You are on page 1of 13

The Case for Outsourcing Security

By Bruce Schneier Security and Privacy: Building Confidence in a Networked World Supplement to IEEE Computer Magazine 2002 Deciding to outsource network security is difficult. The stakes are high, so it's no wonder that paralysis is a common reaction when contemplating whether to outsource or not: The promised benefits of outsourced security are so attractive. The potential to significantly increase network security without hiring half a dozen people or spending a fortune is impossible to ignore. The potential risks of outsourcing are considerable. Stories of managed security companies going out of business, and bad experiences with outsourcing other areas of IT, show that selecting the wrong outsourcer can be a costly mistake. If deciding whether to outsource security is difficult, deciding what to outsource and to whom seems impossible. Over the past few years, we've seen many different companies offering different capabilities under the general category of managed security services. The field is so confusing that even the industry analysts can't agree on how to categorize the services offered. This company manages firewalls. That company offers periodic vulnerability scans. Another offers to manage security policies, or monitor the network, or install the IDS, or host the computers. Some of these businesses make sense, and some of them don't. Some will survive; some won't.

What to outsource
Companies won't outsource everything, because some things just don't outsource well. Either they're too close to the business, or they're too expensive for an outsourcing company to deliver efficiently, or they simply don't scale well. Knowing what to outsource is key.

Medical care is a prime example of outsourcing that works well. Everyone outsources healthcare; we don't act as our own doctor. More to the point, no one hires a private personal doctor. And we all know what aspects of medical care we like: the ambulance arrives in seconds and rushes us to the hospital, a team of medical experts spares no expense in running tests to figure out what's wrong and in doing whatever it takes to cure us, and (for many people) the insurance company pays (all or most of) the bill. We all also know what aspects we don't like: ill-equipped and ill-staffed hospitals, HMOs telling us that we can't have that particular test or that a specialist isn't warranted, and getting stuck with an outrageous bill. The aspects of outsourced healthcare we like involve immediate access to experts. Any medical emergency requires experts, and the faster they can pay attention to us the better off we'll be. The aspects of outsourced healthcare we don't like involve management. Our healthcare is our responsibility, and we don't want someone else making life and death decisions about us. Network security is no different. Companies should outsource expert assistance: vulnerability scanning, monitoring, consulting, and forensics, for example. But they should not outsource management. The industry has already proven this point. Salinas Network Services was the largest firewall management company. Earlier this year, it disappeared. There just wasn't a profitable business in managing firewalls for other companies. Firewall management is simply too centralcompanies outsourcing to Salinas had no choice but to treat their Salinas contractors as employees. And, for the money they were willing to pay, the companies demanded too much individual attention. Another example: Pilot Network Services offered secure network management. Its business was to host computers securely, manage all security devices, and test applications before putting them up on the network, effectively becoming the security management group. They're gone now too same problem. Some consulting companies are doing well and some are not. This is primarily a function of the quality of the service they offer.

Consulting is, and always will be, a profitable business. Outsourcing occasional requirements for expertise transcends any single area. The outsourced security companies that are doing well offer clearly defined services organizations need. For example: Consulting companies (such as VeriSign, @Stake, Foundstone) provide expert advice and assistance: strategic security consulting, penetration testing, forensics, and so forth. Security Value-Added Resellers (VARs) provide product installation and configuration. TruSecure provides certification and expert assistance. Qualsys has an automatic vulnerability scanning service. Counterpane provides network security monitoring. In all of these cases, the company buying the security services retains management and ultimate control. Conversely, by not demanding a management role, the security providers offer useful, effective, and scalable services. Both win.

Why outsource security

The primary argument for outsourcing is financial: a company can get the security expertise it needs much more cheaply by hiring someone else to provide it. Take monitoring, for example. The key to successful security monitoring is vigilance: attacks can happen at any time of the day, any day of the year. While it is possible for companies to build detection and response services for their own networks, it's rarely cost-effective. Staffing for security expertise 24 hours a day, 365 days a year, requires five full-time employeesmore when you include supervisors and backup personnel with specialized skills. Even if an organization could find the budget for all of these people, it would be very difficult to hire them in today's job market. Retaining them would be even harder. Security monitoring is inherently erratic: six weeks of boredom followed by eight hours of panic, then seven weeks of boredom followed by six hours of panic. Attacks against a single organization don't happen often enough to keep a team of this caliber engaged and interested.

