When it comes to outsourcing security functions to a third party, look before you leap. That was the advice of users andanalysts at the Infosecurity Conference and Exhibition in New York last week.
Despite the apparent management benefits that can be gained by handing over security functions to service providers,companies are asking for trouble if they don't pay close attention to what they outsource, the terms and conditions oftheir contracts and to whom they outsource, said conference attendees.
"Most companies tend to outsource before they have thought through what they want," said Steve Hunt, an analyst at GigaInformation Group, during a conference session on the topic. "To some degree, all they are doing is surrendering theirsecurity [to service providers]."
The concerns come at a time when a growing number of corporations are looking to hand over security tasks to serviceproviders. The market for managed security services is expected to top $US17 billion by the end of 2004 as a result of adeepening skills shortage and the complexity of managing enterprise security environments, according to InternationalData Corp.
The focus of many outsourcing arrangements is usually on protecting against viruses, worms and malicious hackers, ratherthan on addressing business concerns such as financial loss or a compromise of customer privacy as a result of asecurity breach, Hunt said.
"The whole concept has been on building a security bubble around all your IT assets," said Edward Carubis, CIO at NewYork City's Department of Health.
Most outsourced services are directed at building defences such as firewalls and intrusion-detection services from thenetwork perimeter in. Instead, the effort should be on "building out your defences from the inside" by focusing on eachinformation asset, Carubis explained.
It's also important to distinguish between tactical and strategic security functions when outsourcing, according toSusan Read-Miller, an analyst at eSecurity Online, a security services subsidiary of Ernst & Young.
For instance, a firewall that functions as the last line of defence in front of a vital database is strategic, but afirewall at the outer perimeter of a network isn't and may be outsourced, Hunt said.
He suggested that companies pay attention to the following things when outsourcing their security functions:
* Outsource only the tactical and temporary tasks. Any security function that involves the protection of strategicassets needs to be kept in-house.
* Review all terms and conditions as well as service-level agreements. Try to avoid long-term contracts.
* Avoid conflicts of interest when signing up with service providers. For instance, don't let firewall services behandled by the same vendor that provides intrusion-monitoring services. Use separate vendors for vulnerability analysisand penetration testing.
* Use due diligence. For example, before forking out large sums of money for vulnerability assessments, be sure to takeobvious steps such as patching software, ensuring strong passwords and closing open ports. Only then hire avulnerability assessment service to find out if anything has been missed.
* Check the vendor. Ask for references, and make sure the company has a specific understanding and knowledge of yourbusiness.