Security's Best Friend

Over the years, the option of outsourcing has worked its way into every IT function, including those formerly considered too vital and proprietary to be trusted to a third party, such as database management, application development, and even storage. Every function, that is, but one: security.

"I'm a firm believer that security should be kept in-house whenever possible," says Jeff Hormann, director of information security for Metromedia Fiber Network Inc., a provider of optical networking infrastructure in White Plains, N.Y. Hormann, who has 20 years of experience as a felony criminal investigator for the U.S. Army, created and commanded its Computer Crime Investigation Unit. His background--not uncommon in the IT security business--makes him extremely suspicious of letting someone else watch the store. "The downside to outsourcing is that you have to give away some of the keys to the castle," he says.

Hormann's hard-line attitude about IT security may be fairly typical among security chiefs, especially at the largest and more conservative companies. But in the past year, the option of outsourcing IT security--through a new kind of consulting firm known as a managed security service provider--has emerged as a legitimate choice for many companies. Though MSSPs initially appealed mostly to smaller companies that lack the budget for sophisticated security technology or sizable security staffs, large companies now are giving them a closer look. A June survey by Hurwitz Group found that as many as a quarter of companies with more than $10 billion in annual sales are using or considering handing over some of their security, such as firewalls, antivirus software, virtual private networks, or intrusion detection, to a managed security service.

The reason is economics. "When decisions to outsource security are made, it's generally done by the CFO and is based on cost savings," says Bruce Peck, information security manager at St. Vincent Hospital & Health Services, a network of eight hospitals in Indianapolis.

The numbers appear to be adding up for MSSPs. The Yankee Group forecasts that companies will buy $1.7 billion in security services by 2005, up from just $140 million in 1999. That kind of growth potential has caught the attention of the investment community: To date, startup managed security firms have scooped up more than $1 billion in venture-capital investment.

To reach their potential, MSSPs will have to overcome the bias many IT managers have against letting someone else run their security. Many consider it too critical a function to outsource if there's any way they can afford to keep it in-house. The same Hurwitz survey that showed a fourth of big companies are open to some outsourcing found more than 25% who say they'd never consider it for critical elements such as firewalls or intrusion detection. Also, the MSSP industry, like most nascent technology markets, has its share of startups flying by the seats of their pants and newcomers looking to cash in on a hot trend. That's why some security chiefs consider managed security a low-cost--and low-quality--option. "You won't find many security officers in favor of outsourcing security and having some-one else do that job," St. Vincent's Peck says.

It's 2 a.m. and the phone at Linda Donner's home rings. At that hour, it's a safe bet the news is probably bad. She answers and the voice on the other end of the line is a technical analyst at the Unisys security command center. The analyst is talking about a potential security problem regarding the network at First American Bank, where Donner is VP of project management. The analyst has detected suspicious activity but hasn't been able to isolate and identify the source of the trouble. If the problem isn't solved soon, the network will have to be shut down as a security precaution. Donner gives the OK to shut down the network.

Shortly after, from Unisys' secure operations center in Blue Bell, Pa., the security analyst determines that a malicious attack didn't occur after all. The problem is network interference, caused by the local phone company, affecting the bank's Internet service provider. But Donner doesn't mind the early-morning alarm. "Nothing can hurt a bank faster than a security breach," she says. "Better safe than sorry."

Donner's experience, and the reasons the Fort Dodge, Iowa, community bank went with managed security service from Unisys, exemplify how and why the market is taking off. Donner, a 20-year veteran of IT, first considered managed security when the company started looking to the Internet in 1999. "We felt we needed a partner to help put a plan together," she says. "Being a community bank, we didn't have the staff or experience to totally understand what it meant to be on the Internet."

