With security becoming increasingly complex to manage, formerly reluctant organisations are embracing outsourcing, says Rob Buckley.
Outsourcing has become a fact of life and the market is still set to grow, regardless of occasional scare stories about data theft in Indian call centres. Expensive and time-consuming to do in-house, managed security services have long been on the list of responsibilities for which many organisations turn to external suppliers.
And as the number of threats companies face is rising, so is the number of people signing on with a managed security services provider (MSSP). Gartner predicts compound annual growth of 14.9 per cent for the market, taking it from £422 million in 2004 to £860 million by 2009.
The boom in cyber crime and other threats on the internet, and the corresponding explosion in technologies to deal with them, have provided enough of an incentive for previously reluctant organisations to consider managed security, and for MSSPs to change the services they offer.
"A couple of years ago, the internet suddenly became full of rubbish," says Matt Darnell, IT manager at The Fabulous Bakin' Boys bakery in Witney. "Systems started grinding to a halt." Faced with the increasing risks to his company, which has grown rapidly and relies increasingly on the web and email, and without the budget, staff or time to cope with the situation in-house, he went to an MSSP. Darnell is now using intY's MailDefender managed service to rid the firm's emails of spam and viruses. He no longer has a spam problem and doesn't have to waste time on infected PCs.
It's a similar story for Martyn Croft, head of corporate systems at The Salvation Army. Although he describes administering two Check Point firewalls and looking after the concerns of individual PC users as the "meat and bread" to the charity's 24-strong IT department, the difficulty of managing content filtering and email led him and his team to use MSSP BlackSpider. "I'm not a big fan of outsourcing," he says. "But I wouldn't view this as outsourcing. It's an appliance."
These managers have decided to bring in MSSPs because they don't have the resources in-house and would be unable to afford to hire them in. Even larger companies find their budgets are unable to stretch to providing all the security services they require, particularly if they need staff who can react 24/7 across global locations (see case study).
The Fabulous Bakin' Boys and The Salvation Army are, to some extent, typical of the earlier adopters of MSSPs in that they use suppliers mainly for upstream filtering of their email or internet connection. They're also relatively small organisations with fairly small IT departments, many of which see MSSPs as a way of getting rid of a problem and dealing with a skills deficit. "Five years ago," says Thomas Raschke, an analyst at Forrester Research, "there was a lot of enthusiasm on the part of clients. It was one way out of being responsible for your own security - you just outsource. You still see that in smaller and mid-size firms."
The age of compliance
However, as budgets thawed out from the bursting of the dotcom bubble, the overall trend changed too, with larger companies and those with greater needs than simple content filtering beginning to take advantage of the savings and management resources available from MSSPs. Even long-term holdouts, such as those in the government sector and financial services, have started to embrace the possibilities of MSSPs at all levels.
One reason for this is that they may be struggling to cope with the needs of compliance. With regulations imposed by the Government, the European Union, the US's SEC, the payment card industry and other bodies affecting UK organisations, many are finding they don't know what they have to do to be compliant, so hire an MSSP who knows both the legislation and best practice to help clean up their acts. This is particularly the case with larger enterprises, according to Chris Richter, head of security at IT services company Savvis.
The nature of the relationship between MSSPs and clients is changing too, as customers are starting to want more than basic protection. Paul Brown, group IT manager at healthcare recruitment agency Reed Health, was looking for something that would offer him protection from email threats, spam and malicious web content; look after his firewalling, virtual private networks (VPNs) and demilitarised zones; and protect him from anything else that could endanger his company.
He now uses Network Box's unified threat management and managed security service to protect his company's two mirrored data centres from external threats. The centres provide the power for the company's thin clients, which are installed in all its branches. "I've always been very adamant about not using third parties," Brown says. "But I came to realise it's impossible to do everything yourself. The actual job of keeping firewalls up to date, reviewing logs, or setting up VPNs can be extremely boring, and to have someone skilled and reliable doing that as a job isn't very cost-effective. You'd be paying £40,000 to £45,000 for a good security person, and it's costing me a lot less with Network Box."
He also wanted someone who could provide him with advice on security. "It's not just a client-supplier relationship. They're always suggesting things. It's like having an expert on the team that I couldn't otherwise afford."
The next level
The services an organisation will pick depend on its maturity, according to Bart Vansevenant, director of product management, MSS, at CyberTrust. Typically, firewalls and intrusion prevention systems will be the first for outsourcing, with SSL VPNs next on the list. Organisations might then consider ID management, transaction management and managed compliance. Garry Sidaway, head of product marketing, EMEA, at CyberTrust, says the effects of the Jericho Forum and deperimeterisation have been to boost interest in management of host devices. "The trend is towards application-level security monitoring: looking at where the data is and protecting that." Personal anti-virus and desktop security are also proving popular, he adds.
Patch prioritisation is also seeing increasing interest. With so many patches for a multitude of applications and operating system components being produced, organisations are now willing to pay MSSPs to prioritise patches, so that the most urgent releases are administered immediately. Ryan Kalember, MSS consultant at VeriSign, sees it as part of the "third phase" in the evolution of managed security services.
"MSS was originally about filling skills gaps and really only addressed small and medium-sized businesses," he says. "The next phase was about getting more value out of significant investments in technology, such as intrusion detection systems, which generate loads of alerts that are useless unless someone looks at them and does something. The second evolution was when large companies got the religion. The third is more about being proactive and getting insight into areas."
