Tech Insight: When To Pull The Outsourcing Trigger

The economic crunch has left enterprises tightening their belts -- and one of the first areas to be cut is often security. Management might see security as important when they think about the impact of data breaches, but the immediate benefits of spending and staffing aren't always apparent when it comes to calculating the bottom line.

When is outsourcing security functions both safe and cost effective? To answer this question, CIOs must weigh the benefits of continued training and specialization for in-house personnel against the cost of using a managed security services provider (MSSP) for such functions as monitoring firewall and intrusion detection logs.

When should you outsource your security functions? As any consultant will tell you, it depends. Contributing factors include budget, manpower, and expertise. And then there's the willingness to give up security responsibilities to an outsider -- not something that can be decided by spreadsheets and dollar amounts.

Before deciding to outsource, make a detailed analysis of security to determine what is already being done well in-house -- and the areas that need better support. Assess the deficit areas to identify the underlying reasons for their shortcomings. Is there a shortage of budget to provide the needed technology? Is the security team short-staffed or nonexistent? Or does current staff lack the expertise required?

Companies that don't have the money to pay for high-priced firewall, IDS/IPS, and content filtering solutions can opt for a hosted service. The MSSP provides the hardware and management, while the company pays a monthly or annual fee. Hosted services like these can solve one or more of the problems stemming from lack of budget, manpower, and expertise.

There are many hosted services to choose from, including firewall, VPN, IDS/IPS, Web, and email filtering services. With the increasing buzz and adoption of cloud computing technologies, we've seen a shift from predominantly ISP-based hosted security services to those that occur in the "cloud." It's a market that includes practically every security company, from Websense and Trend Micro to Kaspersky and Google (Postini).

Sometimes all you need is better management of existing security solutions. You know how strong personalities and underlying political currents can often impact purchasing decisions, right? If you don't have the staff to manage that new whizz-bang, fully application-aware firewall, then it's either time to hire a staff member who can -- or pay an MSSP to manage it for you.

A lack of manpower and expertise doesn't just impact security management. Someone must handle the analysis of security events from firewalls, servers, workstations, IDS/IPS, and antivirus tools. MSSPs -- SecureWorks, Symantec Managed Security Services, and Verizon Business Cybertrust, to name a few -- provide monitoring services of those logs to identify malicious activity and alert customers before it's too late. Think of it as an analyst in a box -- but outside of your box.

Many enterprises rely on vulnerability scanning and penetration-testing services. Assessment services are often necessary because organizations do not have the staff with the expertise to perform these functions. Similarly, the cost of the tools and the manpower can be used to fund and staff other critical IT needs.

Sometimes you might not have a choice about outsourcing. For example, the PCI Data Security Standards (DSS) require that quarterly vulnerability scanning and annual penetration testing be conducted. A Qualified Security Assessor (QSA) is required for the vulnerability scanning, but experienced, in-house personnel can be used for the penetration testing.

Of course, many organizations don't have the manpower and expertise to perform in-house penetration testing. For those that do, taking penetrating testing in-house can be an option -- but enterprises must weigh the risks and benefits. (Read Keith Ferrell's take on the topic: "Taking Penetration Testing In-House.")

Choosing to outsource security services can be a hard decision. By surveying your organization's security needs and comparing them to existing resources -- including budget, manpower, and expertise -- you can clearly identify the areas in need. Then it's a matter of mapping those needful areas to available services -- determining if the price is right, or if it would be more economical to add or train staff to gain those additional skills.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.