John Lambeth and Rick Casteel didn't become CIOs so they could spend all their time fending off Trojan horses, setting Sarbanes-Oxley controls and poring over HIPAA requirements.
But Lambeth, vice president of IT at Blackboard Inc., a $111.4 million e-learning company in Washington, D.C., and Casteel, vice president of management information systems at Bel Air, Md.-based nonprofit Upper Chesapeake Health, found themselves increasingly bogged down with those security management tasks. The time had come to consider outsourcing them.
"Security and compliance requires more specialized expertise, and it makes more sense to outsource that so the staff can stay focused on the core business objectives," says Lambeth, who uses four service providers to help his business handle security.
"Keeping it in-house gives us more control," says Upper Chesapeake Health CFO Joseph Hoffman, who says he trusts Casteel's team to get the job done.
Those familiar outsourcing arguments belie the complexity of the evaluations and technologies that drove the respective decisions of these organizations. For today's IT executive, there are no easy answers; heightened criminal activity and intense scrutiny from external auditors put the business at risk day after day. Still, analysts say outsourcing will become increasingly prevalent for labor-intensive activities such as monitoring and for expertise needed to comply with specialized regulations.
Indeed, of the four IT executives featured in this story, all but Casteel say they've embarked on some level of security outsourcing. They have plenty of company. In North America, according to Stamford, Conn.-based research firm Gartner Inc., the managed security service provider (MSSP) market reached $900 million in 2004. The firm predicts it will grow another 18% by 2008. Boston-based Yankee Group Research Inc. estimates that the global MSSP market will grow from $2.3 billion in 2004 to $3.7 billion in 2008. In a report last year, the firm also predicted that by 2010 most companies will outsource 90% of their security functions. The functions most commonly handed over will be firewall management and monitoring networks for abnormal activity or software vulnerabilities.
IT executives and analysts agree that a company should never outsource certain security activities: setting and enforcing policies, monitoring communications and staff behavior, and tracking intellectual property. Other tasks are more easily handed over: sifting through vulnerability alerts, scanning the network perimeter and managing the firewall, among them.
The first items to outsource are the things you have trouble keeping up with, says Gartner analyst Kelly Kavanagh. "For example, let's say you realize you'll never keep up with the variety of vulnerability announcements coming out, and you'll never keep up with the onslaught of IDS [intrusion detection system] signatures. That's safe to outsource." It's a plus to do so, he adds, because once an outsider helps a company sift through all those reports, the in-house IT staff can patch systems and block suspicious network activity faster and more efficiently and then move on to other things.
Here's a look at four organizations and their outsourcing decisions. Bottom line: While the MSSP decision is highly individualized and will always carry risks, CIOs who have handed over even a portion of their security don't seem to be having second thoughts.
BLACKBOARD INC.
Sector: E-learning
Outsourcing: E-mail filtering, intrusion prevention, network scanning and security assessment
Blackboard's e-learning product is essentially a templated, hosted intranet that professors can use to communicate and share files with their students. Professors can post lecture notes, students can share files for group projects, and groupware enables virtual classes, live chat and other features. It currently has more than 12 million users across the globe and is looking to grow.
The emphasis on growth is part of why Lambeth and CFO Peter Repetti opted for outside security help. It would let the company's IT staff zero in on business-building projects. "I have an IT staff of 17, and I want them spending most of their time engineering the infrastructure and applications to help us grow," Lambeth says. "Security and compliance require more specialized expertise, and it makes more sense to outsource that so the staff can stay focused on the core business objectives." Those objectives include constructing a fiber optic network to connect Blackboard's Washington, D.C., headquarters to the data centers of its application service providers and deploying voice over IP globally.
The company's global scope, in fact, was another reason to outsource. "You have to consider other security requirements in other parts of the world -- the [European Union] privacy laws, for example," Repetti says. "An outside entity can keep track of those global regulatory requirements and help us integrate them into our process."
Founded in 1997, Blackboard uses a host of IT providers already. Likewise, Lambeth and Repetti found they needed more than one MSSP to take on their security and compliance needs. Blackboard's projects fell into four categories: e-mail filtering, network security, vulnerability scanning and an annual security assessment. That variety ultimately led to hiring four MSSPs.
For e-mail filtering, Lambeth and his team had to decide what type of mail should be blocked as spam and what should be let through. The company hired Quatro Systems Inc. of Horsham, Pa., to weed out unsolicited junk messages, which can clog e-mail servers, while allowing legitimate e-mail to pass through more quickly.
On the network side, Lambeth was aware of the resources required to monitor the logs of network activity generated by firewalls, IDS machines and other devices and to stay on top of the latest exploits out there. "We need a constant focus on the newest and greatest threats at any given point in time," Lambeth says. "That really requires a sizable investment in people infrastructure. It's easier for us to rely on an organization that understands and specializes in that threat than to make the investment in-house as a small company."
So Blackboard hired Mountain View, Calif.-based Counterpane Internet Security Inc. to provide around-the-clock IDS services. "Counterpane can survey all the potential threats worldwide," Lambeth says. "They can provide a much wider, more current view of the threats. That's something we can't do, because it's not our focus."
Vulnerability scanning is an important part of Blackboard's efforts to comply with regulations such as the Sarbanes-Oxley Act and the Payment Card Industry's (PCI) Data Security Standard. "We process credit card transactions and need to be PCI-compliant to conduct business," Lambeth says. "This requires a scan of our entire security posture to ensure there are no vulnerabilities." The company hired Chicago-based AmbironTrustWave for this.
Blackboard uses yet another company to check up on these outsourcers by performing an annual assessment of both physical and IT security. "We don't tell the other parties the test is going on to ensure they are being effective," Lambeth says. For these assessments, the company turns to Jefferson Wells International Inc. in Brookfield, Wis.
So how has the IT staff taken this shift of its security responsibilities?
"Overall, the IT staff has worked well with outside contractors," Lambeth says. "Never have we transferred labor from the internal IT staff. As an IT leader, you have to make sure the staff understands why you're doing this and that they are focused and on board. It frees them up to get trained on upcoming technology and challenges. They can focus on the next engineering challenge."
Repetti says Blackboard's IT staff also wins because it learns from the outsiders. "These providers let us leverage the strengths of our in-house staff and allow our IT staff to gain the collective knowledge of experts," he says.
UPPER CHESAPEAKE HEALTH
Sector: Health care
Founded in 1984, Upper Chesapeake Health manages two hospitals, a hospice and a foundation in Harford County, Md. After analyzing various scenarios, IT executive Casteel and CFO Hoffman eventually decided the nonprofit would be better off managing security and compliance in-house.
Unlike Blackboard, Casteel's IT shop isn't involved in projects that generate revenue. As he describes it, its mission is to support the needs of doctors, nurses, lab technicians and ultimately the patients by keeping the network running smoothly. Monitoring potential threats and making the network compliant with the Health Insurance Portability and Accountability Act (HIPAA) is a natural part of that, he says. Further, some IT staff specialize in security, so it made more sense to invest in the necessary tools.
"We control our destiny," says Hoffman. "With outsourcing, sometimes these companies don't know the players and the process, and they have to start from scratch. That can complicate the process. From my perspective, I'm confident in [Casteel's] expertise and that of his department. If there's a team in place that can meet the goal, I'm inclined not to go looking for outside help."
Despite the number of vendors and technologies out there, Casteel isn't intimidated. He's found that as security technology has become more sophisticated, it has also become easier to install and manage. "Five years ago, we'd be scratching our heads, wondering if we could ever manage without going outside," Casteel says. "But it has gotten easier."
His budget includes about $300,000 of the company's $100 million annual operating budget for equipment and software and at least another $300,000 for ongoing expenses, including salaries. Casteel also has a full-time network security engineer position, which he added to his 21-person IT team when the organization decided to handle its own security.
To harden the network against security threats and comply with HIPAA and the Joint Commission on Accreditation of Healthcare Organizations, Casteel had to centralize the logs flowing from devices across the network. "HIPAA is all about having a centralized process to monitor and log behavior," Casteel says. "Across all devices in our network, there are millions of events a day. Devices across the organization have their own auditing systems." To build a centralized monitoring and auditing system, Casteel chose a security information manager, a box that aggregates reporting from all devices on a network, from TriGeo Network Security Inc. of Post Falls, Idaho. "When you can literally -- through one source -- watch all the events on all the systems on your network, that just seemed to be an economics of scale we weren't going to get by just throwing personnel at the issue," he says, adding that the tool has also made it easier to keep an audit trail.
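The centralized monitoring Casteel describes starts with a normalization problem: every device writes events in its own layout and timestamp format, and nothing can be audited across them until they share one schema and one clock. The following script is an added illustration of that step, written for this article; it is not TriGeo's product or Upper Chesapeake's code. The firewall, IDS and application log lines are constructed samples, the "ehr1" audit-log format is hypothetical, and the three reports at the end (a per-user record-access trail, repeated denied accesses, and IDS alerts paired with the firewall's verdict on the same source) are the kind of questions a HIPAA audit trail has to answer from one place.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not output from any real device). Each source
# uses its own timestamp and field layout, which is why a central system has to
# normalize before it can audit across devices.
FIREWALL_LOGS = [
    "2005-06-01T08:00:05Z fw1 ACCEPT src=10.1.20.14 dst=10.1.5.7 dport=443",
    "2005-06-01T08:02:41Z fw1 DROP src=172.16.9.3 dst=10.1.5.7 dport=445",
]
IDS_LOGS = [
    '06/01/2005-08:02:40 ids1 alert sid=1000001 msg="SMB probe" src=172.16.9.3 dst=10.1.5.7',
]
APP_LOGS = [  # hypothetical EHR application audit log (user, record, action, result)
    "2005-06-01 08:00:06 ehr1 user=jdoe record=MRN-0001 action=VIEW result=OK",
    "2005-06-01 08:01:10 ehr1 user=rsmith record=MRN-0002 action=VIEW result=DENIED",
    "2005-06-01 08:01:12 ehr1 user=rsmith record=MRN-0002 action=VIEW result=DENIED",
    "2005-06-01 08:01:15 ehr1 user=rsmith record=MRN-0002 action=VIEW result=DENIED",
]

FW_RE = re.compile(r"^(\S+) (\S+) (ACCEPT|DROP) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(
    r'^(\d\d/\d\d/\d{4})-(\d\d:\d\d:\d\d) (\S+) alert sid=(\d+) msg="([^"]*)" src=(\S+) dst=(\S+)$'
)
APP_RE = re.compile(r"^(\S+ \S+) (\S+) user=(\S+) record=(\S+) action=(\S+) result=(\S+)$")


def _utc(text, fmt):
    """Parse a device-local timestamp string into a timezone-aware UTC datetime."""
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def parse_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not guessed at
    ts, device, action, src, dst, dport = m.groups()
    return {"ts": _utc(ts, "%Y-%m-%dT%H:%M:%SZ"), "device": device, "kind": "fw",
            "action": action, "src": src, "dst": dst, "dport": int(dport)}


def parse_ids(line):
    m = IDS_RE.match(line)
    if not m:
        return None
    day, clock, device, sid, msg, src, dst = m.groups()
    return {"ts": _utc(f"{day} {clock}", "%m/%d/%Y %H:%M:%S"), "device": device,
            "kind": "ids", "sid": int(sid), "msg": msg, "src": src, "dst": dst}


def parse_app(line):
    m = APP_RE.match(line)
    if not m:
        return None
    ts, device, user, record, action, result = m.groups()
    return {"ts": _utc(ts, "%Y-%m-%d %H:%M:%S"), "device": device, "kind": "app",
            "user": user, "record": record, "action": action, "result": result}


def collect(fw=FIREWALL_LOGS, ids=IDS_LOGS, app=APP_LOGS):
    """Normalize every source into one schema and return a single UTC-ordered timeline."""
    events = [e for line in fw if (e := parse_firewall(line))]
    events += [e for line in ids if (e := parse_ids(line))]
    events += [e for line in app if (e := parse_app(line))]
    return sorted(events, key=lambda e: e["ts"])


def access_trail(events, user):
    """Audit trail: everything one user did to patient records, in time order."""
    return [(e["ts"].isoformat(), e["action"], e["record"], e["result"])
            for e in events if e["kind"] == "app" and e["user"] == user]


def repeated_denials(events, threshold=3):
    """Users whose denied record accesses reach the threshold; candidates for review."""
    counts = defaultdict(int)
    for e in events:
        if e["kind"] == "app" and e["result"] == "DENIED":
            counts[e["user"]] += 1
    return {u: n for u, n in counts.items() if n >= threshold}


def ids_with_firewall_outcome(events, window_seconds=5):
    """Pair each IDS alert with what the firewall did to the same source shortly after."""
    pairs = []
    for alert in (e for e in events if e["kind"] == "ids"):
        for fw in (e for e in events if e["kind"] == "fw" and e["src"] == alert["src"]):
            delta = (fw["ts"] - alert["ts"]).total_seconds()
            if 0 <= delta <= window_seconds:
                pairs.append((alert["src"], alert["msg"], fw["action"]))
    return pairs


if __name__ == "__main__":
    timeline = collect()
    for e in timeline:
        print(e["ts"].isoformat(), e["device"], e["kind"])
    print(access_trail(timeline, "rsmith"))
    print(repeated_denials(timeline))
    print(ids_with_firewall_outcome(timeline))
```

The point of the common schema is that the three reports never look at raw lines again: once events carry a UTC timestamp, a device name and a kind, the same code answers "who touched this record" for the application log and "did the firewall act on what the IDS saw" for the network devices, which is the single-source view Casteel credits with making the audit trail cheaper than adding staff.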
Though his organization doesn't get any security help from MSSPs, Casteel says it would be wrong to think Upper Chesapeake exists in a cocoon. "Everyone puts some degree of trust in outsiders," he says. "If you have an antivirus program, you're relying on someone like McAfee." And if you're using a security management appliance, you're still relying on a vendor like TriGeo, he adds.
CERTEGY INC.
Sector: Financial processing
Outsourcing: Network monitoring and auditing
Wayne Proctor is chief information security officer for Certegy Inc., a $1 billion St. Petersburg, Fla., company that provides credit card processing, check risk management and other services to financial institutions, retailers and consumers worldwide. Like Blackboard, Certegy ultimately determined some security outsourcing was necessary.
"It comes down to cost," Proctor says. "We'd like to do it ourselves, but monitoring software can get expensive. The biggest cost of in-house monitoring would be salary. You also need a third party for auditing. No one would respect the results unless it was [from] a third party. With security, there's too much risk and cost when you don't outsource some of it." Proctor declined to name specific MSSPs his company uses. But when shopping for the right provider, he says, "I value the well-established companies, those with a well-known and respected name in the industry. It's also important that they have multiple locations so if you need help and can't reach people in one center, you can get help from another center."
While he says network monitoring and auditing are appropriate for outsourcing, Proctor, who has several hundred IT staff, will go only so far. "I'm against outsourcing strategic controls," he says. That is, the company's security policies, employee awareness programs and actual control of network devices. "All our security tools, policies and procedures we maintain ourselves." It's helpful to have someone on the outside monitor network activity for suspicious patterns you might not recognize on your own. But in the end, the IT staff must have its hands on the controls, he says, adding, "That's the line we draw."
Gartner analyst Kavanagh believes that's a wise approach. "You should never leave outsiders to decide who to let on the system and how much access to give them. You should never leave it to an MSSP to write your user policies. An outsider can help you understand what the appropriate tech policies might be, but the company needs to write the policies and enforce them."
IT executives who put those strategic controls in outside hands risk becoming detached from the threats they face, Kavanagh adds. In-house IT staff might not be able to manage a security crisis on its own if it had to. "Giving up too much control means you don't have a good view of what your security situation is, because the in-house IT staff becomes too disconnected," Kavanagh says. "Typically, an MSSP doesn't make decisions on your behalf. They recommend a course of action and implement what you tell them they can implement. Here the danger is that you don't understand the implications of what the MSSP is recommending. That's why you'll always need in-house expertise."
Yankee Group analyst Phebe Waterfield agrees. If Yankee Group's 90% prediction is realized, she says, the 10% of activities that remain in-house will include setting policies, monitoring communications and staff behavior, and tracking intellectual property.
CAPITAL IQ
Sector: Financial services
Outsourcing: Network monitoring, firewall management and IDS services
Ken Pfeil is chief security officer for Capital IQ, a New York-based division of Standard & Poor's and part of the $5.2 billion McGraw-Hill Companies. Capital IQ has a total of 1,100 employees, with 30 to 35 of them in the IT department. It also has an annual IT budget of up to $3 million with security accounting for 9% to 11% of that. The percentage includes spending for security outsourcing.
For network monitoring, firewall management and IDS, the company turns to Getronics in Billerica, Mass. "With firewall and IDS management, it makes more fiscal sense for us to outsource," Pfeil says.
The company also gets outside help on its application security. "We have someone come in, look at our applications and help us code more securely," he says. Two companies assist with that: New York-based Immunity Inc. and NT OBJECTives Inc. of Irvine, Calif.
"One of the risks of doing everything in-house is that you'll run into employee burnout," Pfeil says. "There are also the costs of training and technology and the cost of adding bodies. We're in a fast-paced environment and the tools and expertise of today could be obsolete tomorrow."
But he agrees you can't turn everything over to MSSPs. In fact, his in-house IT staff handles some tasks most enterprises are outsourcing. For starters, while MSSPs can sort out the mountain of network vulnerability reports and determine when there are patches or configuration workarounds to be had, Pfeil says his staff handles that on its own.
And while many enterprises look for outside help on regulatory compliance, Capital IQ shows it isn't always necessary.
"We've been hit with all sorts of regulations. Before S&P acquired us, we were affected by Sarbanes-Oxley. Now we're also under Gramm-Leach-Bliley and SEC regulations," Pfeil says. "But for now, we can handle compliance in-house. We don't have a complex environment, and the corporate office has been very clear about who is responsible for what. There are clear and concise goals and objectives and officers whose job is to know the regulations. That's been key."