As Reed Health's Brown shows, customers are increasingly looking for greater sophistication from their MSSPs. Medium-sized and larger organisations in particular want a relationship that is more of a partnership. "We don't get anywhere unless we have a relationship with customers and in-depth meetings," confirms Russell Poole, director of professional services at Netstore.
CyberTrust's Vansevenant says his company typically has monthly review meetings with clients, where both parties discuss what actions might be needed. This not only improves the organisation's security, it also helps to alleviate any worries the customer might have about handing security over to a third party.
A question of trust
These concerns are not entirely unfounded. When US-based MSSP Pilot Network Services went bankrupt in 2001, more than 200 customers were forced to find new MSSPs or take security back in-house. At the time, Pilot was an eight-year-old company with around 400 staff, so seemed a reasonable bet. Yet it went under so swiftly, clients found themselves sending their own staff to man Pilot's operations centre while they tried to recover, or bringing in ex-Pilot employees as consultants to help recover their lost services. The history of IT is littered with the debris of outsourcing deals that went wrong and needed to be "backsourced", such as Sainsbury's deal with Accenture and JPMorgan Chase's IBM deal.
Clearly, as with any outsourcing service, some kind of back-up plan is prudent, even if, compared with 2001, there are now far fewer reasons for concern about the average MSSP. The slow but steady weeding out of minor players over the years, and the acquisition of major players such as RedSiren, ISS, NetSec and GuardedNetworks by even larger players including Symantec, IBM and MCI, has made a collapse far less likely.
The commoditisation of certain services, such as firewalling, also makes it easier to switch supplier when deals go bad. So do hosted "in-the-sky" services, where the filtering and policy rules live on the provider's remote systems and can be recreated at a new supplier without much difficulty.
A careful balancing act
But deciding how much of the company's security to hand over to an MSSP is itself part of what VeriSign's Kalember calls the third phase: risk management. Determining the exact balance between in-house and outsourced security, and deciding which aspects of security to worry about, are now part of almost any IT security department's job.
"There are one or two things I would always hold out against outsourcing," says Mick Creane, a security consultant at BT. "One is policy. The other is responsibility." An organisation can outsource security to an MSSP, but only it can decide what to do in the event of an incident. "With any outsourcing deal, you have to understand the reasons why you're doing it, then set the objectives and requirements," warns Creane. "What are your crown jewels that you have to keep in-house? What are realistic service levels? How will you monitor them?"
As different kinds of threats emerge in the future, MSSPs are going to change the services they provide to match. Many will specialise; others will remain generalist, one-stop MSSPs that provide all the services a client needs. Whatever happens, the market for their services seems only likely to grow.
CASE STUDY: SMITHS
With five divisions including aerospace, specialty engineering and security screening, global engineering group Smiths's security needs vary from "the sublime to the ridiculous", according to Dave Southwood, group infrastructure and IT security manager. Its manufacturing division, which produces, among other things, seals for its aerospace products, clearly needs less security than divisions handling government contracts, and so had evolved security systems to match.
Six years ago, Smiths realised that the varying security arrangements across divisions were undermining those parts that had the tightest requirements. So the company chose to re-architect its security so that every division's network would have the same minimum standard as that needed by the most secure.
However, upon examining the staffing and skills levels required to provide this level of security, 24/7, across all its global offices, Smiths discovered that the cost would be prohibitive.
The company already had experience of outsourcing, having contracted MCI to look after its wide area network infrastructure. Smiths chose CyberTrust as its MSSP. Fundamental to the change was a reduction in the number of internet gateways from 150 to two to make it easier to control internet traffic. CyberTrust also set up firewalls, IDS, anti-virus and content filtering at the perimeter, all of which it manages.
"It's ideal for us," says Southwood. "Now, instead of chasing around updating AV and perusing firewall logs, we can spend more time looking at processes."
Southwood advises that to benefit from an MSSP, an organisation has to be happy with the provider, has to know what it wants and has to lay down an explicit list of requirements and service-level agreements from the beginning.
IBM AND ISS: WISE MOVE?
If there's one common theme to analysts' reactions to IBM's planned $1.3 billion (£700 million) acquisition of security vendor ISS, announced in August, it's slight bafflement. Khalda Parveen, senior research analyst at Gartner, comments: "I get it from the services perspective, but not the product perspective."
Similarly, Thomas Raschke at Forrester Research is sceptical of some parts of IBM's acquisition, yet thinks it's a good move on balance. "The threat protection angle was something IBM was lacking," he says. "Now the company is set to emerge as the most complete vendor in the security space."
Both Raschke and Parveen believe we'll have to wait until IBM has made clear what its plans are, particularly in terms of how it integrates ISS's products into its own portfolio, before we can predict what the company will do next.
Still, they expect a string of consolidations and acquisitions in the next few years. Some of this will purely be as a result of the maturity of the market. "If you're a successful MSSP and want to avoid being acquired, you'll probably have to focus on either a specific solution or vertical," says Parveen. "But it still doesn't mean you won't get bought."
But some acquisitions will be in response to IBM, with HP likely to look again at the MSS market. It may also prompt new entrants into the sector, she adds. "There's a need to get into IT services in general by telecoms companies, and with security a top concern for CIOs, this is going to be core."