In Outsourcers We Trust
Companies may put business partners' security under scrutiny, but many IT and business leaders acknowledge they can't always keep that information secure internally, at least not without help from outside experts.
More than half (52 percent) of survey respondents said that outsourcers, also known as managed security service providers (MSSPs), are important or very important to accomplishing their security objectives. Another 19 percent said outsourcers play some role. Meanwhile, more than 30 percent cited outsourcing of some or all security functions, such as e-mail filtering and management of application firewalls, as a top priority in the next 12 months, up from 18 percent a year ago.
While these numbers don't represent a tidal wave of change since last year, Lobel says they do signal a shifting of the winds.
The greater interest in outsourcing "is an outcome of the cut in IT services," he says. For example, companies are no longer as willing to pay someone in-house to monitor security operations overnight when a vendor can do it for less. "The cost of doing a bad job in-house is cheaper than what vendors will charge you, but the cost of doing security really well in-house is more expensive than what vendors will charge," Lobel says.
Companies realize it's better to put security in the hands of those who are immersed in it, says Warren Axelrod, a former CSO and author of the book Outsourcing Information Security. "If you need surgery, you would rather go to a surgeon who does five of these procedures a day instead of one a month."
More than 30 percent of survey respondents are making outsourcing an important priority so they can establish security safeguards that aren't currently in place, including functions such as e-mail filtering and penetration testing. Meanwhile, 60 percent said they already outsource the secure disposal of technology hardware and 59 percent said they've delegated administration of password resets. In the areas of strategy and standards, 32 percent said they have outsiders helping them establish security baselines for external partners, suppliers and other IT vendors. Twenty-four percent outsource their centralized security information-management procedures.
Family Dollar's Jewett says his company has hired a variety of service providers to execute and audit portions of its security program. He declined to go into detail about which items he outsources and why, but he says the company bases such decisions on the following criteria: its own assessment of internal skills and resources, the relative cost of outsourcing versus keeping the work in-house, the need for segregation of duties, and risk assessments.
Without a dedicated IT security team at USTA (the function is among the responsibilities of its director of technology and operations), Bonfante relies on MSSPs to handle such tasks as Web monitoring and filtering, e-mail scanning and storage surveillance. He expects to outsource additional security functions in the coming year, though he's not ready to outline specifics.