This is why outsourcing is the only cost-effective way to satisfy the requirements. Think about healthcare again. I might only need a doctor twice in the coming year, but when I need one I might need him immediately, and I might need specialists. Out of a hundred possible specialties, I might need two of themand I have no idea beforehand which ones. I would never consider hiring a team of doctors to wait around until I happen to get sick. I outsource my medical needs to my clinic, my emergency room, my hospital. Similarly, companies will outsource network security monitoring. Aside from the aggregation of expertise, an outsourced monitoring service has other economies of scale. It can more easily hire and train personnel, simply because it needs more employees. And it can build an infrastructure to support them. Vigilant monitoring means keeping up to date on new vulnerabilities, new hacker tools, new security products, and new software releases. Outsourced security companies can spread these costs across all customers. An outsource company also has a much broader view of the Internet. It can learn from attacks against one customer, and use that knowledge to protect all its customers. It also faces attacks much more frequently. No matter how wealthy we are, we don't hire a doctor to sit in our living room, waiting for us to get sick. We get better medical care from a doctor who sees patient after patient, learning from each one. To an outsource security company, network attacks are everyday occurrences; its experts know exactly how to respond to any given attack, because in all likelihood they have already seen it many times before.

How to choose an outsourcer

It is difficult to choose an outsourcer because it's hard to tell the difference between good and bad computer security. By the same token, it's hard to tell the difference between good and bad medical care. Because most of us aren't healthcare experts, we can sometimes be led astray by bad doctors who appear to be good. So how do we choose a doctor or a hospital? I choose one by asking around, getting recommendations, and going with the best I can find. Medical care involves trust; I need to be able to trust my doctor.

Security outsourcing is no different; companies should choose an outsourcer they trust. Talking with others and asking industry analysts will reveal the best security service providers. Go with the industry leader. In both security and medical care, you don't want a little-known maverick. Companies buying security services should also avoid outsourcers that have conflicts of interest. Some outsourcers offer security management and monitoring. This worries me. If the outsourcer finds a security problem with my network, will the company tell me or try to fix it quietly? Companies that both sell and manage security products have the same conflict of interest. Consulting companies that offer periodic vulnerability scans, or network monitoring, have a different conflict of interest: they see the managed services as a way to sell consulting services. (There's a reason companies hire outside auditors: it keeps everyone honest.) Outsourcers offering combined management and monitoring services will be among the next to disappear, I believe. If a company outsources security device management, it is essential that it outsource its monitoring to a different company. In any outsourcing decision requiring an ongoing relationship, the financial health of the outsourcer is critical. The last thing anyone wants is to embark on a long-term medical treatment plan only to have the hospital go out of business midstream. Similarly, organizations that entrusted their security management to Salinas and Pilot were left stranded when those companies went out of business. Modern society is built around specialization; more tasks are outsourced today then ever before. We outsource fire and police services, government (that's what a representative democracy is), and food preparation. Businesses commonly outsource tax preparation, payroll, and cleaning services. Companies also outsource security: all buildings hire another company to put guards in their lobbies, and every bank hires another company to drive its money around town. In general, we outsource things that have one of three characteristics: they're complex, important, or distasteful.

Computer security is all three. Its distastefulness comes from the difficulty, the drudgery, and the 3 a.m. alarms. Its complexity comes out of the intricacies of modern networks, the rate at which threats change and attacks improve, and ever-evolving network services. Its importance comes from this fact of today's business world: companies have no choice but to open their networks to the Internet. Doctors and hospitals are the only way to get adequate medical care. Similarly, outsourcing is the only way to get adequate security for today's networks.

Advantages and Disadvantages of Outsourcing Security Guard Services

Posted on: February 28th, 2012 by Administrator 1 Comment Are you thinking about hiring a security guard company at your business? Outsourcing your security guard services offers a lot of freedom and flexibility. However, there are a few potential disadvantages. When considering outsourcing security guard services, youll want to map out the advantages and disadvantages. Take a look at this list to determine if outsourcing security guard services is right for your business. Advantages to Security Guard Outsourcing

You can focus more on your business. You no longer have to worry about the day-to-day management of security. Theres a big cost savings by outsourcing. You can spend that savings on other parts of your business. You save money because you no longer have to pay for uniforms, equipment and other overhead costs. Productivity and efficiency will improve at your business because there is one less thing that you have to regularly worry about.

