Any hesitancy CTOs once felt about outsourcing aspects of their security operations has recently begun to disappear. Thanks go in large part to the realisation that their internal IT organisations have neither the time nor the sophisticated skills necessary to effectively perform tactical tasks such as vulnerability assessments, external network monitoring, intrusion detection, and e-mail scanning.
But choosing a security partner is not an easy task, despite the large number of managed security services providers that have recently ventured into the market.
Dan Paton, information services advisor at Oakwood Healthcare, a network of hospitals and primary care facilities, was surprised to find how difficult it was to find a vendor with just the right mix of experience, capabilities, service, and price. "It was harder and took a lot longer than we thought it would," he says.
In his three-month search for a provider that could set up a VPN and then take over the task of remote access authentication and encryption, Paton optimistically began with a lengthy list of large, well-known security providers.
"We compared histories and pricing and services and in a lot of ways the vendors all looked the same," Paton says. "But when we started digging, we found that many of them provided everything under the sun and didn't necessarily do it well because they were spread so thin. We wanted someone who was focused and was willing to give us more personal attention."
Disappointed with the results of his initial search, Paton turned to IT consultancy Gartner, which had recently rated security vendors against a number of specific criteria. The list included Aventail, a VPN service provider based in Seattle that ultimately met all of his specific needs. "You've got to know your criteria and not settle for less," Paton says. "It takes some patience."
Company officials looking into choosing a managed security services provider would do well to heed such advice, says Steve Hunt, director of research at IT advisory firm Giga Information Group. Hunt notes that the ultimate decision can be based on a number of factors including price, support capabilities and policies, specialised expertise, corporate history, and references. But a successful partnership between the IT department and security outsourcer often depends on the quality of the upfront research done before the selection process begins.
In selecting outsourcers, most companies, according to Hunt, are not performing the due diligence required to determine which tactical tasks should be outsourced and how much risk the vendor should assume.
"To secure the business effectively, you've got to understand how technical measures and processes affect the business, and that requires performing a risk analysis from a business point of view," Hunt says. "Too often companies hire an outsourcer and leave it to the outsourcer to determine what the task is, how to measure it, and when it's finished. That's irresponsible."
Mark Yankowskas, IT director at Rockwood Specialties, a worldwide supplier of specialized chemicals in Princeton, N.J., performed just such an assessment before choosing Activis, a managed security services company based in Reading, England. After deciding to outsource network monitoring for both intrusion detection and e-mail scanning, Yankowskas determined that the most critical elements in a potential security partner were the ability to monitor the network around-the-clock, the ability to provide strong technical support, and the willingness to give Rockwood's internal team a sense of control.
To ensure the latter, he explains, the vendor utilised a firewall management package that allowed the Rockwood internal staff to easily set and change user access controls. "We are never stuck into what the outsourcing vendor tells us to do," Yankowskas says. "We have the flexibility to take a look at it from our perspective and tailor it to what we want, and that was a key selling point for us."
The outsourcer's expertise is clearly a major consideration, as well. Officials at Frontera, an ASP hosting e-CRM solutions for such clients as the Dallas Cowboys and Wherehouse Music, looked specifically for an external network monitoring vendor that could complement its already well-versed internal security staff -- but at the right price tag.
After balking at some vendors' quotes, the company eventually located and signed Pittsburgh-based RedSiren Technologies Inc., which offered to perform the service at a price that was considerably lower. The vendor, which has more than a dozen CISSPs (certified information systems security professionals) on staff, also provided Frontera with an initial vulnerability assessment.
Darrall Lem, vice president of managed services and information technology at Frontera, explains that any company looking to outsource tactical security tasks needs to determine the balance of tasks and responsibilities between the internal department and the external partner.
"In our case, RedSiren lets us know if and when there's a problem going on and then works with us to fix that problem," Lem explains. "So we do need to have a certain level of expertise in-house that allows us to take their advice and perform preventative action in the future."
One element that can sometimes be helpful in choosing an outsourcing partner is the use of an SLA (service-level agreement). The value of this contracting tool is that it provides a way to measure the vendor's performance and hold the provider accountable. The SLA can be a differentiator in the selection of a security partner, Giga's Hunt says.
Oakwood Healthcare's SLA with Aventail actually allows for a financial penalty if the vendor doesn't meet metrics on user enrollment and revocation and on both system uptime and availability -- a risk-reward arrangement that not all outsourcing firms are willing to offer. Security tasks don't always lend themselves to quantifiable measurements, and as a result, neither Frontera nor Rockwood Specialties has an SLA with its security outsourcer, although both have basic multiyear contracts.
Finally, companies shouldn't be afraid to test their vendors in traditional or even creative ways. Before signing Aventail, Oakwood Healthcare's Paton asked the vendor to put a temporary VPN system in place, then enroll and authenticate 30 users for about two months. Frontera's Lem actually called RedSiren's security operations center and asked personnel to guide him through a potential problem to see how well they responded.
"Deciding to outsource your security is a big deal," Lem says. "You should do whatever it takes to make sure you and your company are comfortable with the vendor you're choosing."
Security outsourcer checklist
Consider these criteria when choosing a managed security provider.
-- Solvency: Besides conducting research into a vendor's financial health, find out how many clients it currently has. In a market with more managed security service providers than needed to handle supply, this question will best gauge whether or not the vendor will survive long term, says Steve Hunt, director of research at Giga Information Group. Hunt predicts that acquisitions and business failures will ultimately tighten the market.
-- Experience: How long has the security outsourcer been in business? Has the vendor worked with clients in your industry or those with similar IT environments? What kind of threats has the company handled before and how? Ask for references from both current and former clients.
-- Expertise: Does the security outsourcer specialize in managed security services and, more specifically, in the task your company is looking to outsource? How many certified professional security staff does the vendor have on board? Is its technology state-of-the-art? Is its operation scalable enough to handle your growth? What is its process for responding to a security event?
-- Policies: Does the vendor staff its operations center around-the-clock? Is it flexible in how it will report any incidents or activity? What types of metrics are offered in an SLA (service-level agreement), and is the security outsourcer willing to take on some financial risk? What contract lengths are available?
-- Location: How close are its operations geographically? Hunt says that close proximity is a key factor in the ultimate success of an outsourcing arrangement, as face-to-face interaction, personal attention, and trust tend to be greater between the two partners.