Why Outsource?

by msecadm4921

Bruce Schneier, Chief Security Technology Officer BT, writes ahead of the Infosecurity Europe show this month.

More and more companies are outsourcing their network security. This trend is driven by one truism: there is no other way to deal with the shortage of skilled computer security experts, the increasing requirements for businesses to open their networks, and the ever-more-dangerous threat environment. For the Internet to succeed as a business tool, security has to scale. Outsourcing is the way to achieve that.

But if the decision to outsource network security is a difficult one, the decision of precisely what to outsource seems impossible. Managed security service companies can monitor your networks, manage your security devices, scan your networks, implement your security policies, install your security devices, and more. Other companies offer similar services, often tied to particular products or suites of products. And sometimes outsourced network security comes in a package with other outsourced network services.

On one hand, the promises of outsourced security are very attractive: the potential to significantly increase your network’s security without hiring half a dozen people or spending a fortune is impossible to ignore. On the other hand, giving over your network security to another company feels inherently risky.

In reality, there’s no dichotomy. Hiring a specialist organisation to handle your network security can be less risky than building your own expertise inside your company. And it most definitely can be both cheaper and more effective. You already understand why; you just might not have thought of it in terms of network security.

Arguments for outsourcing

The primary argument for outsourcing is financial: a company can get the security expertise it needs much more cheaply by hiring someone else to provide it. Take monitoring, for example. The key to successful security monitoring is vigilance: attacks can happen at any time of the day and any day of the year. While it is possible for companies to build detection and response services for their own networks, it’s rarely cost-effective.

Staffing for security expertise 24 hours and 365 days a year requires five full-time employees—more, if you include supervisors and escalation personnel with specialized skills. Even if an organization could find the budget for all of these people, it would be very difficult to hire them in today’s job market. But if you think hiring them is difficult, retaining them is an even harder challenge. Security monitoring is inherently erratic: six weeks of boredom followed by eight hours of panic, then seven weeks of boredom followed by six hours of panic. Attacks against a single organization don’t happen often enough to keep a team of the needed calibre engaged and interested. This is why outsourcing is the only cost-effective way to satisfy the requirements.

Medical care is a prime example of outsourcing that we can use for comparison. Everyone outsources healthcare, in the sense that we don’t act as our own doctor, nor does anyone hire a private personal doctor. Certainly cost is a factor in our decision to outsource, but there’s more to it than that. I may only need a doctor twice in the coming year, but when I need one I may need him immediately, and I may need specialists. Out of a hundred possible specialties, I may need two of them—and I have no idea beforehand which ones. I would never consider hiring a team of doctors to wait around until I happen to get sick, so I outsource my medical needs to my clinic, my emergency room, my hospital. Similarly, it makes sense for a company to outsource its network security needs to a variety of experts.

The benefits of security outsourcing are enormous. Aside from the aggregation of expertise, an outsourced monitoring service has other beneficial economies of scale. We can more easily hire and train our personnel simply because we need more employees and we can build an infrastructure to support them. We can learn from attacks against one customer, and use that knowledge to protect all of our customers. And from our point of view, attacks are frequent. Vigilant monitoring means keeping up to date on new vulnerabilities, new hacker tools, new security products, and new software releases. We can spread these costs among all of our customers.

To return to our medical care analogy, you get better medical care from a doctor that sees patient after patient, learning from each one. To an outsourced security company, network attacks are everyday occurrences and its experts know exactly how to respond to any given attack, because in all likelihood they have seen it many times before.

What to outsource

There are, however, limits on what you should outsource. The bottom line is that you won’t outsource everything, because some things just don’t outsource well. Things that don’t outsource well are often too close to your business, or they’re too expensive for an outsourcing company to deliver efficiently, or they simply don’t scale well. Knowing the difference is important.

Think about healthcare again. We all know what aspects of medical care we like: the ambulance picks us up in seconds and rushes us to the hospital, a team of medical experts spares no expense in running tests to figure out what’s wrong and in doing whatever it takes to cure us. And we all know what aspects we don’t like: ill-equipped and ill-staffed hospitals, HMOs telling us that we can’t have that particular test or that a specialist isn’t warranted in this case. The aspects of outsourced healthcare we like involve immediate access to experts. Any medical emergency requires experts, and the faster they can pay attention to us, the better off we’ll be. The aspects of outsourced healthcare we don’t like involve control of the process. Our healthcare is our responsibility, and we don’t want someone else making life and death decisions about us. Network security is no different. Outsource expert assistance: vulnerability scanning, monitoring, consulting, forensics. Don’t outsource control of the process.

An IT specialist can monitor networks. It can manage firewalls, IDSs, and IPSs and provide vulnerability scanning, e-mail scanning, and "clean-pipe" Internet connections. It has the expertise to deal with compliance issues. It can build a whole new security infrastructure for you from the ground up. In short, an outsourced IT specialist can take the problems of network security off the backs of a corporate IT department and let them focus on their strategic decisions.

What it cannot do is determine how an organisation’s IT security interacts with its business. For example, when a hacker is inside a corporate network, only the organisation can tell what the business ramifications of different responses are. An IT specialist can detect an insider attacking your network and find out what that insider is doing, but it won’t know whether the activity is malicious or authorized testing. Outsourced experts work best when they work with their customers, combining expertise with their knowledge of the business processes.

How to choose

Choosing an outsourcing partner is difficult, because it’s hard to tell the difference between good computer security and bad computer security. But by the same token, it’s hard to tell the difference between good medical care and bad medical care. If we’re not health experts ourselves, we can sometimes be led astray by bad doctors that appear to be good. So how do you choose a doctor? Or a hospital? I choose one by asking around, getting recommendations, and going with the best I can find. Medical care involves trust; I need to be able to trust my doctor.

IT security outsourcing is no different; you should choose a company you trust. To determine which one, talk with others in your industry or ask analysts. Go with the industry leader. In both security and medical care, you don’t use a little-known maverick unless you’re desperate. Watch companies that have conflicts of interest. Some outsourcers both sell products and offer managed security services. This worries me. If the service arm finds a problem with one of its products on my network, will the company tell me, or try to fix it quietly? If they discount their services in an attempt to sell products, who does their services division really work for?

In any outsourcing decision that involves an ongoing relationship, the financial health of the outsourcer is critical. Look for companies that are leaders in their field, have a strong history of security services, and don’t try to do everything.

Future of outsourcing

Modern society is built around specialization; more tasks are outsourced today than ever before. We outsource fire and police services, government (that’s what a representative democracy is), and food preparation (restaurants). In general, we outsource things that have one or more of three characteristics: they are complex, important, or distasteful. In business, we outsource tax preparation, payroll, and cleaning services. Outsourcing security is nothing new: all buildings hire another company to put guards in their lobbies, and every bank hires another company to drive its money around town.

Computer security is all three: complex, important, and distasteful. Its distastefulness comes from the difficulty, the drudgery, and the 3:00 a.m. alarms. Its complexity comes out of the intricacies of modern networks, the rate at which threats change and attacks improve, and the ever-evolving network services. Its importance comes from this fact of business today: companies have no choice but to open up their networks to the Internet.

Doctors and hospitals are the only way to get adequate medical care. Similarly, outsourcing is the only way to get adequate security on today’s networks.

BT Global Services is exhibiting at Infosecurity Europe 2009, the industry event on April 28 to 30 in its new venue Earl’s Court, London. The event provides a free education programme and exhibitors showcasing new and emerging technologies. For further information – visit
