Outsourcing Security Doesn't Mean You're Desperate

WHO TO CALL?

Perimeter and Symantec are among the dozens of companies that offer services for keeping out malicious e-mail, blocking network-borne viruses, and automatically patching software as vulnerabili- ties are fixed. In recent years, a number of smaller service providers have been absorbed by larger service providers looking to add security offerings. Symantec spent $145 million in 2002 on Riptech, a provider of outsourced network-monitoring services run by Amit Yoran, who went on to become director of the National Cyber Security Division of the Department of Homeland Security.

VeriSign bought Guardent in 2003 for $140 million, and BT Group earlier this year acquired Counterpane Internet Security, founded by IT security luminary Bruce Schneier. Other security vendors have merged, including SecureWorks with Lurqh in September (keeping the name SecureWorks), and TruSecure with Betrusted in 2004 to form Cybertrust.

SecureWorks' customer Digital Federal Credit Union isn't likely to outsource the maintenance and management of its core IT infrastructure for loans and deposits anytime soon, but the not-for-profit financial cooperative formed in 1979 as part of Digital Equipment Corp. knows its limitations when it comes to security. "We're a financial services company, we're not security experts," says VP of IS Kris VanBeek. Digital Federal serves more than 300,000 members at 1,000 companies.

Digital Federal has SecureWorks perform security assessments on the products and services it develops for the Web. "SecureWorks is able to keep up with the latest; we don't have anyone on staff who can do that," says David DeWitt, the credit union's IS risk manager.

"We're looking at SecureWorks in place of hiring a whole department to do this full time," says VanBeek, who estimates it costs about half as much to outsource as it would to hire a security staff and buy the necessary technology.

Before opting to outsource any aspect of its security, a company needs to be able to clearly define all interfaces into its data and how the service provider will access that data. Security services, like any other, must be managed, and that typically costs about 10% of the services contract when you factor in the time and effort of your IT staff to do it, says Paul Simmonds, global information security director of Imperial Chemical Industries Group, which develops and sells paints, foods, fragrances, and personal care products.

ICI Group has relied on Qualys for the past four years to scan every IP address ICI owns or has data on for signs of trouble. Before hiring Qualys, ICI didn't have a regular or repeatable process for detecting viruses or other problems with its IT systems. When Simmonds joined in 2001, "we ran a penetration test and actually defaced the ICI Web site in under a half hour," he says.

Qualys manages all of the devices used to protect ICI's systems and provides the company's security staff with a Web-based interface for checking the information collected. This approach lets ICI avoid investing in security hardware and software. If Qualys went bust, "the only thing we'd have committed to was their services. This is difficult work," Simmonds says, so the decision to outsource was easy.