Outsourcing security: Worry about cost or focus?
- 30 April, 2007 23:38
Security work is a lot of fun. There's always some new threat or technology just over the horizon, challenging our assumptions and existing controls. Things are changing so fast that it is almost impossible for a single person to have a broad view of security in all areas of IT. Even large companies rely on a handful of security specialists to create policies and design security controls across all applications and networks. If your security staff is spread too thin, however, they end up spending most of their time reacting to security problems rather than planning and securing emerging technologies and applications. That's one reason why managed security services are gaining acceptance.
Outsourced security services have become more popular in the last few years. Companies use managed services to reduce the workload of their existing security staff and to cut costs for commoditised services. Companies will outsource a variety of security-related tasks: monitoring of intrusion detection and firewall devices; configuration of Access Control Lists; e-mail security; VPN management; and so on.
The motivation for outsourcing varies substantially among companies. Some organizations face a shortage of security skills and use outsourcing to fill gaps in their staffing. For others it is purely a matter of cost -- managed security services are considered more affordable than an in-house security team. A third motivation is the most interesting: some companies want to complement their internal security teams with external support for some of the more day-to-day tasks. The goal is to release the internal security team from these tasks so it can shift focus to higher-risk threats that are specific to the industry or company.
If your security personnel are less burdened by day-to-day tasks, they can shift from being reactive to being proactive. They can spend more time analysing and protecting against emerging threats that are too specific to the company to outsource to a third party. These threats include attacks from insiders and the risks that come with emerging applications and technologies such as instant messaging, VoIP and XML. In addition, the internal security team can focus on developing training and awareness programs, policies and procedures that are specific to the needs and risk profile of the company.
Too often we focus on the total cost of ownership of managed security services vs. the cost of doing things in-house. But a very important and overlooked benefit of outsourcing the more commoditised security tasks is that it frees up your internal security team to focus on the risks that are specific to your company or industry. It also allows your security staff to stop reacting to threats and instead plan ahead for emerging applications.