The business case for outsourcing information security is a sound one, experts say. Managed security services is one of the fastest growing market segments in the security marketplace, according to Gartner, which reports that as of 2005, 60% of enterprises were outsourcing the monitoring of at least one network boundary security technology. Security services were a $16.5 billion industry in 2004, with a compound annual growth rate of 35%, according to IDC.
In a managed security deal, the organization shares information security and business risks with the managed services provider. Such deals provide access to a range of security services and to skilled staff whose full-time job is security.
The cost of managed security services is typically less than hiring in-house, full-time secur- ity experts. For example, a managed security provider can set up and monitor security on a 250-user network on a single T1 (1.5 Mbps) Internet gateway for about $75,000 a year, excluding hardware. Replicating this capability within an organization produces similar hardware costs, plus at least $240,000 in annual compensation to hire three full-time specialists.
A shortage of qualified information security personnel puts tremendous pressure on IT departments to recruit, train, compensate, and retain critical staff. The cost of in-house network security specialists can be prohibitive. In an outsourcing deal, the costs to hire, train, and retain highly skilled staff becomes the service provider's responsibility.
A Matter Of Trust
When retaining a managed security services provider, banks need to consider issues such as trust, dependence, and ownership. Establishing a good working relationship and building trust between a client and service provider are critical in deciding whether to outsource security services. Service providers have access to sensitive client information and details about the client's security posture and vulnerabilities. The intentional or inadvertent public release of such information can be extremely damaging to the client. A signed confidentiality agreement enacted in the later stages of contract negotiations can help mitigate this risk.
The shared operational environment used by many service providers to support multiple clients poses more risks than an in-house environment. Sharing a data-transmission capability, such as a common network, or a processing environment, such as a general-purpose server, across multiple clients can increase the likelihood of one organization having access to the sensitive information of another.
Initiating a managed security services relationship may require a complex transition of people, processes, hardware, software, and other assets from the client to the service provider or from one provider to another, all of which may introduce new risks. IT and business environments may require new interfaces, approaches, and expectations for service delivery.
Service-level agreement guidelines fall into two categories: ser- vice-specific agreements and operational security practice agreements. Service-specific agreements address characteristics and attributes of the service being provided. Operational security practice agreements address the quality of the operational security environment in which the services are executed. This set of content guidance doesn't typically appear in today's service-level agreements but represents content on which the agreement should be based.
Managing the relationship with a service provider should include guidelines for moving from in-house services to provider-supplied ones or from one provider to another. Finally, there are guidelines to consider using when terminating a relationship with a service provider, whether at the end of a contract or at some earlier point.