CIO Decisions Magazine Archives

Security Outsourcing Grabs Hold

by Bill Brenner


CERTEGY INC.
Sector: Financial processing
Outsourcing: Network monitoring and auditing

Wayne Proctor is chief information security officer for Certegy Inc., a $1 billion St. Petersburg, Fla., company that provides credit card processing, check risk management and other services to financial institutions, retailers and consumers worldwide. Like Blackboard, Certegy ultimately determined some security outsourcing was necessary.

"It comes down to cost," Proctor says. "We'd like to do it ourselves, but monitoring software can get expensive. The biggest cost of in-house monitoring would be salary. You also need a third party for auditing. No one would respect the results unless it was [from] a third party. With security, there's too much risk and cost when you don't outsource some of it." Proctor declined to name specific MSSPs his company uses. But when shopping for the right provider, he says, "I value the well-established companies, those with a well-known and respected name in the industry. It's also important that they have multiple locations so if you need help and can't reach people in one center, you can get help from another center."

While he says network monitoring and auditing are appropriate for outsourcing, Proctor, who has several hundred IT staff, will go only so far. "I'm against outsourcing strategic controls," he says, meaning the company's security policies, employee awareness programs and actual control of network devices. "All our security tools, policies and procedures we maintain ourselves." It's helpful to have someone on the outside monitor network activity for suspicious patterns you might not recognize on your own. But in the end, the IT staff must have its hands on the controls, he says, adding, "That's the line we draw."

Gartner analyst Kavanagh believes that's a wise approach. "You should never leave outsiders to decide who to let on the system and how much access to give them. You should never leave it to an MSSP to write your user policies. An outsider can help you understand what the appropriate tech policies might be, but the company needs to write the policies and enforce them."

IT executives who put those strategic controls in outside hands risk becoming detached from the threats they face, Kavanagh adds. In-house IT staff might not be able to manage a security crisis on its own if it had to. "Giving up too much control means you don't have a good view of what your security situation is, because the in-house IT staff becomes too disconnected," Kavanagh says. "Typically, an MSSP doesn't make decisions on your behalf. They recommend a course of action and implement what you tell them they can implement. Here the danger is that you don't understand the implications of what the MSSP is recommending. That's why you'll always need in-house expertise."

Yankee Group analyst Phebe Waterfield agrees. If Yankee Group's 90% prediction is realized, she says the 10% of activities that remain in-house will include setting policies, monitoring communications and staff behavior, and tracking intellectual property.

CAPITAL IQ
Sector: Financial services
Outsourcing: Network monitoring, firewall management and IDS services

Ken Pfeil is chief security officer for Capital IQ, a New York-based division of Standard & Poor's and part of the $5.2 billion McGraw-Hill Companies. Capital IQ has a total of 1,100 employees, with 30 to 35 of them in the IT department. It also has an annual IT budget of up to $3 million with security accounting for 9% to 11% of that. The percentage includes spending for security outsourcing.

For network monitoring, firewall management and IDS, the company turns to Getronics in Billerica, Mass. "With firewall and IDS management, it makes more fiscal sense for us to outsource," Pfeil says.

The company also gets outside help on its application security. "We have someone come in, look at our applications and help us code more securely," he says. Two companies assist with that: New York-based Immunity Inc. and NT OBJECTives Inc. of Irvine, Calif.

"One of the risks of doing everything in-house is that you'll run into employee burnout," Pfeil says. "There are also the costs of training and technology and the cost of adding bodies. We're in a fast-paced environment and the tools and expertise of today could be obsolete tomorrow."

But he agrees you can't turn everything over to MSSPs. In fact, his in-house IT staff handles some tasks most enterprises are outsourcing. For starters, while MSSPs can sort out the mountain of network vulnerability reports and determine when there are patches or configuration workarounds to be had, Pfeil says his staff handles that on its own.

And while many enterprises look for outside help on regulatory compliance, Capital IQ shows it isn't always necessary.

"We've been hit with all sorts of regulations. Before S&P acquired us, we were affected by Sarbanes-Oxley. Now we're also under Gramm-Leach-Bliley and SEC regulations," Pfeil says. "But for now, we can handle compliance in-house. We don't have a complex environment, and the corporate office has been very clear about who is responsible for what. There are clear and concise goals and objectives and officers whose job is to know the regulations. That's been key."

Bill Brenner is a former news writer for SearchSecurity.com, a sister site to CIO Decisions. To comment on this story, email editor@ciodecisions.com.

All Rights Reserved, Copyright 2007 - 2009, TechTarget