Organisations are all struggling to manage tight information security budgets while threats continue to rise. For some companies, however, managing systems in-house can become too burdensome, and it makes sense to look at outsourcing security – whether it's all or part of the security function – to a managed service supplier, or a cloud-based service.
Some aspects of security have tended to be more acceptable than others for outsourcing. For instance, many companies use a cloud-based management service to filter incoming email rather than have their own gateways clogged by the high levels of spam – currently hovering at around 90% of total email traffic by most estimates.
Tedious and specialised jobs, such as analysing logs from intrusion detection systems, are also often farmed out to third parties to manage.
But for the most part, all but the smallest organisations have hesitated about going any further and leaving their security to others. Smaller organisations have traditionally been more open to outsourcing security because they lack the in-house resources to manage the task themselves. But according to Rob Newburn, head of the security division at York-based software management specialists Trustmarque Solutions Ltd, that is now changing, particularly in the public sector.
"We are seeing a growth of managed services – especially for Web and email security," he said. "This used to be confined to small organisations, but now some large London boroughs have gone that way, and although volumes are not large yet, there is increasing interest in the public sector." Newburn said the expected cut in public sector spending will accelerate the process over the next 18 months.
Peter Wood, head of West Sussex-based First Base Technologies Ltd., a penetration testing company, echoes that view. "There has been a definite increase in outsourcing," he said. "We find that when we are testing a system, we find it's often a third party that's running it for the customer. There is definitely a trend to try and outsource the risk."
However, calculating the cost savings of outsourcing security can be a complex task, as companies may save on staff, hardware, office space and energy, as well as on the cost of software licences. That then has to be set against the cost of the managed service, which is usually charged on a per-seat basis.
One study that looked at this was done by Osterman Research Inc., a U.S.-based consultancy, in February 2009. The study was commissioned by Proofpoint Inc., an email security vendor, and set out to compare the cost of an in-house email security solution with a similar Software as a Service (SaaS) offering.
The report proposed a number of different scenarios, but in most cases, the SaaS option delivered significant savings over the true cost of running an in-house system. For instance, a finance company with 1,000 users could expect the annual cost per user to come down from $192.88 to $26.48. Savings at a large college with 20,000 users would be less – from $46.61 to $20.32.
The figures look attractive, but email is probably one of the easiest applications to justify in terms of outsourcing security. Others may be harder to rationalize, and as Wood said, the main motivation for outsourcing security may be just to offload the risk and responsibility.
In those cases, the economic case may be harder to prove. "In our experience, all it does is add another layer of management," said Wood. "It just consumes budget in a very unconstructive way."