But Lambeth, vice president of IT at Blackboard Inc., a $111.4 million e-learning company in Washington, D.C., and Casteel, vice president of management information systems at Bel Air, Md.-based nonprofit Upper Chesapeake Health, found themselves increasingly bogged down with those security management tasks. The time had come to consider outsourcing them.
"Security and compliance require more specialized expertise, and it makes more sense to outsource that so the staff can stay focused on the core business objectives," says Lambeth, who uses four service providers to help his business handle security.
"Keeping it in-house gives us more control," says Upper Chesapeake Health CFO Joseph Hoffman, who says he trusts Casteel's team to get the job done.
Those familiar outsourcing arguments belie the complexity of the evaluations and technologies that drove the respective decisions of these organizations. For today's IT executive, there are no easy answers; heightened criminal activity and intense scrutiny from external auditors put the business at risk day after day. Still, analysts say outsourcing will become increasingly prevalent for labor-intensive activities such as monitoring and for expertise needed to comply with specialized regulations.
Indeed, of the four IT executives featured in this story, all but Casteel say they've embarked on some level of security outsourcing. They have plenty of company. In North America, according to Stamford, Conn. research firm Gartner Inc., the managed security service provider (MSSP) market reached $900 million in 2004. The firm predicts it will grow another 18% by 2008. Boston-based Yankee Group Research Inc. estimates that the global MSSP market will grow from $2.3 billion in 2004 to $3.7 billion in 2008. In a report last year, the firm also predicted that by 2010 most companies will outsource 90% of their security functions. The most commonly targeted will be firewall management and monitoring networks for abnormal activity or software vulnerabilities.
IT executives and analysts agree that a company should never outsource certain security activities: setting and enforcing policies, monitoring communications and staff behavior, and tracking intellectual property. Other tasks are more easily handed over: sifting through vulnerability alerts, scanning the network perimeter and managing the firewall, among them.
The first items to outsource are the things you have trouble keeping up with, says Gartner analyst Kelly Kavanagh. "For example, let's say you realize you'll never keep up with the variety of vulnerability announcements coming out, and you'll never keep up with the onslaught of IDS [intrusion detection system] signatures. That's safe to outsource." It's a plus to do so, he adds, because once an outsider helps a company sift through all those reports, the in-house IT staff can patch systems and block suspicious network activity faster and more efficiently and then move on to other things.
Here's a look at four organizations and their outsourcing decisions. Bottom line: While the MSSP decision is highly individualized and will always carry risks, CIOs who have handed over even a portion of their security don't seem to be having second thoughts.
Outsourcing: E-mail filtering, intrusion prevention, network scanning and security assessment
Blackboard's e-learning product is essentially a templated, hosted intranet that professors can use to communicate and share files with their students. Professors can post lecture notes, students can share files for group projects, and groupware enables virtual classes, live chat and other features. It currently has more than 12 million users across the globe and is looking to grow.
The emphasis on growth is part of why Lambeth and CFO Peter Repetti opted for outside security help. It would let the company's IT staff zero in on business-building projects. "I have an IT staff of 17, and I want them spending most of their time engineering the infrastructure and applications to help us grow," Lambeth says. "Security and compliance require more specialized expertise, and it makes more sense to outsource that so the staff can stay focused on the core business objectives." Those objectives include constructing a fiber optic network to connect Blackboard's Washington, D.C., headquarters to the data centers of its application service providers and deploying voice over IP globally.
The company's global scope, in fact, was another reason to outsource. "You have to consider other security requirements in other parts of the world -- the [European Union] privacy laws, for example," Repetti says. "An outside entity can keep track of those global regulatory requirements and help us integrate them into our process."
Founded in 1997, Blackboard uses a host of IT providers already. Likewise, Lambeth and Repetti found they needed more than one MSSP to take on their security and compliance needs. Blackboard's projects fell into four categories: e-mail filtering, network security, vulnerability scanning and an annual security assessment. That variety ultimately led to hiring four MSSPs.
For e-mail filtering, Lambeth and his team had to decide what type of mail should be blocked as spam and what should be let through. The company hired Quatro Systems Inc. of Horsham, Pa., to weed out unsolicited junk messages, which can clog e-mail servers, while allowing legitimate e-mail to pass through more quickly.
