Experts agree that security is one of the toughest IT elements to outsource, but that isn’t stopping the practice from catching on in Canada.
While some may view IT security outsourcing as synonymous to handing an outsider the keys to your kingdom, an increasing number of organizations are finding value from entrusting their digital security to a third-party service provider.
As in many outsourcing ventures, the lack of in-house resources and expertise in the area of information security comes out as a top driver for companies to turn to managed service providers.
Outsourcers offer organizations capabilities that they would have otherwise spent millions of dollars on building and maintaining themselves. Outsourcers also bring to the table expert professionals that, again, would have cost companies a huge amount of investment to hire and retain in-house.
It is for these reasons that Toronto-based condominium developer Tridel turned to outsourcing, according to the company’s CIO, Ted Maulucci.
“In terms of security, I actually feel safer using someone else, because I know that [in our company] we have people doing multiple tasks at once. I can’t really afford to have one single, dedicated security expert,” explains Maulucci.
Tridel has outsourced the management and security of its Web servers (Apache and IIS, Microsoft’s Internet Information Server) and its Exchange servers to Fusepoint Managed Services. Security patch management is part of that outsourcing agreement, a job that Maulucci says would have entailed maintaining a full-time security staff had the company handled it internally.
Fusepoint manages Tridel’s two Web server locations: one in Mississauga, Ont. and the other in Montreal. One site serves as the production site and the other as a test site, but either can fail over to the other seamlessly and securely, Maulucci says.
“When I go to the outsourced solution, I am getting 24/7 (monitoring service) which internally, would have been very, very costly to do,” says the Tridel executive.
Tridel is also beginning to outsource its spam filtering, a function that has become increasingly challenging for the condo builder to run internally, says Maulucci. “Right now there is a lot of time being spent on managing spam filters…and we’re finding that a lot of spam (messages) are getting through the filters.”
Looking up
Tridel is just one of many Canadian firms that are starting to outsource one or more IT security functions to third-party providers. This trend is giving the IT security outsourcing market a positive outlook, according to market research firm IDC Canada.
IDC is forecasting solid growth of about 18 per cent between 2005 and 2010 in the Canadian IT security outsourcing market, growing from $85 million in 2005 to $195 million in 2010, says Joe Greene, vice-president, IT security research at IDC.
“We are starting to see a fairly healthy uptake of IT security outsourcing services and the main reasons are access to expertise and financial reasons,” Greene says.
Another reason, says Nicole Stampatori, national practice executive for security, identity and privacy for IBM Canada, is the lack of competency in terms of keeping up with increasing IT security threats. IBM Canada provides managed security services in the areas of intrusion detection, antivirus, content filtering, anti-spam and firewall.
Although the adoption rate is taking an upward course, Greene says security outsourcing is “not for everybody at this point in time.” Organizations that deal with huge amounts of confidential and sensitive information, such as financial services and government institutions, may still show some reluctance towards security outsourcing and tend to keep security-related functions in-house, explains the IDC analyst.
A separate market study, however, indicates that such reluctance among financial institutions may be dwindling on a global level.
A survey by Deloitte’s Global Financial Services Industry group reveals close to 70 per cent of respondents from major financial institutions worldwide say they have outsourced at least one area of their information security functions. Of those, vulnerability management and intrusion detection came out as the most outsourced tasks, with 27 per cent and 25 per cent, respectively.
Vulnerability assessments involve periodic scans of the network and Internet environment to scout for security weaknesses. Intrusion detection and firewall monitoring, on the other hand, typically involve dedicated, 24-hour monitoring work that means full-time security staffers working in shifts.
“Rather than have three shifts monitoring the firewalls and intrusion detection systems, [companies] have outsourced that management part, which in some cases could be more cost-effective,” explains Nick Galletto, a partner at Deloitte’s security services in Toronto.
While security outsourcing uptake is increasing, many of these activities are confined to perimeter defense. That has to do with the maturity of this type of technology, says Serge Bertini, manager of the security division for CA Canada.
“There is less risk in perimeter defense outsourcing because over the years we have learned all the issues and pitfalls of managing a firewall, we understand the technology extremely well, so when [a company] creates a contract with a particular outsourcer, they know what needs to be in the agreement,” Bertini explains.
