Security Outsourcing Melissa Karolewski

Overview Introduction Definitions Offshoring MSSP Outsourcing Advice Vendors MSSPs Benefits & Risks Security Audits Cyberinsurance Some Popular MSSPs Graphs & Charts Conclusion References

Introduction Outsourcing can sometimes be critical for a business in order to maintain company objectives. Many pros and cons to outsourcing security. Can cost up to 50% less than in-house security. Still is not known whether outsourcing security is beneficial or hazardous.

What is outsourcing? Delegation of non-core operations or jobs from internal production within a business to an external entity (such as a subcontractor) that specializes in that operation. Outsourcing is a business decision that is often made to lower costs or focus on competencies. (Wikipedia, 2006)

Other Definitions Offshoring: transferring work to another country, often overseas is also a type of outsourcing. Common type of outsourcing vendor is Managed Security Service Providers (MSSP)

Why Outsource? Cost Lack of Qualified Individuals Reliability

Security Areas that are Outsourced Intrusion Detection (IDS’s) Firewalls VPNs Security monitoring Incident management Emergency response and forensic analysis Vulnerability assessment Penetration testing Anti-virus Content filtering services Information security risk assessments Data archiving and restoration On-site consulting

Outsourcing Advice Involve department staff in application outsourcing decisions. Compare variable in-house costs with fixed outsourcing costs. Evaluate multiple vendor quotes for security, reliability and problem resolution. Prepare to work with emerging companies and have contingency plans. Consider the social dynamics of outsourcing a workforce vs. a company-career model. Evaluate global vs. national outsourcing for cost and business process. Consider application outsourcing for upgrading platforms and adding new capability. Use tools to standardize and manage outsourcing.

Managed Security Is On The List What's the likelihood your company would outsource the following security services? Firewalls Antivirus software Intrusion detection VPNs Use/likely to use16%13% 24% Unlikely/will never use 69%74%72%62% Don't know15%13%15% DATA: HURWITZ GROUP SURVEY OF 79 COMPANIES WITH MORE THAN $10 BILLION IN REVENUE

Benefits of Security Outsourcing Cost Can cost up to 1/2 as much. Recent data points to only a 15% savings. “Establishing a solid cyber incident response team means hiring approximately 18 employees and making an initial investment of almost $6 million, according to statistics from Gartner, an international IT research firm.”(Lawson, 2000) Vendor can provide: Adequate Staffing Well Trained Individuals Better facilities Connection with law enforcement. 24/7 Monitoring Focused Objective and Plan Security Awareness

Risks of Security Outsourcing Possibility of dependence Partnership Failure Lack of communication Legal Issues Trust Must have trust in company Signed Confidentiality Agreements

Choosing a Good Vendor Choose a vendor that requires top-secret clearance. If they work for the government, then they are probably reputable. Background Checks Research the Company Other companies experiences

Security Vendors Charge an average of $300 an hour. Some are just reformed hackers MSSP Managed Security Service Providers Symantec AT&T SecureWorks ISS.net

MSSP a company that handles network security services (such as intrusion detection and prevention, spam blocking and firewall capabilities) for its clients. MSSPs are outsourcing providers. Provides services in areas that companies wish to outsource security. Benefits and Risks, listed above.

Continued Evaluation of a MSSP Security Audits systematic evaluation of the security of a company's information system by measuring how well it conforms to a set of established criteria. often used to determine regulatory compliance, in the wake of legislation HIPAA, the Sarbanes-Oxley Act, and the California Security Breach Information Act (Security Audit, n.d.)

Cyberinsruance Covers a number of areas not normally spelled out in traditional policies. Can be thought as a means of outsourcing, since it is a “written” protection from an outside vendor. Further protect security. Insurance discounts. Can cover insider attacks.

Popular MSSPs Symantec Offers security packages for all computer users, from personal use to small business and enterprise use. MSS services offered: Firewall/VPN Intrusion Detection Integrated Security Appliance SecureWorks Offers many types of protection. SC Magazines “Best Intrusion Protection Award” NSS approved award ISS.net Offers many services Has been around since 1995 SysTrust

Symantec

SecureWorks

ISS.net

Table 1: Participating Providers Chart [1] [1] [1] Adapted from:

The KPMG Global Information Security Survey 2002

Conclusion Security outsourcing is still a developing field. It is still unknown if the benefits outweigh the risks. A way to ensure a vendor is reputable is to look for clearances. Security outsourcing will continue to be an importance to the industry.

References _outsourcing_your_small_business_needs.mspx