Is it right for your company? - Industry Trend or Event

Communications News, Sept, 2000 by Vincent Giordano

Benefits include lower costs for security solutions.

While the Internet presents enormous opportunities for sales, productivity and cost savings, it also puts corporate information at risk.

Rather than trying to secure their networks themselves, more companies are seeking alternative ways to protect their networks. According to research firm Cahners In-Stat, enterprises are increasingly looking to outsource their security functions to service providers.

Several factors are driving the trend toward outsourced security:

* Skilled security professionals are hard to find, expensive to train and difficult to keep.

* Security technology and processes are becoming more complex, increasing the level of expertise required to deploy and manage a system, and increasing the risk that mistakes will be made, providing opportunities for hackers.

* The pace of change in security attacks and viruses makes keeping up with the latest antivirus packages, intrusion-detection information and security patches for various operating systems and network devices nearly impossible.

In addition to these reasons for outsourcing security is an even more compelling one--it saves money. Adding an internal security specialist to the staff alone can cost up to $100,000 a year--and that does not include the costs associated with turnover, recruitment or investing in security technologies. Outsourcing costs are far less, generally requiring an up-front investment of up to $10,000, and then ongoing monthly charges, ranging from $500-$5,000 per month, depending on the types of services used.

THE RANGE OF SECURITY SERVICES

Managed security services include simple firewall deployment and management to intrusion-detection systems, to vulnerability assessments and virtual private networks (VPNs). The best-managed security vendors offer a full range of services able to meet the breadth of an organization's security needs. Customized service delivers security solutions that closely match an organization's individual business and philosophical goals.

Among the outsourced services that security providers offer are:

* 24x7x365 network monitoring: Most security providers operate several network-monitoring centers, staffed around the clock by experienced security engineers, to manage and monitor all aspects of network security for each of their customers.

* Firewall configuration/installment: Security vendors perform firewall configuration and installment at the customer site, and then remotely manage it over the Internet using a VPN connection.

* Vulnerability assessments: Service providers often recommend performing a comprehensive assessment of the company's network security position, both before and after installing its security solutions. Some vendors then perform standard security checks every six months to ensure that the network continues to show no weaknesses.

* Monthly usage/trend reports: Some providers offer detailed, confidential summary reports that enable companies to track all network activity each month. These vendors can produce in-depth trend usage reports analyzing companies' Internet usage to help them shape or refine Internet policies.

* Web site filtering: Some vendors offer services that enable companies to block employee traffic to certain categories of sites, and to schedule appropriate times for them to surf the Internet.

* Virus protection: Many vendors provide virus protection services to stop viruses and other malicious content at the Internet gateway.

* Technical training and support: Many vendors provide technical training for users of their services, and maintain a toll-free number to their security experts to ensure fast resolution of security problems.

WHAT TO LOOK FOR IN A SECURITY PROVIDER

In addition to choosing a security service provider who offers a full breadth of services, choosing one that is willing to work with a company as a business partner in designing and implementing the most effective security infrastructure is important.

Since any security service is driven by a security policy, the first step in creating a security infrastructure is to create and implement this policy. As part of their partnership, some providers offer services to help develop a suitable security policy.

The provider also should offer robust vulnerability assessments, an important tool for maintaining strong network defenses. Assessments scan a network, spot vulnerabilities and offer corrective action. Pick a provider, if possible, that can support flexible scheduling, so that the assessments can be scheduled for nonpeak hours to minimize disruption.

Finally, make sure that the provider uses industry-standard --and preferably best-of-breed--software and hardware in its security solutions, to ensure full interoperability and maximum performance.

Companies today realize that the only way to achieve true network security is by outsourcing it to a trusted provider that can deploy leading-edge security, which is not always available with an in-house staff.

As these services prove themselves, the demand will grow. According to International Data Corp., the market for managed security offerings will increase to $1.3 billion by 2002, as more companies do business over the Internet.