Outsourcing in IT security

an article added by: Frank C. at 06032007



Beyond ‘off the shelf’

Despite concerns about security, outsourcing can still make a lot of sense in the IT sector, writes Ken Watt from INSL.

Breaking with the past

Security has traditionally been something that organisations have kept close to their chests – an internal issue not to be entrusted to outsiders. In terms of physical security this instinct has softened over recent decades as contract guards, commercial alarm monitoring stations and secure couriers have taken the place of internal security services. Information and IT security, however, only began to embrace outsourcing very recently but its take-up is accelerating rapidly.

Outsourcing in IT security

Whilst general IT spend is under extreme pressure, security spend is widely predicted to maintain growth, with the outsourcing of services leading the way. By 2005, Gartner expects 60 per cent of US enterprises to outsource some form of perimeter security monitoring. Research by Forrester predicts that spending growth for outsource services will outstrip that of other security services by as much as 200 per cent over the same period. An Ernst and Young global information security survey in 2002 reported that 27 per cent of UK companies plan to outsource their security activities by the end of 2003.

Why the change?

This growth reflects changing attitudes as well as a need to control cost. In the background is an increasing awareness of security issues and the potential business impact of incidents – most significantly amongst senior and executive management. Whilst IT security used to be a fringe issue for specialists and ‘geeks’, it is now very much in the mainstream and has the attention of strategists and budget holders.

Underlying this growing awareness is a real increase in the level of incidents. CERT (the Computer Emergency Response Team – the leading global organisation for gathering and disseminating incident data) shows incident levels rose by over 200 per cent between 2000 and 2001 and by 300 per cent between 2000 and the third quarter of 2002. The DTI’s Information Security Breaches Survey 2002 reports that hacking and virus attacks are costing £10 billion a year and that 78 per cent of large-cap companies have experienced some kind of electronic attack in the past year, with the average cost of a security breach at £30,000. Other industry surveys draw similar conclusions.

Identifying gaps

In a climate of sharply increasing risk an effective response is critical. Quite apart from questions over funding, organisations must assess the level and suitability of internal resources and whether existing staff can cope with the technical and operational demands of a growing and increasingly complex threat. Can a busy IT team give security adequate attention? If gaps exist, can the organisation find skilled and experienced staff and, if so, can it afford to hire them?

Surveys show consistently that, after budgetary constraints, companies see lack of skilled people as their most significant challenge. The range of expertise required in security often implies a breadth and depth of skill far beyond the means of all but the very largest companies. Disciplines include risk assessment, policy and strategy, design, technical implementation, configuration and operations – covering firewalls and networks, applications and data security, desktops and user management and a host of other fields. The Forrester report referred to previously noted that nearly 50 per cent of companies surveyed saw lack of skilled people as a barrier to implementation of necessary security programmes.

Making the business case

Maintaining effective security requires very specialised skills, dedicated effort and, ideally, round-the-clock vigilance. This involves significant cost (hardware and software, ongoing software subscriptions, hardware maintenance, supplier technical support, staff training, monitoring operations support) across a range of equipment (firewalls, virus scanners, content filters, reporting tools, intrusion detection systems etc.). Sadly, costs don’t scale linearly with the size of company – so the choice for smaller companies is either to pay heavily for comprehensive security or to accept compromises.

Outsourcing can offer the economies of scale enjoyed by the largest companies in a package that is priced for the smaller organisation. For as little as the cost of half a full-time employee, it should be possible for a smaller organisation to have a fully managed and monitored perimeter security solution, with access to a team of specialists where necessary.

Here to stay

The world has moved on – information technology now pervades businesses of all sizes, so security has become a business rather than a technical issue. The complexity of both threat and response is leading companies to look outside for solutions. All the signs are that the outsource security market is here to stay and that its growth is set to continue over the coming years. The challenge for businesses is becoming one of supplier selection and management – something they ought to be more comfortable with.

INSL was founded in 1997 to fulfil a basic need in large and medium-sized enterprises for informed and practical advice on the safe connection of their networks to the Internet, to the networks of business partners, to other external networks and to their customers. The company provides advice and help to customers on security policy, strategy and technical design, backed by practical skills in implementation and technical support. A carefully developed information security strategy is essential to any organisation, regardless of its size or the nature of its business. INSL provide qualified, experienced consultants and engineers for the design and implementation of security solutions in commercial environments. They are not only technicians but also experts in their field, capable of understanding the culture of the client’s business and delivering appropriate security infrastructure and service.

For further information contact: Internetworking Strategies Ltd, 100 Preston Crowmarsh, Wallingford, Oxon OX10 6SL. Tel: +44 (0)1491 820900; Fax: +44 (0)1491 820 901; Email: info@insl.co.uk; Website: www.insl.co.uk
