We're still loath to entrust all but the most commoditized security functions to outside providers. Spam filtering, sure. Firewalls, maybe. But forensic analysis or intrusion prevention and detection? Forget it, say the majority of respondents to our InformationWeek survey of 500-plus business technology professionals.
"Security needs today are far too dynamic to outsource," says Gary Osmondson, CIO for Fresno County, Calif. "There's little sympathy for an organization that has lost corporate strategic, customer personal identifier, or even HIPAA-related information because a contractor failed in some manner. We'd much rather be driving than riding the bus if it goes over the cliff."
But staying fully ensconced in the driver's seat is a luxury many CIOs won't be able to afford as budgets tighten and the risk landscape gets more complex thanks to everything from virtualization to an ever-expanding perimeter to new regulations to increasingly sophisticated attackers.
IT groups with limited information security resources that flat-out refuse to seek expert help are doing the business a disservice. While it's true that those with highly specialized security policies likely won't get the customization they need with a managed service security provider (MSSP), far too many organizations have yet to make infosec a core competency. Some have even decided that infosec will never be a fundamental proficiency, and they're just securing to the level required by regs like PCI and calling it a day. That's a problem because, as attackers become more sophisticated, so must the tools we wield to stop them. When you don't have the control, skills, budget, or staffing levels to protect your company's assets, the responsible course is to partner with someone who can.
Many of the 62% of respondents who say they are not using a security service provider--and don't plan to start--challenge the perception that hiring an outside specialist automatically means you're safe. "It has been my observation that when a news story breaks that involves a security breach of proprietary information, more often than not it involves a third-party service provider," says one respondent. "When are we going to realize that payment for such services is not enough to ensure true responsible behavior and accountability?"
This view is absolutely correct. Partnering doesn't mean abdicating responsibility, and we'll discuss how to work with a provider to manage the full spectrum of risk. MSSPs also are well aware of IT's resistance to outsourcing security and have devised strategies to raise the comfort level. Kerry Bailey, VP of security services for Verizon Business Solutions, says he avoids using the word "outsourcing" entirely. "We prefer to think of our service as a co-sourcing or co-managed offering," Bailey says. "Our strategy is to become a strategic partner, an extension of our customer's IT department."
Can this openness, combined with significant shakeups in the MSSP space and a growing comfort level with IT services in the cloud, persuade IT to abandon old prejudices? We hope so, because as staffing levels stagnate, we need to focus on projects that generate revenue for our organizations. That's hard to do amid visions of the CEO delivering mea culpas to Wall Street for a TJX-level data breach.
ON THE EDGE
When it comes to security, high stakes are running smack into increased complexity. Doing business today means building VPNs to suppliers, partners, and other third parties to serve out private Web portals and production applications. Staff and contractors need remote network access. The concept of the "extended enterprise" and the proliferation of software as a service are forcing organizations to put private data out in the wind like never before.
The sad reality is that your firewall is no longer a guardian of sensitive information. It's just another hop along the path of delivering your customers' credit card numbers to a malicious hacker in a faraway land.
Unprecedented risk and complexity may finally break down IT's resistance to MSSPs, and our poll shows smaller companies will be the first to embrace security in the cloud. In fact, of our 125 poll respondents from companies with fewer than 1,000 employees who are using or considering MSSPs, 41% cited a lack of staff or in-house skills as the primary reason. Tied for second, at 17%, was the desire to reallocate talent to projects with greater visibility to senior management.
Does that mean data and network security are taking a back seat in the minds of CEOs and CFOs?
This certainly appears to be the reality many infosec groups are facing. Some CFOs have always equated dedicating expensive staff, hardware, and software to network security with socking away the full replacement value of your home in case of fire. Conversely, MSSPs offer an insurance policy--a way to pay for a given level of protection without taking on additional salary, and without forking over capital up front.
Interestingly, the other item tied for second is a driver that's sure to be well received by both the business and IT, and possibly worth the MSSP price of admission alone: the benefit of having a partner monitor your environment 24/7/365. If you manage a highly available network at a company with fewer than 1,000 employees, chances are you don't have the resources for a graveyard shift to watch for attacks from the other side of the globe, or to be the one insomniac users call at 5 a.m. about network availability. MSSPs are pitching themselves as saviors for resource-strapped IT managers needing round-the-clock service. Constant monitoring can get pricey as you scale, but companies can get great bang for the buck by strategically monitoring critical systems. What's most critical is selecting the right partner.