The decision to outsource IT systems is often made on the basis of cost and convenience. In the security game, however, outsourcing has become a necessity.
Information security has become an issue no executive can afford to ignore. It is no longer a subject restricted to the hallowed halls of the IT department, but has become an integral facet of good corporate governance. And no longer is it something that companies can manage on their own, effective risk management processes require organisations take drastic steps to control data access and availability.
Of course, certain companies, such as banks are loathe to outsource their security, for obvious reasons. On the whole, however, buying security services from outsourced providers is an accepted and in the opinions of some, necessary part of doing business.
Patrick Evans, regional director of Symantec Africa says information security has simply become a cost of doing business in today's world. Organisations must assess the risk management implications of their business practices and decide what to do to mitigate that risk in accordance with the company's core business. In some instances, this will mean handling certain security processes in-house, while an external managed security service provider will deal with others.
Patrick Evans, regional director of Symantec Africa
Clint Carrick, CEO of Carrick Holdings warns that the decision to go it alone or outsource is dependent on more than just cost. Security is a partnership and its effectiveness is directly related to shared risk, policy application, as well as a proactive approach to the balance between people and technology.
Clint Carrick, CEO of Carrick Holdings
"Many people are under the misperception that outsourcing to a security partner equates to handing over the entire risk of the organisation. In fact, the true value of a trusted security partner is not only derived from direct services, but in helping to spread awareness and appreciation of best security practices throughout the company."
"IT security is not something that can be purchased, installed and then be expected to secure an environment," says Dries Morris, director of Securicom. "The security market is a constantly moving and evolving entity that needs 24x7 monitoring. There is often an overemphasis on security products when the focus should really be on the total solution."
Brett Casey and Dries Morris of Securicom
"The system works best when all stakeholders participate," concurs Carrick. "Technology can take an organisation to a certain level from the point of view of safety and protection, and while the knowledge and understanding of security software has increased substantially, there is still a human element involved in technology integration and use."
The point all players agree on, although one may expect them to, is that effective security requires a combination of internal and third party expertise. Traditional security tools, such as anti-virus and desktop firewalls should be managed internally, with the ability to allow the managed service provider to provide updates and patches if the organisation's Internet connection is down as a result of a denial of service attack or the like.
Keeping the staff on board to handle the steady flow of Trojan, virus and spyware threats is a very expensive option, even more so when considering the more malicious threats and vulnerabilities companies face today that require constant monitoring. Morris points out that security is a moving target with new threats and vulnerabilities cropping up on a daily basis and believes that the only way to deal with them is to introduce the human element into a multilevel solution.
"The fact that the threats we are faced with today are continually evolving makes it imperative to have various layers of security, starting at the ISP, all the way down to desktop-level policies, anti-virus and data protection (encryption). But it is even more important for companies to have a dedicated resource that understands the solution, has an exceptional understanding of their specific environment and business requirements and, of course, someone who is capable of monitoring, managing and pro-actively participating in their security around the clock."
Using a third party that focuses on keeping current with the security industry for multiple clients, spreads the cost across many companies while automated mechanisms keep everyone as safe as is possible - 100% security can never be guaranteed.
To do it all in-house would, at a minimum, require the company to employ a firewall administrator, a 24-hour post that requires three people to fill three eight-hour shifts. Then a firewall analyst is required to review the networks for potential threats and mitigate any risks. "The best possible protection for any organisation or business is to be up-to-date on existing vulnerabilities," adds Carrick.
Ultimately, the decision to proactively manage security in-house equates to three times the premium that would be required by an outsourced partner. In making the decision, consider what the organisation's biggest asset is and how much it would cost if that asset was compromised in any way.
The question of return on investment (ROI) always pokes its head up when looking at IT investments, even security. Is effective risk management and compliance, or perhaps not losing your company's customer databases or intellectual property (IP) not enough justification for spending on managed security (which is substantially less costly versus the cost of doing it all internally, according to Evans).
"It never ceases to amaze me that companies demand an ROI from IT security, yet they spend hundreds of thousands on insurance, security guards and sophisticated alarm systems, but never lay claim to ROI on any of these," Morris adds.
Fortunately, ROI is easily demonstrated for managed service providers. "We do not have to sell managed security services through scare tactics and 'what if you do not have it' scenarios," explains Brett Casey, CEO of Securicom. "Simply putting ROI planning down on paper is enough to convince executives in companies of all sizes to opt for managed services, it is a no brainer."
Making use of managed security service providers does not allow organisations to abdicate responsibility for handling their own security. Internal security officers must still retain control and work closely with their outsourcing providers to ensure a seamless security service, consisting of in-house and managed services, providing the risk management particular to the organisation. Managed services are simply a more effective as well as a more responsible way for organisations to meet cost-control goals while focusing on their core business, even as security professionals offer the services they do best.
84% suffered a security breach in the past year
CA has announced a new security survey of 642 large North American organisations which shows that more than 84% experienced a security incident over the past 12 months and that the number of breaches continues to rise.
According to the findings, security breaches have increased 17% since 2003. As a result, 54% of organisations reported lost workforce productivity; 25% reported public embarrassment, loss of trust/confidence and damage to reputation; and 20% reported losses in revenue, customers or other tangible assets. Of the organisations that experienced a security breach, 38% suffered an internal breach of security.
In addition, the findings indicate that security is not being taken seriously enough at all levels of an organisation, especially in the financial service industry. Nearly 40% of respondents indicated that their organisations do not take IT security risk management seriously at all levels, while 37% believe their organisation's security spending is too low. Only 1% believe it is too high.
Despite these findings, the survey revealed that organisations are taking steps to improve security. The three most important cited security steps were documenting security policies (88%), creating security education policies for employees (83%) and creating a chief information security officer position (68%).
The survey also found that a lack of centralised security administration is affecting employee productivity. Only 6% of the organisations were able to provide new employees or contractors with access to all the applications or systems they require on their first day of work.
"These survey results demonstrate that even though organisations are investing in security technologies, they still are not achieving the results they seek," said Toby Weiss, senior vice president and general manager of CA's Security Management Business Unit. "Clearly, more work needs to be done in terms of both improved security management itself and better education of business users about the importance of IT security best practices."
The survey also found that organisations are turning towards identity and access management (IAM) technology to improve security, enable regulatory compliance and reduce costs. More than 75% of the organisations surveyed have implemented some form of IAM functionality and are continuing with IAM investments, with an additional 18% planning to begin rolling out an IAM solution or extend their IAM deployments over the next 12-18 months.