Her first call went to Unisys, because First American had a longstanding relationship with the company as the bank's hardware provider. Unisys did a three-day security assessment, inventorying the bank's IT systems, discussing growth plans, talking about existing network security, and evaluating everything from network firewalls and intrusion-detection systems to how the bank set up employee logons and changed passwords. After the assessment was completed, Donner compared the cost of outsourcing with the price of an in-house, round-the-clock network-monitoring operation, and Unisys came out on top. But the comparison didn't matter too much, because Donner faced a staffing crunch that many security operations run up against--except geography made hers worse. "I'm in the middle of Iowa," she says. "Where would I find anyone with the required knowledge and experience?"

Managed security providers span a wide range of sizes and services. There are newcomers such as OneSecure Inc., which launched in January with $92 million in funding, and stalwart technology names such as Unisys, which has offered its e-@ction Security Solutions since October 1999. Leading the way are companies such as Internet Security Systems Inc., which started managing security remotely in 1995. ISS sells services direct to customers and also resells services through consulting firms, including PricewaterhouseCoopers, and telecom carriers such as BellSouth Corp. Many hosting companies also offer security services, generally through a reseller agreement with a managed security firm. The services MSSPs offer also vary widely, from companies specializing in one piece of the security puzzle, such as managed antivirus protection, to a full menu that includes round-the-clock monitoring.

So what kind of guarantees do security firms offer? Like most IT service sectors, security companies don't promise 100% reliability, so companies looking for financial peace of mind need to buy hacker insurance. Most security firms operate under service-level agreements that focus on performance. For example, Elad Yoran, co-founder and CFO of Riptech Inc., says a typical intrusion-detection SLA sets a standard for Riptech to spot a problem and notify the customer, usually in 15 minutes.

ISS is the largest independent MSSP, with $195 million in revenue last year and 1,183 employees. The Atlanta company says it can set up and monitor security on a 250-user network on a single T1 (1.5-Mbps) Internet gateway for about $75,000 a year, excluding hardware. Doing that in-house would mean similar hardware costs, plus at least $240,000 in annual compensation to hire three full-time specialists, based on data from InformationWeek's most recent Salary Survey (informationweekresearch.com/advisor).

That's assuming you can find trained staff to hire. Staffing shortages are the No. 2 reason companies turn to managed security, after economics. But there's a third reason that's growing in importance: the difficulty of keeping up with the latest security threats.

Howard Berkis, a director in charge of infrastructure security for CIBC World Markets in the U.S., says financial savings and staffing challenges are two reasons CIBC has used ISS for more than a year to run round-the-clock intrusion detection. But equally important is ISS's expertise on the latest intrusions. CIBC World Markets is the investment and merchant banking arm of the Canadian Imperial Bank of Commerce, which has about $180 billion in assets, and isn't about to skimp on quality. "Myself and my staff, we have a general knowledge of security and security measures," Berkis says. "You ask ISS staff a question and they can fire away answers at you very quick, or they have the answers at their fingertips." Time is critical when it comes to intrusion detection, he says. "To know that there was an intrusion three days ago is useless to me."

Keeping up to date on the latest threats becomes more difficult as the number of new vulnerabilities rises. The federally funded CERT Coordination Center, operated by Carnegie Mellon University to track Internet security statistics, recorded 171 new vulnerabilities in 1995, a figure that reached 417 in 1999. Last year, that number hit 1,090, and in just the first three months of this year, 633 new vulnerabilities were reported.

Jeff Brewer, lead security analyst at financial-data-services company Fiserv Inc., is well aware of the increasing number of computer threats. He knows there's no way he can keep up with the multitude of newsgroups, mailing lists, and Web sites dedicated to publishing vulnerabilities and also tune out the noise to find those that apply to his networks and systems. "You can't blink at the world and keep up with everything," he says.

Brewer employs TruSecure Corp., which publishes alerts by E-mail, pager, and fax to warn him when a relevant new risk has emerged. "TruSecure's assessment of the vulnerability dictates whether I come in during the middle of the night to start working on it or wait for the morning," he says.

Though Brewer finds the TruSecure alerts invaluable, he's hesitant about outsourcing intrusion-detection systems that monitor his internal and E-business systems. He's looked at managed security options from ISS and BellSouth, which also does intrusion detection, and is impressed with their operations but isn't ready to sign up. "We've done a great job at securing our systems," he says. "Unless we get more servers, I don't see it being cost-effective yet."

