Online security :: Outsourcing in IT security ::
Beyond ‘off the shelf’

Despite concerns about security, outsourcing can still make a lot of sense in the IT sector, writes Ken Watt from INSL.

Breaking with the past

Security has traditionally been something that organisations have kept close to their chests – an internal issue not to be entrusted to outsiders. In terms of physical security this instinct has softened over recent decades as contract guards, commercial alarm monitoring stations and secure couriers have taken the place of internal security services. Information and IT security, however, only began to embrace outsourcing very recently, but its take-up is accelerating rapidly.

Outsourcing in IT security

Whilst general IT spend is under extreme pressure, security spend is widely predicted to maintain growth, with the outsourcing of services leading the way. By 2005, Gartner expects 60 per cent of US enterprises to outsource some form of perimeter security monitoring. Research by Forrester predicts that spending growth for outsource services will outstrip that of other security services by as much as 200 per cent over the same period. An Ernst and Young global information security survey in 2002 reported that 27 per cent of UK companies plan to outsource their security activities by the end of 2003.

Why the change?

This growth reflects changing attitudes as well as a need to control cost. In the background is an increasing awareness of security issues and the potential business impact of incidents – most significantly amongst senior and executive management. Whilst IT security used to be a fringe issue for specialists and ‘geeks’, it is now very much in the mainstream and has the attention of strategists and budget holders. Underlying this growing awareness is a real increase in the level of incidents.

CERT (the Computer Emergency Response Team – the leading global organisation for gathering and disseminating incident data) shows incident levels rose by over 200 per cent between 2000 and 2001 and by 300 per cent between 2000 and the third quarter of 2002. The DTI’s Information Security Breaches Survey 2002 reports that hacking and virus attacks are costing £10 billion a year and that 78 per cent of large-cap companies have experienced some kind of electronic attack in the past year, with the average cost of a security breach at £30,000. Other industry surveys draw similar conclusions.

Identifying gaps

In a climate of sharply increasing risk an effective response is critical. Quite apart from questions over funding, organisations must assess the level and suitability of internal resources and whether existing staff can cope with the technical and operational demands of a growing and increasingly complex threat. Can a busy IT team give security adequate attention? If gaps exist, can the organisation find skilled and experienced staff and, if so, can it afford to hire them? Surveys show consistently that, after budgetary constraints, companies see lack of skilled people as their most significant challenge.

The range of expertise required in security often implies a breadth and depth of skill far beyond the means of all but the very largest companies. Disciplines include risk assessment, policy and strategy, design, technical implementation, configuration and operations – covering firewalls and networks, applications and data security, desktops and user management and a host of other fields. The Forrester report referred to previously noted that nearly 50 per cent of companies surveyed saw lack of skilled people as a barrier to implementation of necessary security programmes.

Making the business case

Maintaining effective security requires very specialised skills, dedicated effort and, ideally, round-the-clock vigilance. This involves significant cost (hardware and software, ongoing software subscriptions, hardware maintenance, supplier technical support, staff training, monitoring operations support) across a range of equipment (firewalls, virus scanners, content filters, reporting tools, intrusion detection systems etc).

Sadly, costs don’t scale linearly with the size of company – so the choice for smaller companies is either to pay heavily for comprehensive security or to accept compromises. Outsourcing can offer the economies of scale enjoyed by the largest companies in a package that is priced for the smaller organisation. For as little as the cost of half a full-time employee, it should be possible for a smaller organisation to have a fully managed and monitored perimeter security solution, with access to a team of specialists where necessary.

Here to stay

The world has moved on – information technology now pervades businesses of all sizes, so security has become a business rather than a technical issue. The complexity of both threat and response is leading companies to look outside for solutions. All the signs are that the outsource security market is here to stay and that its growth is set to continue over the coming years. The challenge for businesses is becoming one of supplier selection and management – something they ought to be more comfortable with.

INSL was founded in 1997 to fulfil a basic need in large and medium-sized enterprises for informed and practical advice on the safe connection of their networks to the Internet, to the networks of business partners, to other external networks and to their customers. The company provides advice and help to customers on security policy, strategy and technical design, backed by practical skills in implementation and technical support. A carefully developed information security strategy is essential to any organisation, regardless of its size or the nature of its business.

INSL provide qualified, experienced consultants and engineers for the design and implementation of security solutions in commercial environments. They are not only technicians but also experts in their field, capable of understanding the culture of the client’s business and delivering appropriate security infrastructure and service.

For further information contact: Internetworking Strategies Ltd, 100 Preston Crowmarsh, Wallingford, Oxon OX10 6SL. Tel: +44 (0)1491 820900; Fax: +44 (0)1491 820 901; Email: info@insl.co.uk; Website: www.insl.co.uk