Most companies are spending about 1% of their IT budgets on security when they should be spending in the 3% to 5% range, said Earl Perkins, senior program director with the META Group's Security Infusion team based in New Orleans.
Speaking at the recent E-Security Conference and Expo in Boston, Perkins said spending does vary by industry, with financial services firms pending 7% to 9% on security, and manufacturing companies spending 3% to 5%. Example security budget line items, in descending order of deployment percentages as found by META Group's research, include: virus protection, firewalls, virtual private networks (VPN), application encryption, intrusion detection, vulnerability assessment, strong authentication and pubic key infrastructure (PKI).
Companies that commit to a high security standard are considering hiring from a new segment of service provider, namely managed security services firms. These firms are cropping up in response to two key trends: security is becoming a higher-level management concern, and security expertise is in short supply.
The managed security service players are stepping in, seeing an opportunity. A recent META survey found that 20% of companies surveyed are currently using a security service and 37% are considering it. But companies need to make a business case internally for why security needs to be managed externally, not an easy case to make for many companies. Perkins suggested IT managers should focus on the critical security stress points when making plans.
To make the assessment of whether your company is a fit for managed services, ask these questions:
- Is your expertise in e-security advanced?
- Do you have any staff with the time to handle the responsibility?
- If you do have the expertise on staff, can the work be done in a timely manner?
- Is outsourcing of e-security too sensitive for your organization?
- What are the strengths of your IT organization?
META research shows the most important issues for IT organizations considering a security service, with most important listed first, are: technical capabilities, escalation procedures, penalty clauses in contacts, and the vertical market experience of the provider.
Once the decision has been made to seek a service firm, Perkins strongly advised the use of a request for proposal (RFP). The document forces the organization to conduct a detailed assessment of its needs, including the state of its own policies. Then the evaluation team engages in a detailed evaluation of the service providers. This should define the organization's needs in a priority order, and rate the service firms according to how well they can meet the requirements. The firms should also be rated according to their business maturity.
"You need someone in the organization to manage the contract, to serve as a liaison between the service provider and the enterprise, " Perkins said. "That interface must be defined properly. It could make or break the relationship."
META's research found that products currently outsourced, most popular first, were: firewalls, virus protection, vulnerability assessment, VPN, PKI, application encryption, strong authentication and intrusion detection.
Managed Security Service Firm Landscape
META defines four broad categories of security services providers: planning and designing firms, which can be large consultancies or small, boutique firms; builders, such as value added resellers and network/system integrators; operators, including carriers and ISPs; and legacy outsourcers.
"Be careful about the agreements you make with these companies, and don't believe everything they say they can do," Perkins advised.
He divided the players into four critical security areas - firewalls, VPNs, intrusion detection and PKI - while outlining concerns in each one.
Concerns in the firewall area include maintenance practices, time to make changes, limits and fees for changes each month, external management channel, time to notification, management and reporting, and pricing.
For VPN providers, consider client/user management, reporting and real-time monitoring, performance of the provider's backbone network, support for off-net users, interoperability, availability and latency.
Concerns in the intrusion detection area include: alerts vs. analysis; alert vs. reactions; data management overhead; product weaknesses and evolution; pricing; and assessing expertise.
In the PKI area, concerns include trust position, division of responsibilities, scope of services, physical security, and product lock-in and interoperability.
The specific players Perkins mapped to the firewall service provider area include: Genuity, Spring, UUNET, Salinas, NetSolve, Ubizen, DefendNet, Riptech, Internet Security Systems (ISS), Lucent, Compaq, Unisys, Telenisus, Pilot Network Services, PacBell and Concert.
Companies he mapped to the VPN area include: Genuity, UUNET, AT&T, PacBell, Sprint, Equant and Infonet. Companies he identified in the intrusion detection area included: ISS, Counterpane, NetSolve, Telenisus, Pilot Network Services, Qualys and METASeS. Companies he outlined in the PKI area included: Verisign, Baltimore, Entrust, Valicert, beTRUSTed and Identrus.
As the managed security service market matures, players are likely to emerge that combine firewall, VPN, PKI, directory, hosting, management, billing, transport, privacy and other services. He calls such providers Extranet Service Providers (ESPs), but doesn't expect them emerge until 2003.
Other security services that may be offered in the future include reporting and log analysis, strong authentication, and secure utilities.