You have more time to focus on areas that will grow your businessbecause you dont have to be concerned about the management of security guards. With outsourcing, you dont waste dollars. You can hire a company forevent security for a single occasion or use mobile security patrols whenever you need them. You are only paying for what you need, when you need it. An outsourced company most likely will have the latest security technology (patrol cars, communication systems, etc.). Best of all, you dont have to make the upfront investment in buying all of that stuff. With an outsourced security guard company, youre buying expertise at a low price. It would cost you a lot of money to buy that expertise on your own. Outsourcing can provide continuity. You dont have to worry about security guard turnover and guard sick days when you go with a reliable security guard company.

Disadvantages to Security Guard Outsourcing

Loss of management control. You will no longer be controlling the day-to-day security guard management. Management problems can arise if you hire a security guard company that does not have a lot of

experience. You can prevent this by researching for the best company.

If you hire an inexperienced company, you may have difficulties communicating objectives to them. Some companies my have hidden costs involved with their services. Try to find a company that tells you upfront what youre going to pay. Inexperienced companies will lack the professionalism needed. You can combat against this by seeing and talking with some of their activeduty security guards. If they dont seem professional, go with another company.

When deciding whether or not to hire a security guard company, be sure to do your homework. Take your time to do your own personal analysis of the advantages and disadvantages for your business. Be sure to consult with staff and personnel at your business. Finding the right options to protect your business is an important decision. Be patient and consistent throughout your search and youll find the best choice for your business.

Why Outsourcing Security Guard Services is a Very Good Idea

Posted on: February 28th, 2012 by Administrator 2 Comments More and more businesses are outsourcing private companies to help them with their security guard needs. There are lots of reasons that many of the top companies outsource their security guard services. This article will provide you with some of the most important benefits that come with outsourcing security guard services. Benefit #1 Transfers Risk When you outsource security guard services, youre transferring some of the liability risk to the security guard company. A licensed security guard company should have the expertise and experience to avoid potential risks. They are also insured to cover all sorts of problematic scenarios. Is your company properly insured to handle potential risks? Its a safer option to outsource your security guard services rather than take it on all by yourself. Benefit #2 Get Great Service at a Reasonable Price You get world-class security at the faction of a price it would cost you to do it yourself. Thats because you dont have to worry about the startup costs.

The private security guard company handles the start-up costs associated with hiring security guards as well as purchasing equipment and uniforms. Thats a big savings for your company. Benefit #3 Allows You to Focus on What You Do Best When you outsource, you no longer have to worry about the hiring, training and other administrative tasks that come with security services. Outsourcing allows you to focus on your company and what you do best. You shouldnt be wasting your hours managing and worrying about security. Leave it to the professionals, so you can have more time to focus on your business. Youll sleep a lot better at night knowing that professionals are protecting your business. Benefit #4 Increases Financial Flexibility Outsourcing security guard services helps to increase your financial flexibility. You no longer have significant portions of your budget tied to something that is not a main priority of your business. This allows you to invest more into whats most important for your business. Benefit #5 Improve Human Resources Workflow Your human resources department wont have to take on the additional responsibilities that come with more

employees. Youll keep your HR department in great shape. You wont have to take on additional human resource employees to handle the extra responsibilities and paperwork that come with more employees. Benefit #6 Increased Productivity Youll see productivity improvements across the board. Thats because youre no longer committing serious amounts of money and resources to security. By letting the outsourced company focus on the security guards, you can focus more on the important issues that will help your business get ahead. Benefit #7 Starting Up is a Breeze When you outsource security guard services, starting up is easy. Doing it own your own might take weeks or even months to get started. Outsourcing eliminates the burdens associated with training and providing the necessary support for success. You wont have as many upfront costs. Summary Outsourcing your security guard services allows your business to stay competitive and stay profitable in the 21st Century. When searching for a security guard company, be sure to thoroughly review all of your options. Be sure to find a

security guard company that is properly licensed and insured in your state.