Novice equestrians can be a danger to their horses as well as to themselves. Like dude ranch visitors, IT leaders are experiencing an emotional tug-of-war between the natural desire to hold the reins tightly and the need for a more experienced rider's advice. It's no surprise that most IT managers want to retain control of computer security measures, whether or not they're equipped to do so.
The respondents to the 2002 InfoWorld IT Security Survey said they are growing more comfortable with outsourcing IT security: 37 per cent reported that part of their security puzzle is being outsourced, and 42 per cent of them are satisfied with their services. By next summer, 43 per cent will be outsourcing some aspects of their security.
But read the other way, these numbers reveal that more than half of respondents aren't giving up control without a fight. And what is being contracted out is fairly limited in scope: VPN services (contracted by 55 per cent), security consulting, and security education and training (outsourced by 37 per cent each) are the leading categories. Security implementation is being farmed out by 18 per cent of respondents, and 16 per cent are outsourcing security management. Worse, the companies that most need the benefits provided by outsourced security services -- the small or midsize enterprises with 100 to 1,000 employees -- are less than half as likely to be using these services as are larger companies.
The do-it-yourself approach is fine for weekend around-the-house projects, but for most IT departments in the small or midsize enterprise world, it's not a realistic approach to security. The math is simple: To provide around-the-clock coverage every day, allowing for illness, training, and vacation, would take a minimum of eight skilled people. Although the desire to control all aspects of a company's IT presence is a natural one, the unique requirements of the modern security landscape make a homegrown approach impractical for most shops.
But areas that aren't deemed mission-critical, such as training, or are already understood as being part of a larger outsourced system, such as VPN services included as part of a telecom bundle, are just the thin tip of the wedge. Managed anti-virus services are becoming increasingly prevalent as a reaction to the need to deliver frequent updates.
The line between product vendors and services vendors is blurring even more, thanks to the latest acquisitions by Symantec. The feeding frenzy is just getting started; how the resulting conglomerates, selling boxes with one hand and services with the other, will behave in a market dominated by the best-of-breed approach is anyone's guess. Right now, any security framework is likely to be many dissimilar pieces bolted together with a simple GUI.
The cautious approach to outsourcing security may be best for the short term, but that won't be true forever. If corporate liability for the misuse of resources by a hijacker becomes an accepted legal construct, then it won't matter whether the hijacked resource is an airliner or a computer, and insurance policies will reflect that. This brings us back to the main reason most companies outsource: to save money. Of course, the trick to making any outsourcing venture a success is keeping control of the reins -- you're handing over authority, not responsibility.
Ultimately, the largest IT shops will farm out significant chunks of grunt work to concentrate resources on high-return expertise. It's the smaller enterprises that will have difficulty keeping up with the demands posed by a new age of IT insecurity, and they are the most vulnerable to external attack. A 9-to-5 approach to security is totally inadequate, given the around-the-clock, around-the-world nature of today's threats, but most companies are likely to settle for an incomplete solution as the best that they can afford.
The increasing trend to outsource IT security operations is driven mostly by the eternal desire to reduce expenses, but also by the need for top-notch security, which CTOs are realising is part of the cost of doing business. These days, exposure is directly related to a company's Internet presence -- the more widely it uses Web technology, including Web services, the more likely it is to be a victim of attackers. As the threat increases, so does the justification for outsourcing.