Why outsource network security‾

Bruce Schneier/CTO, BT
14 Apr 2009
00:00
News
Stories

More and more companies are outsourcing their network security. This is because there is no other way to deal with the shortage of skilled computer security experts, the increasing requirements for businesses to open their networks and ever-more-dangerous threats. For the internet to succeed as a business tool, security has to scale.

Outsourcing is the way to achieve that.

Arguments for Outsourcing

The primary argument for outsourcing is financial: a company can get the security expertise it needs much more cheaply by hiring someone else to provide it. Take monitoring, for example. The key to successful security monitoring is vigilance: attacks can happen at any time of the day and any day of the year. While it is possible for companies to build detection and response services for their own networks, it\'s rarely cost-effective.

Staffing for security expertise 24 hours a day and 365 days a year requires five full-time employees - more, if you include supervisors and escalation personnel with specialised skills. Even if an organization could find budget for all of these people, it would be very difficult to hire them in today\'s job market.

Security monitoring is inherently erratic: six weeks of boredom followed by eight hours of panic, then seven weeks of boredom followed by six hours of panic. Attacks against a single organisation don\'t happen often enough to keep a team of the needed calibre engaged and interested.

Aside from the aggregation of expertise, an outsourced monitoring service has other beneficial economies of scale. We can more easily hire and train our personnel simply because we need more employees and we can build an infrastructure to support them. We can learn from attacks against one customer, and use that knowledge to protect all of our customers.

And from our point of view, attacks are frequent. Vigilant monitoring means keeping up to date on new vulnerabilities, new hacker tools, new security products, and new software releases. We can spread these costs among all of our customers.

What to Outsource

There are limits on what a company should outsource. Things that don\'t outsource well are often too close to the business, or they\'re too expensive for an outsourcing company to deliver efficiently, or they simply don\'t scale well. Knowing the difference is important.

Outsource expert assistance: vulnerability scanning, monitoring, consulting, forensics. Don\'t outsource control of the process.

An IT specialist can monitor networks. It can manage firewalls, intrusion detection and intrusion prevention system plus provide vulnerability scanning and e-mail scanning, and "clean-pipe" internet connections. It has the expertise to deal with compliance issues. It can build a new security infrastructure from the ground up. In short, an outsourced IT specialist can take the problems of network security off the backs of a corporate IT department and let them focus on their strategic decisions.

What it cannot do is determine how an organisation\'s IT security interacts with its business. For example, when a hacker is inside a corporate network, only the organisation can tell what the business ramifications of different responses are. An IT specialist can detect an insider attacking your network and find out what they are doing, but they won\'t know whether he\'s malicious or performing authorised testing.

Related content

Comments
No Comments Yet! Be the first to share what you think!