Regulations are pushing users to outsource security management

The number of businesses outsourcing management of their corporate security is set to surge, according to analyst firm Gartner.

The increasing burden of corporate governance regulations will see the market for security management grow from £436m to £788m by 2007.

Compliance is not the only issue driving this spending. Businesses are also realising they can reduce costs and achieve better protection by outsourcing repetitive tasks, such as monitoring firewalls and intrusion detection systems, said analyst Khalda Parveen.

The analyst group cited the example of an engineering company reducing its security management costs by a factor of four, from £1m to £250,000, through outsourcing.

For regulated businesses, in financial services or healthcare for example, outsourcing security management can also help companies demonstrate to regulators that they are taking security seriously, said Parveen.

"It is quite hard to recruit and maintain people internally to catch all the incidents. Outsourcing offers you the benefit of 24/7 monitoring. The chances of all malicious attacks only happening in business hours are not that high."

However, organisations considering outsourcing should take precautions against a likely consolidation among suppliers, according to Gartner.

"The market is too fragmented. Everyone has jumped on the bandwagon. We have telcos offering services, pure play suppliers, systems integrators, network integrators and real niche providers," Parveen said.

IT departments need to make sure contracts contain provisions that give them flexibility if their supplier is taken over or goes out of business, or if the IT department's own needs change, said Gartner.

In particular, they should ask for service level agreements tailored to their needs and not simply sign the supplier's standard agreements, said Parveen.

Evaluating managed service providers

  • Check the supplier's track record and ask for references. Ask how experienced the individual staff who will handle your account are
  • Ask to see the firm's corporate qualifications and certifications
  • Find out the service methodology: will the firm be collecting data from your systems? Will it provide security alerts? How, and how often, will you receive reports?
  • Check the background of the firm, including its ownership and financial stability
  • Sign a service level agreement tailored to your needs, not the supplier's standard terms
  • Check the contract for any third-party relationships the supplier depends on, and for how you will be notified of escalations and changes to the service
  • Is there a one-off initial charge as well as monthly charges?
  • Where will the liability lie in the event of a security breach?

Source: Gartner