IT Burden Forces Security Outsourcing

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More .

While outsourcing is on the rise in high-tech areas like programming and
data center maintenance, IT administrators have remained leery of taking
care of network security anywhere but in-house.

But those ideas may finally be changing.

Keeping viruses at bay. Repelling hacker attacks. Ensuring that prying eyes
aren’t getting a look at private information. All of these functions are
critical to keeping a business guarded and out of financial trouble.

Security is so critical that IT executives have wanted to keep it in-house
where they can keep an eye on what’s happening in that realm and make sure
that their best people are accountable for it.

Security, however, is outgrowing many enterprise IT shops. There are too
many firewalls to watch. Too many patches to download and install. Too many
reports to read and analyze.

Administrators have needed more help, but their companies can’t always
afford to hire more technical people to fill the bill. That’s when they
begin to look outside the company. And as more companies turn to
outsourcing, it inspires others to brave the world of third-party service
providers and hand over their security needs to someone else.

”We know what we’re good at and we know what we’re not good at,” says
Chris Warner, founder and CEO of E2Citizenship.com, a 12-year-old
organization that provides community-specific information through networks
such as AMBER Alert 911, Earth 911 and Warning 911. ”We outsourced our
security to Symantec because they are good at what they do and they are able
to look for problems before they happen. We couldn’t have done that.

”This is the best tool for us on a 24/7 basis to keep our system secure,”
adds Warner.

E2Citizenship.com, which is based in Scottsdale, Ariz., started out running
networks like Earth 911 and Pets 911, online sites where people could get
information on where to recycle, where to adopt pets and beach quality
ratings. Now Warner and his colleagues are working to move the Amber Alert
system, an emergency alert system for abducted children, from a network
based on television alerts to an Internet-based system that connects law
enforcement agencies and other organizations around the country.

Warner says
the old system used to take an hour to an hour and a half to be activated,
and now alerts can be shot out in a matter of minutes.

But this new high-tech network needs to be guarded — tightly.

”With Pets 911 and Earth 911, security was somewhat important, but with
Amber Alert, it’s outrageously important,” says Warner. ”This network
activates hundreds of other networks and will potentially alert millions of
people. There has to be no possibility of someone hacking into this. If
someone could trigger a false Amber Alert, it would be devastating. You
can’t cry wolf and have this be effective.”

A lot of companies are turning to outsourcing to get the quality of security
that they couldn’t provide in-house, says Phebe Waterfield, a research
analyst with the Yankee Group, a Boston-based industry analyst firm.

”People had been really concerned about outsourcing security, but it seems
they are getting accustomed to the idea,” says Waterfield, adding that
outsourcing firewalls and scanning services has become quite common. With
both of these services, there are clear guidelines on how they are to be
managed. Clear policies make it easier to hand the work over to someone
else.

With intrusion detections systems, though, it becomes a little murkier.

What issues do you respond to? How do you rate pings against the perimeter?
They are dicey issues that make it more difficult to hand over that service
to a third party and know that it’s being handled exactly the way you’d
want — since you may not be clear on how you want it handled in the first
place.

”We’ve found that for every intrusion detection system outsourced, there
are seven firewalls being outsourced,” says Waterfield. ”Consider if
you’re a large enterprise running 10, 15, or 20 firewalls, that’s a lot of
overhead. It can save you a lot of money by giving it to a vendor to do.”

Retaining Control

Becoming comfortable with the idea of outsourcing your network security
means realizing that in the best situation, you’re really not giving up
control — just a lot of the hands-on work.

”We prefer to call it co-sourcing,” says Grant Geyer, vice president of
global management security services for Alexandria, Va.-based Symantec, a
major player in the enterprise security market. ”A lot of times, especially
in large enterprises, you need the expertise of security people who do this
24 hours a day. You need to feel that when you pick up the phone you’re
calling the guy down the hall. That requires a special relationship.”

Geyer says most companies turn to them for round-the-clock analysis of
what’s happening on their network, as well as what is happening around the
Internet. Companies often retain their own security staff to develop
policies and ensure effective implementation of those policies.

”They rely on a company like Symantec to do the heavy lifting that is very
people intensive and can be expensive for a company to do themselves,” says
Geyer. ”A single firewall or a single intrusion detection system could send
off millions of alerts a day, and all of them need to be analyzed to figure
out if there’s a hacker trying to break in or just benign traffic that might
look bad.

Continue on to find out how the Screen Actors Guild protects critical information, and how offshoring fits into the outsourced security mix.

Looking Outside for Help

When the Screen Actor’s Guild-Producers Pension and Health Plans developed an interactive Web site that allows participants, often big-name movie stars, to access their health and
pension information 24 hours a day, executives knew they needed another
company to do the heavy lifting when it came to security.

The Pension and Health Plans arm of SAG, a labor union for performers, was not only dealing with ensuring the privacy of a lot of well-known people, who draw hackers like flies to honey, but it also was faced with federal regulations, such as HIPPA, which
regulates security for health information. Amanda Bernard, executive project
manager at SAG-Producers Pension and Health Plan, says she knew it was all more than they could handle in their own IT shop.

”We had several big security drivers,” says Bernard, who chose to
outsource her work to Symantec. ”We went looking for a vendor we could
develop a relationship with and maintain it. Could we get everything we want
from them?

”We didn’t want someone who would be notified by pager that there was a
problem and then 20 minutes later they’re coming in to see what the problem
was,” she adds. ”We wanted someone who was monitoring our firewalls and
intrusion detection. We wanted someone on top of it all.”

Offshoring not an Easy Security Choice

While many CIOs consider moving their security work outside the company,
most still are hesitant to move such critical work offshore. They don’t want
their security work being done that far away, especially in such a turbulent
political climate.

But the Yankee Group’s Waterfield warns that administrators need to make
sure they know exactly where their outsourced work is being done, because
some service providers offshore the work that they’re taking in.

”An enterprise might have offshored functions if their provider offshores
functions,” she points out. ”I think it’s important that companies are
aware of it. Companies need to do due diligence on the provider. Where are
they physically located? Who is doing the work? How trained and experienced
are the people doing that work?”

Geyer says that while Symantec has six operation centers worldwide, they do
the outsourced work in the country where the client company is based.