Outsourcing is supposed to confer specialization on both sides. In theory, the outsourcing company handles the tasks a client is not as familiar with, leaving the client better able to dedicate its time, energy and resources (both fiscal and professional) to the core services or products that represent the heart of its business.
In the case of networked security, though, the possible shortcomings sometimes seem to outweigh these gains. There are few areas of network management so inarguably fundamental to the ongoing success or failure of a company as security, and few in which the evolution of technological progress has been so devastating.
Consider the case of distributed denial of service (DDoS) strikes, for instance. DDoS was thrust into the headlines just over a year ago when well-known companies including Yahoo and eBay were brought down for extended periods. Even today, after a year of hard work by numerous security firms and emerging startups, DDoS attacks remain for the most part completely unpredictable and exceptionally difficult to cope with.
Even the well-known Internet security/privacy gadfly Steve Gibson decided to post an open letter to the hacker community when his own site was hammered by a strike. The letter was a carefully phrased white flag acknowledging the potential damage DDoS strikes (and by extension, hackers) can do.
Hiring another company to handle your network security? In the eyes of many network managers, that's tantamount to hiring mercenaries to guard the castle. Instantly doubling or quadrupling the number of eyes watching the gates may seem beneficial in the short run, but in the long run the benefits and costs aren't so clear.
What can a company do to predict how skillful these mercenary soldiers will be? Are they really as well-trained and familiar with the client's particular concerns as they promise? How many will really be ready in a crisis - at the drop of a (black) hat? How loyal can they be to any one company, given that they render services to multiple clients?
Can a company, in short, afford to trust people who aren't actually on the payroll with something as inarguably mission-critical as the security of its network?
At the recent Networking Beyond the Enterprise conference in San Francisco, Gartner Group said companies can and will trust managed security firms in the years ahead.
Outsourced security was something many of the Gartner analysts hit upon, forecasting a steadily growing demand:
- Within four years, the global managed security service market will have roughly tripled, going from a little under $2 billion annually today to almost $6 billion.
- Monthly fees for security device management will drop dramatically (75%) by 2003 as the installed base grows (0.8 probability).
- A majority of telcos and carriers will partner with managed security service providers to deliver managed security services by 2003 (0.8 probability).
- By 2003, 40% of security expenditures will be influenced by a managed service security provider (0.8 probability).
The Gartner bottom line on this subject appears to be that future enterprises will increasingly lean towards in-house "good-guy" security (that is, security designed to allow clients, business partners, etc. into their networks) but will just as increasingly outsource "bad-guy" security, which is designed to address the ongoing threat of black hat hackers.
Will this really prove to be the case? My personal experience with network administrators suggests they are a slightly more skeptical breed than is implied by Gartner's predictions, and may continue to be reluctant to give up the keys to the kingdom. Time will certainly tell.