On the network side, Lambeth was aware of the resources required to monitor the logs of network activity generated by firewalls, IDS machines and other devices and to stay on top of the latest exploits out there. "We need a constant focus on the newest and greatest threats at any given point in time," Lambeth says. "That really requires a sizable investment in people infrastructure. It's easier for us to rely on an organization that understands and specializes in that threat than to make the investment in-house as a small company."
So Blackboard hired Mountain View, Calif.-based Counterpane Internet Security Inc. to provide around-the-clock IDS services. "Counterpane can survey all the potential threats worldwide," Lambeth says. "They can provide a much wider, more current view of the threats. That's something we can't do, because it's not our focus." Vulnerability scanning is an important part of Blackboard's efforts to comply with regulations such as the Sarbanes-Oxley Act and the Payment Card Industry's (PCI) Data Security Standard. "We process credit card transactions and need to be PCI-compliant to conduct business," Lambeth says. "This requires a scan of our entire security posture to ensure there are no vulnerabilities." The company hired Chicago-based AmbironTrustWave for this.
Blackboard uses yet another company to check up on these outsourcers by performing an annual assessment of both physical and IT security. "We don't tell the other parties the test is going on to ensure they are being effective," Lambeth says. For these assessments, the company turns to Jefferson Wells International Inc. in Brookfield, Wis.
So how has the IT staff taken this shift of its security responsibilities?
"Overall, the IT staff has worked well with outside contractors," Lambeth says. "Never have we transferred labor from the internal IT staff. As an IT leader, you have to make sure the staff understands why you're doing this and that they are focused and on board. It frees them up to get trained on upcoming technology and challenges. They can focus on the next engineering challenge."
Repetti says Blackboard's IT staff also wins because it learns from the outsiders. "These providers let us leverage the strengths of our in-house staff and allow our IT staff to gain the collective knowledge of experts," he says.
UPPER CHESAPEAKE HEALTH
Sector: Health care
Founded in 1984, Upper Chesapeake Health manages two hospitals, a hospice and a foundation in Harford County, Md. After analyzing various scenarios, IT executive Casteel and CFO Hoffman eventually decided the nonprofit would be better off managing security and compliance in-house.
Unlike Blackboard, Casteel's IT shop isn't involved in projects that generate revenue. As he describes it, its mission is to support the needs of doctors, nurses, lab technicians and ultimately the patients by keeping the network running smoothly. Monitoring potential threats and making the network compliant with the Health Insurance Portability and Accountability Act (HIPAA) are a natural part of that, he says. Further, some IT staff specialize in security, so it made more sense to invest in the necessary tools.
"We control our destiny," says Hoffman. "With outsourcing, sometimes these companies don't know the players and the process, and they have to start from scratch. That can complicate the process. From my perspective, I'm confident in [Casteel's] expertise and that of his department. If there's a team in place that can meet the goal, I'm inclined not to go looking for outside help."
Despite the number of vendors and technologies out there, Casteel isn't intimidated. He's found that as security technology has become more sophisticated, it has also become easier to install and manage. "Five years ago, we'd be scratching our heads, wondering if we could ever manage without going outside," Casteel says. "But it has gotten easier."
His budget includes about $300,000 of the company's $100 million annual operating budget for equipment and software and at least another $300,000 for ongoing expenses, including salaries. Casteel also has a full-time network security engineer position, which he added to his 21-person IT team when the organization decided to handle its own security.
To harden the network against security threats and comply with HIPAA and the Joint Commission on Accreditation of Healthcare Organizations, Casteel had to centralize the logs flowing from devices across the network. "HIPAA is all about having a centralized process to monitor and log behavior," Casteel says. "Across all devices in our network, there are millions of events a day. Devices across the organization have their own auditing systems." To build a centralized monitoring and auditing system, Casteel chose a security information manager, a box that aggregates reporting from all devices on a network, from TriGeo Network Security Inc. of Post Falls, Idaho. "When you can literally -- through one source -- watch all the events on all the systems on your network, that just seemed to be an economics of scale we weren't going to get by just throwing personnel at the issue," he says, adding that the tool has also made it easier to keep an audit trail.
Though his organization doesn't get any security help from MSSPs, Casteel says it would be wrong to think Upper Chesapeake exists in a cocoon. "Everyone puts some degree of trust in outsiders," he says. "If you have an antivirus program, you're relying on someone like McAfee." And if you're using a security management appliance, you're still relying on a vendor like TriGeo, he adds.
This was first published in August 2005