Analytics
4/23/2010
02:08 PM
50%
50%

Tech Insight: When To Pull The Outsourcing Trigger

Outsourcing security functions can work -- if the conditions are right

The economic crunch has left enterprises tightening their belts -- and one of the first areas to be cut is often security. Management might see security as important when they think about the impact of data breaches, but the immediate benefits of spending and staffing aren't always apparent when it comes to calculating the bottom line.

When is outsourcing security functions both safe and cost effective? To answer this question, CIOs must weigh the benefits of continued training and specialization for in-house personnel against the cost of using a managed security services provider (MSSP) for such functions as monitoring firewall and intrusion detection logs.

When should you outsource your security functions? As any consultant will tell you, it depends. Contributing factors include budget, manpower, and expertise. And then there's the willingness to give up security responsibilities to an outsider -- not something that can be decided by spreadsheets and dollar amounts.

Before deciding to outsource, make a detailed analysis of security to determine what is already being done well in-house -- and the areas that need better support. Assess the deficit areas to identify the underlying reasons for their shortcomings. Is there a shortage of budget to provide the needed technology? Is the security team short-staffed or nonexistent? Or does current staff lack the expertise required?

Companies that don't have the money to pay for high-priced firewall, IDS/IPS, and content filtering solutions can opt for a hosted service. The MSSP provides the hardware and management, while the company pays a monthly or annual fee. Hosted services like these can solve one or more of the problems stemming from lack of budget, manpower, and expertise.

There are many hosted services to choose from, including firewall, VPN, IDS/IPS, Web, and email filtering services. With the increasing buzz and adoption of cloud computing technologies, we've seen a shift from predominantly ISP-based hosted security services to those that occur in the "cloud." It's a market that includes practically every security company, from Websense and Trend Micro to Kaspersky and Google (Postini).

Sometimes all you need is better management of existing security solutions. You know how strong personalities and underlying political currents can often impact purchasing decisions, right? If you don't have the staff to manage that new whizz-bang, fully application-aware firewall, then it's either time to hire a staff member who can -- or pay an MSSP to manage it for you.

A lack of manpower and expertise doesn't just impact security management. Someone must handle the analysis of security events from firewalls, servers, workstations, IDS/IPS, and antivirus tools. MSSPs -- SecureWorks, Symantec Managed Security Services, and Verizon Business Cybertrust, to name a few -- provide monitoring services of those logs to identify malicious activity and alert customers before it's too late. Think of it as an analyst in a box -- but outside of your box.

Many enterprises rely on vulnerability scanning and penetration-testing services. Assessment services are often necessary because organizations do not have the staff with the expertise to perform these functions. Similarly, the cost of the tools and the manpower can be used to fund and staff other critical IT needs.

Sometimes you might not have a choice about outsourcing. For example, the PCI Data Security Standards (DSS) require that quarterly vulnerability scanning and annual penetration testing be conducted. A Qualified Security Assessor (QSA) is required for the vulnerability scanning, but experienced, in-house personnel can be used for the penetration testing.

Of course, many organizations don't have the manpower and expertise to perform in-house penetration testing. For those that do, taking penetrating testing in-house can be an option -- but enterprises must weigh the risks and benefits. (Read Keith Ferrell's take on the topic: "Taking Penetration Testing In-House.")

Choosing to outsource security services can be a hard decision. By surveying your organization's security needs and comparing them to existing resources -- including budget, manpower, and expertise -- you can clearly identify the areas in need. Then it's a matter of mapping those needful areas to available services -- determining if the price is right, or if it would be more economical to add or train staff to gain those additional skills.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Threat Intel Today
Threat Intel Today
The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5314
Published: 2014-11-23
Buffer overflow in Cybozu Office 9 and 10 before 10.1.0, Mailwise 4 and 5 before 5.1.4, and Dezie 8 before 8.1.1 allows remote authenticated users to execute arbitrary code via e-mail messages.

CVE-2014-5325
Published: 2014-11-23
The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity refe...

CVE-2014-5326
Published: 2014-11-23
Cross-site scripting (XSS) vulnerability in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-6477
Published: 2014-11-23
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4...

CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?