When To Outsource Security -- And When Not To

New Dark Reading report offers insights on the advantages and pitfalls of bringing in a third party to help with security
[Excerpted from "Finding the Right Security Outsourcing Balance," a new report published this week on Dark Reading's Security Services Tech Center.]

Enterprise networks have become so complex that few IT departments truly have the resources and expertise to manage them entirely on their own, particularly when it comes to keeping them secure. Outsourcing certain aspects of physical security -- such as lobby guards -- is commonplace, but enterprises have only relatively recently begun turning to third-party managed security services (MSS) to block spam and filter Web and email content.

Now, though, there is a trend toward outsourcing a growing number and variety of security services, including log management and patch and configuration management. Indeed, as enterprise security professionals are tasked with keeping an ever-increasing amount of data secure on a growing number and variety of devices -- often used outside the safety of the internal network -- more and more businesses are deciding to outsource security functions and processes to third parties. According to Gartner, growth in the European MSS market reached $2.1 billion in sales in 2010, with a predicted compound annual growth rate of 14% from 2010 to 2014.

The arguments for outsourcing are well-known: The model allows an organization to concentrate on its core competencies and manage its business instead of having to manage an IT infrastructure. IT security processes lend themselves well to outsourcing because they scale well, making them cheaper for a specialist company to deliver. Outsourcing also reduces capital and operating expenses by eliminating the need to hire and train specialized staff and purchase dedicated equipment.

When deciding which security functions to outsource, the broad answer is any service where a third party can provide better security at a lower price than you can deliver with your own team, while still allowing you to meet your regulatory and business obligations. The kinds of services that often meet these standards include vulnerability scanning, penetration testing, network monitoring, distributed denial-of-service protection, threat intelligence alert services, forensics, product installation, product configuration, and patch management.

Processes that require a lot of hands-on decision-making -- such as firewall management, where nearly every decision requires a custom response -- may be better kept in-house. Although the arguments for outsourcing are strong, outsourcing the wrong service or selecting the wrong provider can be a costly mistake.

To find out more about the advantages and pitfalls of security outsourcing -- and for a list of questions to help you choose the right service provider -- download a free copy of the report on security outsourcing.
