sensitive,” Pollard says. “Companies need someone internally to serve as the liaison.”
But being a liaison can be time-consuming. Ask Wes Farris, the information security officer and MSSP liaison at the Harris Center for Mental Health and IDD. He has so much else on his plate that he can only spend a limited amount of time working with the MSSP to fine-tune log monitoring and alerts to reflect the working habits of his users and the business. “To get more value out of this service, we should be proactively tuning it, and I don’t have time. It’s a full-time job,” he says, adding that the center can’t afford to hire an additional full-time employee to focus on the liaison’s role.
As with any vendor relationship, Farris and others say it’s important to manage your MSSP and hold it accountable. Farris recommends choosing a partner with expertise in your specific industry. Doing the due diligence to select the right service provider is critical, given the importance of IT security — and because it’s difficult to cut ties and move to another provider if things don’t work out, he says.
“Once you execute a managed services contract where you are monitoring hundreds or thousands of devices, it’s not easy to rip and replace,” Farris says. “You have to make sure this is a company you want to use, that the tool sets are expansive and that the people working there are those you can trust.”