Last year, ESL Federal Credit Union's email security gateways caught about 400,000 spam messages a month. Unfortunately, that wasn't good enough. The IT and help desk staff was still spending three or four hours a day "responding to calls from our end users about getting too much spam mail or missing important emails that were being blocked," says Michael Armbruster, CIO at the Rochester, N.Y.-based credit union.
Rather than continue the struggle against spam on its own, ESL brought in Postini Inc., a managed security service provider (MSSP) that specializes in protecting customers against spam, viruses, phishing and other email-based threats through automated encryption and other means.
Hard savings using an MSSP
ESL is hardly alone in turning to a third party to aid it in the battle against spam. In a recent Forrester Consulting survey of security decision makers, almost half of the 146 respondents said they would consider turning over elements of their security operations to an MSSP.
And why not? The payback can be impressive. According to a September 2006 Forrester study commissioned by MSSP SecureWorks Inc., a multibilllion dollar SecureWorks customer realized a three year, risk-adjusted ROI of 267%, or $2,273,572. The ROI calculation took into account total service fees of $943,500 and internal administrative costs of $73,440. Among the avoided costs were $3,375,000 for an internal security team, and $150,000 in software and hardware. Forrester estimated that the firm also saved $450,000 through reduced risk of loss from a security breach.
Soft benefits from service providers
Of course, not all companies will realize such impressive benefits. ESL, for example, saved only a few thousand dollars a year by freeing up a couple of servers and getting rid of one of its email security gateways, reported Ray Kaforey, the credit union's network services manager. Personnel cost savings are also likely to be smaller for organizations, like ESL, that do not have dedicated security teams in the first place.
Still, ESL reported significant savings in administrative overhead after using an MSSP. "While the pure cost of the Postini service is higher than for the previously utilized internal solutions, we feel that we have saved money by reducing help desk calls related to email and spam problems," Armbruster noted.
Case in point: Postini's Message Center helped ESL reduce administrative overhead by enabling employees to check their spam queues and recover genuine emails on their own, without calling on IT staff. "As a result, our internal IT staff people are able to focus on higher-value tasks and meeting the needs of our end users."
Another benefit of the shared, on-demand service provider model is it gives midrange companies access to a depth and breadth of expertise and support that go well beyond their IT budget and internal staff resources.
While a properly configured security appliance, for example, can block the majority of intrusion attempts, human technicians need to regularly monitor events, analyze suspicious or anomalous patterns and determine whether immediate action is needed. On top of that, there's the ongoing job of fine-tuning and updating security systems.
"Intrusion prevention systems are high-maintenance," said Thelma Dell, director of information security at Teachers Credit Union in South Bend, Ind. TCU's MSSP, Atlanta-based SecureWorks, provides a level of intrusion detection and prevention that TCU could never reach on its own, Dell said. Technicians constantly monitor hacker activities and conversations on the Web, enabling SecureWorks to identify and counter new attacks before they cause harm. "You can't do that unless it's your core business."
The most important benefit for companies that turn to MSSPs, however, is "the peace of mind we get from knowing they're responding to new threats quickly," ESL's Armbruster said. New threats are mitigated in hours, whereas ESL's in-house staff sometimes took days.
What to keep "in-house"
Regardless of how expert and sophisticated an MSSP's offerings may be, businesses tend to be leery of turning over their entire security operations to an outside vendor, and companies should consider keeping at least some security functions in-house.
While the pure cost of ... Postini ... is higher than for the previously utilized internal solutions, we feel that we have saved money by reducing help desk calls related to email and spam.
Michael Armbruster, CIO, ESL Federal Credit Union
ESL, for example, retained its SMTP gateway from Symantec Corp. "as a second layer of defense," Kaforey said. It also maintains "numerous other hardware and software security systems," including intrusion prevention and detection, multiple firewalls and a Cisco Security Monitoring, Analysis and Response System.
In-house IT and security staffs need to maintain knowledge of a company's security operations, noted Maxine Holt, a senior researcher at Butler Group. One reason: The company may decide to bring security operations back in-house, or switch to another security service provider.
Communication key to service provider relationships
Furthermore, a business needs to actively manage its service provider relationships, "particularly when the SP is responsible for your security," Holt says. "You need to understand what services are being delivered, whether SLAs are being met. You need to establish the ground rules, responsibilities between the internal IT and SP staff, like who's responsible when there's a problem. And you need to know how many people you are paying for."
An active relationship between company and service provider takes up staff resources. The average MSSP outsourcing agreement requires 4% to 8% of the total contract value dedicated to "management and governance" by internal staff, Forrester estimates. Using the midpoint of 6%, Forrester assumes the client's internal labor cost is $18,720 per year.
And some security responsibilities simply can't be outsourced. "Security threats like phishing require enterprise involvement" and awareness campaigns that may even extend beyond the company, to business partners and customers, TCU's Dell said.
Ensuring that communication channels remain open and active, however, is the MSSP's responsibility. For example, Postini provides a customer support portal, through which ESL's IT staff can submit and manage cases, review documentation, manage contacts and monitor the status of Postini's security systems, Kaforey said.
Nevertheless, Kaforey expressed a wish that Postini would be a bit more proactive, particularly when it comes to ongoing support. "It's easy to get a response when we need to resolve an issue, but I'd like them to initiate a biannual or quarterly review, to contact us and ask how things are going, whether they should go through our configurations, whether there's any way they can improve performance," he notes.
Kaforey said he would also like to be notified when Postini announces new products and features his company might find useful.
Overall though, Kaforey and Armbruster said they are extremely pleased with ESL's relationship with Postini: Spam volume is down, while peace of mind and ROI are up. "Initial setup and ongoing support have been great," Armbruster said. "We all just wish we'd done it sooner."
Elisabeth Horwitt is a freelance writer based in Waban, Mass.