Should IT Security Be Outsourced?

By Renee Oricchio

For many CIOs, outsourcing security may sound like handing over the keys to the kingdom. It's easy to imagine why some would never even consider outsourcing, knowing that if something does go wrong, it won't be the security vendor left holding the bag. When there's a security breach, it's the corporate brand itself that's in peril.

"Always retain what is required to protect the brand," says Paul Roehrig, a principal analyst from Forrester Research, who says outsourcing security can be appropriate, but proceed with caution.

Look no further than the story of TJX, the national retailer that owns such chains as T.J. Maxx, HomeGoods, Marshalls and Bob's Stores. In January of 2007, TJX had to publicly admit the most sensitive part of its network had been hacked, exposing the numbers of more than 45 million customer debit and credit cards. In the wake of what is considered to be the worst breach of consumer data ever, dozens of banks were forced to cancel and reissue millions of cards, while TJX faced countless lawsuits and relentless bad press.

"TJX is the poster child that illustrates the bigger they are, the harder they fall," says Ben Rothke, a senior security consultant for the security firm BT INS.

While some IT managers may see TJX as a cautionary tale to keep something as important as network security in-house, Rothke believes the TJX story actually makes a compelling case to do the very opposite.

"When hackers stole customer data from TJX, what made matters worse is that it went on for so long undetected, and once identified, they were slow to tell clients," says Rothke. He adds that most IT departments are notoriously understaffed and underbudgeted when it comes to security.

Here are some of the security functions that could be outsourced in large organizations:

• Intrusion detection Intrusion detection (IDS) "takes a certain set of protocols and expertise to understand. For most IT departments it's not a core competency," says Rothke. For CIOs who don't already have IDS technology deployed, it can't be done overnight either. The right IDS vendor will already have an infrastructure in place, making rapid implementation possible.
• Firewall security This, too, is its own discipline, troubleshooting the efficacy of the network firewall or firewalls. What's the firewall protecting? Where are the holes? And how are they to be plugged? Companies need a vendor that understands the nature of rule changes, documents those changes as they happen, and offers 24/7 support.
• Incident response While intrusion detection is all about discovering a breach when it happens, incident response is all about having the right protocols in place to react. Again, looking back at the TJX case, two of the biggest mistakes the company made that magnified the disaster were the inability to realize there had been a breach going on for months undetected, as well as their slow reaction alerting customers and the public in the aftermath.
• Forensics How did the breach happen? The kind of security expert that keeps vigil over the network is not necessarily the same person to play detective once the damage has been done. To date, no one has definitively figured out how the TJX breach happened or who was directly responsible. The company suspects wireless transmissions used out of two Miami stores were hacked. With an outside forensics expert, there is the added benefit of third-party objectivity and no self-interest to cover up findings, experts say.
• Vulnerability scanning The other kind of security expert needed to protect the network is one who can audit and aggregate the risks in all of the above areas and implement routine testing.

While these are the most popular areas of expertise to outsource, Roehrig draws the line between what should stay in-house and what can go out of house more simply.

"Outsourcing can be a great solution for implementation and support, but architecture and setting security policies should stay within the firm," he says.

Outsourcing security: the rules of the road
"If done right, the benefits of outsourcing security are compelling. If done wrong, the risks can be significant," says Rothke.

Here are some strategies to make outsourcing work:

• Find a good match There are consulting groups that can offer a team of experts to cover all those specific areas of concern: intrusion detection, firewall security, incident response, forensics and vulnerability scanning. CIOs would be wise to assess in advance which of those areas need outside expertise and whether it's better to have one vendor handling everything, or instead compartmentalizing certain areas with multiple vendors.
• Appoint an in-house liaison to manage the relationship Vendor management by an insider is key. At least one person from the IT department needs to monitor the relationship explaining the needs of the business and its culture to the security consultant.
• Don't be cheap The right person or firm is not likely to be the most affordable solution. Rothke warns there are plenty of "Mom and Pop" security firms out there. The good ones are a rare commodity and charge accordingly. Plan on paying for quality.

However a CIO decides to handle network security, Rothke offers this final piece of advice: "Hardware's cheap, bandwidth is cheap, contractors in India are cheap. But lawyers are expensive."

Renee Oricchio is a freelance writer in Norwalk, Conn. For the past 20 years, she has been writing and producing news segments about technology and business for CNN, MSNBC, Ziff-Davis, CNET and a variety of Silicon Valley-based local news outlets.