The more intimate and sensitive security management functions, such as identity and access management, network access control and compliance management, tend to be kept in-house simply because they deal with protecting the core assets of a company, says Tom Moss, vice-president of technology for Bell Security Solutions Inc.
“There are security issues that go very deeply into the company and that probably will take some time before there is a level of comfort outsourcing more of that work,” explains Moss. He adds that what security outsourcing has done today is merely take some of the easier security tasks off the plate of the enterprise.
“Until you are able to get to a meaningful percentage [in providing solutions to] all of the security problems that enterprises have, you haven’t really eliminated the need to have a significant security team,” Moss says.
If there is one area of security that many industry experts agree should never be outsourced, it’s governance. This category includes policy establishment and management, as well as the ability to measure the effectiveness of security initiatives by requiring outsourcers to provide regular reports on the activities involving the outsourced service.
Deloitte’s Galletto says everything that has to do with strategy-setting should always remain in-house. “Make sure that you fully understand what the current landscape is, what the current security posture of your organization is and continuously get key indicators on where you are.”
SIDE BAR
The ABCs of SLAs
Entering into an IT security outsourcing contract can be very challenging, says Ted Maulucci, CIO at condominium builder Tridel. “Expect the legal (procedures) in the beginning to take a lot longer than you think,” notes the Tridel executive. Experts agree that crafting the service level agreement (SLA) for an IT security outsourcing deal could spell the difference between a successful venture and a failed one. ComputerWorld Canada spoke to security industry experts to flesh out the important ingredients that organizations need to create an effective SLA. Here’s what they had to say:
Know thyself. Start with looking at your own situation, says Joe Greene, IDC Canada vice-president for IT security research. Do a complete audit of where your company is and where you want to go with your security and IT infrastructure. Be aware of what expertise you have in-house and what necessary expertise your company may be lacking.
Ask why. If you are outsourcing a security aspect of your IT operations, you have to understand why there is a need to outsource, points out Serge Bertini, manager of the security division for CA Canada. Make sure you fully understand that specific security aspect that you are handing over to be managed by a third party in order to clearly define the kind of service you are looking for.
Compare notes. Look into multiple possibilities before zeroing in on an outsourcer, says Maulucci. Be clear in your request for proposals (RFP) in order to get an apples-to-apples comparison of vendor proposals. Getting references from other companies about a specific vendor is also a good idea, especially if it’s an independent review. “I tried not to use references provided by the vendor (and instead) I tried to go through my peer network to find good references prior to going with a specific outsourcer,” says Maulucci.
The devil is in the details. Make sure that your SLA outlines exactly what the outsourcer will provide and how it intends to provide that service, says Deloitte partner Nick Galletto. Companies that are not able to articulate and clearly spell out in the SLA the level of service they want from their outsourcer run the risk of incurring additional costs in the end. Conditions such as getting reports back from the outsourcer as to the activities occurring in that outsourced function, as well as change management procedures, are some of the important provisions that an SLA should have, says Galletto.
Do the due diligence. Liabilities in the event of a breach should be clearly spelled out in the SLA, says Galletto. “From the outsourcer’s perspective, they want to put as much limitation of liability as possible and to some extent, rightfully so,” he says. Both parties must make sure that the outsourcer exercises due diligence and proper controls as a way of mitigating the possible risks, which in the end, works out for both parties.
Ask the expert. The SLA is very important to the health of your security outsourcing deal. If you feel that you are not well-equipped with the knowledge and skills to craft an outsourcing agreement, talk to an expert, says Bertini.
When in doubt, don’t outsource. Security is the last thing a company should outsource, says Brian Bourne, CEO of Toronto-based security consulting firm CMS Consulting. Bourne points out that, to the extent possible, companies should be responsible for their own security. “When I talk to companies I tend to advise them that [security] is important to your business. If you’re going to outsource this, (realize that), sure, you can litigate if things go wrong, but you can’t undo what went wrong, and you may or may not have success litigating.”
One of the key things that companies should remember about outsourcing is that in the end, they are still responsible to their customers, says Deloitte’s Galletto. Regardless of what you are outsourcing, the onus and accountability still fall back to the organization. “Never assume that the responsibility changes hands with the outsourcer,” Galletto says.