Offloading security strategy and day-to-day operations to a managed security service provider can free up IT resources. But be prepared: It’s not an entirely hands-off proposition.
Phenix Energy Group, an oil pipeline operator and construction company, is preparing to take its IT infrastructure from zero to 60 in a matter of months. To get a years-in-the-making pipeline project off the ground, the company is preparing to grow from a relatively small office environment to a data center setting of 75 servers and 250TB of storage. As a result, security, which hasn’t been a top priority, is suddenly a big deal, according to CIO and COO Bruce Perrin.
Given the high stakes — a downed system could cost about $1 million an hour — Perrin has spent the past five years researching options. While he’d prefer to run security in-house as part of an on-premises data center, Perrin is leaning toward outsourcing the function, at least initially, because he doesn’t have time to staff up a dedicated information security department in the few scant months before the pipeline goes online.
“This project is huge. No one person is capable of managing this kind of IT deployment in 90 days,” says Perrin, who’s evaluating IT security value-added resellers and managed security service providers (MSSPs). “I don’t have an alternative to outsourcing — I need to bring someone in who can provide the security level we need and help us with the deployment, with the ultimate goal of moving everything to on-premises.”
Why outsourcing security makes sense
Just like Phenix Energy Group, many small and midsize companies are gravitating toward an outsourced model for security and day-to-day operations, given the increasing number of data breaches and the heightened focus on risk. In a recent survey of 287 U.S.-based IT and business professionals conducted by CIO, CSO and Computerworld, 56 percent of the respondents said that their organizations are enlisting outside consultants to help with information security strategy, and 40 percent said they’re turning to MSSPs.
According to the survey, the top functions being outsourced are penetration testing/threat assessments (cited by 70 percent of the 190 respondents who said they’re turning to consultants and MSSPs), spam filtering (46 percent), threat intelligence (40 percent), log monitoring (34 percent), anti-DDoS/web application firewall protections (27 percent), business continuity and disaster recovery (26 percent) and awareness training (22 percent).
Outsourcing security functions appeals to small and midsize shops in particular because their resources are often already stretched thin and most lack the bandwidth to adequately perform security functions, experts say. Smaller organizations are also less likely to have people with specialized security skills who can focus on staying on top of a continually shifting landscape.