Companies turn to third-party solution

Shareholders, governments, partners and customers are becoming increasingly aware of information technology (IT) security as a number of incidents have shown the vulnerability of sensitive data. While most IT departments were previously content to adopt in-house solutions to protect their information in the boom years, many chief information officers are now investing in Managed Security Services (MSS) to ensure this function stays strong. MSS has been available for a number of years, fuelled largely by the business process outsourcing trend and the proliferation of high-speed internet. However, many organisations have been slow to take up MSS because they are reluctant to hand over control of this function to an outsider. This has all changed with the economic downturn. Many boards are demanding a significant reduction in costs, lower capital expenditure and lower costs of ownership - and IT departments are typically first to come under the spotlight. Outsourcing security to an MSS provider is seen as a good way to achieve this. 'It allows costs to be transferred from capital expenditure to operational expenditure, reducing the need for depreciation of hardware and other assets, replacing them with predictable costs based on a subscription model,' said Paul Wood, a senior analyst with e-mail security services firm MessageLabs. By outsourcing the whole process and opting to pay a monthly fee instead, companies avoid the costly process of having to retain highly skilled security staff, eliminate the need to invest in security software, or appliances, and sidestep the costs of managing and reporting on their various systems. 'People costs are a huge hidden cost for companies doing IT security in-house,' said Wilfred Wong, vice-president of security solutions at CPCNet Hong Kong. 'Management overheads, such as training, turnover, ensuring qualification and people development, and keeping highly skilled security experts, are all challenges and costs that companies face when they are doing things themselves.' An additional factor driving the popularity of MSS is the increasingly sophisticated nature of the threats, and the complex solutions required to prevent them. As little as five years ago many companies would consider their network secure if it was protected by a firewall and antivirus software. Now, even with the addition of Intrusion Prevention and Detection Systems, anti-spam, IDS, virus updates, patch managements, endpoint security, network security and internet filtering systems - to name but a few - most organisations will tell you that they still feel unsafe. This is further complicated by the need to constantly update existing infrastructure, manage licences and generate reports and analysis from a number of platforms - all of which is skipped when the process is outsourced - according to MSS providers. The appeal of these factors has seen the MSS market boom in recent years. According to a report released by IDC late last year, the United States MSS market was valued at an estimated US$1.3 billion in 2007, an increase of 19.6 per cent over 2006. This figure is expected to increase to US$2.8 billion by 2012, representing a compound annual growth rate of 17.2 per cent. The global demand is so high that many large organisations, such as IBM, Cisco and others, have set up large service centres in India and China to cater to this. This is being offered on a 'software as a service basis (SaaS)', a model which many companies are increasingly becoming comfortable with thanks to the proliferation of products such as SalesForce. But while MSS may seem to be a panacea for all security and pricing woes, there are still areas where the service falls short. Many corporations, particularly in the finance industry, are not prepared to trust a third party with this function, especially as it may feel like they are not in control of their security infrastructure or able to make quick corrective action should a breach occur. As one IT executive, who did not want to be named, said: 'I'd rather be driving when we go over the cliff than sitting in the back seat.' This is exacerbated by the vanilla nature of many of these services, which may not give companies the granularity of service that they are looking for. Finally, the process of switching from in-house to outsourcing is not simple, and large companies looking to quickly switch over in order to save cash may find that more resources are needed in the short-term to achieve this handover. 'The current economic climate may make SaaS more attractive in the short-term as a means of reducing overheads and costs, but the businesses providing these services are also subject to the same economic conditions, so make sure you choose your vendor with care,' Mr Wood said. Mr Wong believes there is no such thing as complete security outsourcing, and companies and IT executives are still ultimately responsible for the security. The key is for companies to understand clearly what their needs are and to look at how MSS providers can specifically deliver on these. Their answer will determine if they should keep the function in-house, outsource it or consider a hybrid model. 'The chief information officer or the IT head will always be responsible for the overall IT security of the company. Based on our experience, we found that in enterprises where there is a high level of security consciousness, the chance for them to consider outsourcing is also high,' he said.