Security: Guarding the castle

Outsourcing security doesn't necessarily mean giving away the keys to the kingdom. Rachel Lebihan talks to CIOs who have handed over the gatekeeping to others.
 
Call it a momentary lapse of judgement or a case of being swept along by the outsourcing wave. But Westpac's decision to relinquish IT security to an external provider is something chief information security officer David Backley had been trying to rectify for years.
 
With IT security now back under the bank's control, and a tempestuous period with its outsourcing partner behind it, Backley has been reflecting on where the Australian bank went wrong. Easing internal pressures by outsourcing some aspects of security, while retaining responsibility for safeguarding a company's confidential information, its ability to transact electronically and its reputation, requires a delicate balance. And Westpac, it seems, tipped the scales too far to one side when it offloaded all of its IT security to IBM Global Services.
 
Backley says there were no gaps in IBM's work (although the Sasser worm took 800 branch computers offline for almost two days, despite a software patch having been available for about three weeks). But the bank was uneasy at having lost control of such a crucial part of its business.
 
"From my perspective, with a number of years of experience in the industry both in banking and technology," Backley says, "I don't think an organisation can outsource its governance and its policy making. But it can outsource tasks. It can also outsource services, which we have done." Under a new and more balanced arrangement with IBM, Westpac develops and controls IT security policy and governance. IBM sticks to providing security services.
 
The IT security outsourcing conundrum is not uncommon. IT and security managers are generally loath to let go of something that, if handled badly, can have dire consequences for the business.
 
With targeted attacks on businesses on the rise and attackers increasingly motivated by financial gain, organisations want to keep as close an eye as possible on security measures and this often means keeping much of it under the control of a dedicated internal team.
 
At the same time, an outsourcer or managed service provider might be better resourced to handle specific problems. At the Australian Taxation Office, safeguarding sensitive taxpayer information is considered far too important to put into an external provider's hands. Second commissioner Greg Farr says that as technology becomes more ingrained in business, as in the ATO's own increased electronic dealings with taxpayers, it is inevitable that organisations will increasingly turn to external sources to help mitigate risk.
 
However, the risk is too great for the tax office to outsource IT security, Farr says. For other businesses, particularly smaller outfits, he says outsourcing IT security is more of an option. The ATO even manages its own email monitoring and filtering, which is probably the most commonly outsourced security service.
 
While the ATO went to tender earlier this year for a panel of IT security service providers, Farr says this does not really equate to outsourcing. The panel will provide security services in six categories, including investigation services, security assessments and audit services.
 
It will predominantly provide consultancy-type advice, and members will be brought in to the office periodically to work on short-term projects or particular security issues. "All the security policies, strategies, configurations, etc, we retain in-house and the intention is to retain that in-house," Farr says. "The panel is not to replace but supplement the quite considerable security presence we have. Community confidence to deal securely with the tax office is something we would not contemplate passing off to someone else."
 
However, sometimes the benefits of outsourcing elements of IT security outweigh the risks.

Outsourcing some security

A clear winner in this regard is spam filtering, which many companies say is time-consuming to manage internally and provides little reward for staff whose time would be better spent working on other security issues. Vice-president of research at Gartner, Rich Mogull, baulks at the idea of an organisation outsourcing its entire security portfolio. However, he says good contenders to be managed externally include firewall management, intrusion protection and anti-virus control, things an organisation doesn't necessarily need to monitor daily, or areas that generate minor alerts which distract the business from core functions.
 
"We call that 'security in the cloud' because there are some things, such as certain types of generic attacks like traffic denial of service attacks and certain types of hacker attacks that you should never have to deal with," Mogull says. "Just let a service provider take care of all of that for you before it gets to you."
 
Computer Sciences Corporation, an IT outsourcer that itself looks after security for clients, made the move to offload its own email and spam filtering to MessageLabs just over a year ago. CSC Australia previously managed it in-house, but its former CIO, Emily Richmond-Jones, says it consumed too many resources.
 