But for some companies, it isn't a matter of cost-effectiveness--it's a matter of survival.

Internet startups put their entire businesses online, and with the dot-com industry failing and the capital-market spigot turned off, they now have to run like real, cash-conscious companies. Really cash conscious. "We're down to 15 people," says Dave Stringham, director of business development for iEnhance Inc., an online marketplace for elective surgery that provides referrals to 1,600 plastic surgeons. "We don't have the time or resources to manage security 24-by-7-by-365."

IEnhance hired Relera Inc., which through a partnership with managed security services provider Riptech provides managed firewall, vulnerability scanning, VPN, intrusion detection, and real-time monitoring and remediation services. Two months into its arrangement to manage the firewall, a Riptech security analyst noticed that someone was trying to hack into one of iEnhance's servers. The attack was thwarted, but Stringham figures it would have taken his team hours or even days to figure out what was happening and what to do about it. "We'd probably have to bring in high-priced security consultants at outrageous emergency fees," he says.

Outsourced, managed security hasn't proved its worth to most major companies. However, the health-care industry may provide a test bed, because several factors are coalescing to make security and cost-cutting high priorities. Hospitals and medical centers are feeling a cash pinch from reduced Medicaid and Medicare reimbursements, making the efficiency of electronic records a priority. At the same time, new rules to guard patients' privacy--the Health Insurance Portability and Accountability Act--are putting the pressure on health-care companies to prove they can protect patient information online.

Fred Eisenberg, director of information security at Mount Sinai New York University Health, was an early adopter of one aspect of managed security--letting a service provider handle the remote-access security through a virtual private network. But it's been a rough ride, as Eisenberg lived through the shakeout and consolidation hitting this emerging industry.

Eisenberg's problems started in November when Mount Sinai's vendor decided secure remote access wouldn't be one of its core services anymore, though it continued to service its existing contract with Mount Sinai. Service to the New York hospital and medical center began to suffer, and Eisenberg worried that it could lose secure access to clinical applications that give doctors, nurses, and administrators access to patient records, lab results, and admission forms.

Once Mount Sinai decided to opt out of the existing contract, Eisenberg and his staff weighed three options: have the hospital build its own virtual private network, outsource everything, or somehow combine the two. They opted for a hybrid approach--Mount Sinai would handle the back end of its applications and outsource remote access to Aventail Corp. The service, Aventail.Net, lets the health-care staff access legacy and Web applications. Along with the VPN, Mount Sinai outsources to Aventail all user administration: enrollment, provisioning, authentication and authorization, and enforcement of the hospital's remote-access policy.

St. Vincent's Peck says its hospital network is beginning to move private patient information online, and so far he's keeping security in-house. St. Vincent is rolling out an access control system based on Computer Associates' eTrust Single Sign-On and Saflink biometric authentication software that eventually will serve 1,000 workstations. Peck is more comfortable handling that security in-house, but admits there are pieces that might make sense to outsource someday. The hospital recently bought an intrusion-detection system but hasn't decided how it will be monitored. "It's expensive to have one person dedicated to monitoring the networks," he says.

Metromedia Fiber Network has incorporated tools that let it integrate and manage much of its security centrally, monitoring the network in much the same way outsourcers do. "We have such a widely distributed environment that you can't throw people at every location," says security director Hormann. Metromedia has been using E-Security Inc.'s Open E-Security Platform for about seven months, which helps the company collect near real-time security information from across its network. Open E-Security is part of an important layer that allows Hormann's company to continue managing its security in-house, he says.

"We form multiple nets, from firewalls to intrusion detection systems to E-Security to our security policy and other tools," he says. "If one net misses, another will catch it."

That's the kind of confidence managers need in the IT security business. For some, that kind of faith can only come from keeping their hands directly on every element of security. But at companies facing nagging doubts--and rising costs--managed security just might find a way in.

Photo of Brewer by Stan Kaady