In a company-wide move, CSC Australia is shifting away from the .au email extension to .com. The latter is more heavily targeted by spammers, so CSC's already large filtering workload is expected to increase. Richmond-Jones says that one of the benefits of outsourcing email filtering is that internal employees can concentrate on more "value-add" work, such as monitoring wireless networks, forensic analysis and participating in CSC's worldwide incident response team.
 
"As an outsourcer it's good to eat your own cooking sometimes, but it's also good to recognise that doing it yourself is not always the right answer," she says. "We did the maths and it made more sense to outsource that aspect to someone who made it their life." Backley also says the most obvious value-add security service that Westpac has outsourced completely, and outside of IBM, is email and spam filtering.
 
Westpac saw the advantages of using a global provider that was more likely to have seen security threats such as worms and viruses overseas first, therefore better enabling it to protect the bank should the threat spread to Australia.
 
"They have a networked advantage of seeing much more than we see on our own," Backley says.
 
Engineering and professional services firm GHD also uses MessageLabs' email filtering service. CIO Trevor Hazlewood says the problems the company had with managing it in-house were practical ones, such as manually having to vet a lot of content (particularly photographs and PowerPoint content) 24 hours a day, seven days a week for about 4,500 staff. This led to a lot of delays, particularly after-hours.
 
Managing the mail filter also took 50 to 60 per cent of an employee's time, and it had to be checked every half hour, so the employee didn't get to other tasks. When it wasn't "pretty mindless" work, security staff were exposed to some offensive material, Hazlewood says. An automated managed service got rid of those problems, although Hazlewood is not convinced that outsourcing other aspects of security is the right move.
 
"Security is something you have to take ownership and responsibility for ... outsourcing it is really based on trust and performance and, from our point of view, it would cost us a lot more to pursue that than to do it internally," he says. "We have our own security specialists, so it's not as if it's an area not already well-covered."
 
It has taken Westpac a significant amount of time to regain control of its IT security. It was outsourced to IBM in 2000 as part of the bank's wider 10-year, US$3.3 billion IT and telecommunications contract with the group. In 2003, Westpac began to bring it back in-house, a move that opened up a can of worms and put pressure on its partnership with IBM. It took until late last year to establish a framework of responsibility that kept both sides happy.
 
Despite this tumultuous time, Backley has kept an open mind on outsourcing.
 
Asked if there are some aspects of IT security that should never be outsourced, he simply says: "Never is a long time."

By any other name

When email filtering is looked after by an external provider, has it technically been outsourced, or is it a managed service?
 
Two CIOs referred to it as outsourcing initially, then had second thoughts.
 
"This is a service that is outsourced rather than outsourcing something involving suppliers or people's skills," Trevor Hazlewood, CIO at professional services firm GHD, says.
 
"Is it outsourcing? Yes, but at the same time it's not. It's an automated service rather than anything else."
 
CSC Australia former CIO Emily Richmond-Jones says the difference between an outsourced service and a managed service largely comes down to the breadth and size of the work.
 
"Email filtering is probably more a managed service, that's probably a better term, because we haven't actually outsourced our mail service in any way, we just have MessageLabs ensuring that spam and viruses don't come through," she says.
 
Words of advice
 
Gartner's vice-president of research, Rich Mogull, offers some advice to organisations that are considering outsourcing IT security.
  • If you try to outsource core functions, it's just not going to work for you or your outsourcer. The thing with security is that while you can outsource management, you can't outsource the risk. You're always going to have to hold on to the risk yourself. So you want to be careful that you're not potentially creating a bigger pitfall by trying to outsource key areas.
  • As with any outsourcing, watch your contracts and your service level agreements. You don't want to be caught in a contract with an unresponsive outsourcer, someone who can't meet your needs.
  • The most important thing to remember is to have good metrics and service-level agreements, as well as measurable response times.
  • If a configuration needs to be changed in response to a new threat, what are the timelines for that to be put in place?
  • Overview is important. If you outsource something, you should have the ability to overview its management. It should not be treated like a black box that you can't touch, especially if it's a security function.
