INSIDE OUTSOURCING
New choices are available in information security outsourcing these days, spurred by factors that include proliferating federal regulations, terrorist threats, natural disasters like Hurricane Katrina and growing convergence with physical security. Information security specializations are emerging and widening across both vertical arenas such as government, healthcare and transportation, and functional areas, such as cargo protection and criminal forensics.
By the year 2010, 90 percent of all enterprise information security will be outsourced, according to a widely cited study by the Yankee Group, Boston. Even for large enterprises, skilled information security professionals are hard to find and costly to keep on board; thus, outsourcing is becoming more popular.
Moreover, with increasing complexity in the security field, these difficulties are magnified for many businesses and government agencies, both large and small. The healthcare industry, for example, now faces HIPAA, a set of federal regulations calling for privacy rights around medical records.
Prior to HIPAA, physicians and hospitals were relatively slow to automate. Most doctors today do not even have a full-time IT person on staff, let alone a specialist in either information security or HIPAA compliance, says Manfred Sternberg, CEO of Bluegate Corp., Houston.
“‘Dr. Bob’ should not have to know about what to do about (computer) servers and e-mail systems,” Sternberg says. “Maybe he’s been using the brother-in-law of his office assistant (as a part-time IT consultant). But now, all the records in doctors’ offices need to be computerized (and made) secure. If the system goes down, do you want ‘Dr. Bob’ to have to go stand in line at Best Buy? That just wouldn’t be an efficient use of his time.”
What sorts of information security outsourcing services are available to government and businesses? Traditional choices revolve around two acronyms, each starting with “M” for “Managed.” MSPs (managed service providers) generally outsource information security in addition to other related functions, such as managing an organization’s Web site. In contrast, MSSPs (managed security service providers) typically address information security outsourcing only.
Types of information security services offered by MSPs and MSSPs can include: 24-hour off-site security operations centers; intrusion detection for fending off hackers; remote management for controlling access to computer networks by mobile employees and work-at-homers; risk assessment; and content filtering to stop spam, computer viruses and other undesirable data from entering the network via the Internet.
Over the past few years, traditional MSSPs such as TruSecure, Herndon, Va., and Atlanta-based Internet Security Systems have been getting a lot of company in the information security outsourcing ring. So have MSPs such as Armonk, N.Y.-based IBM Global Services and Hawthorne, N.Y.-based Xand.
Other players offering information security outsourcing include telephone and Internet service providers such as AT&T and Sprint; business consulting services such as Accenture; and a potpourri of different ASPs (application service providers) — a breed of provider that runs applications on its own Web servers and rents this software for Internet-based access by customers.
The much-ballyhooed convergence between physical and information security is cropping up in outsourcing, too. For instance, beyond information security, IBM runs a number of other IT and business consulting practices. One upcoming initiative has IBM planning to launch a new framework called GMM (Global Movement Management), according to W. Scott Gould, IBM’s vice president for Public Sector Strategy and Change.
Although not an outsourcing service in and of itself, GMM will bring together experts from a variety of disciplines within IBM. They will collaborate on securing information and physical cargo assets — along with other “key flows” such as people, conveyances and money — in the global economy against disruptive threats and on “building resiliency into the system,” Gould says.
GMM will also work with industry groups to promote standardization of the initiative, which centers around two prongs: a systems architecture and a governance structure.
Fears of terrorist attacks have played into outsourcing activity ever since the Sept. 11 attacks. This year, in response to Hurricanes Katrina and Rita, organizations have been particularly active in seeking help to keep their computers safe from the impact of natural disasters.
For example, just before Rita touched down in Texas, Bluegate received and honored a number of phone requests for secure data back-up services, Sternberg says. After hearing about Katrina’s devastation in Louisiana and Alabama, healthcare providers in the Houston region worried that their own computer data might get swept away by a hurricane.
At the same time, consultants in areas of physical security such as criminal forensics are now working in specialized areas of information security. Ronald R. DeLia, managing director for the Due Diligence practice at Boston-based Security Solutions Outsourcing Inc., points out that forensics still entails deep knowledge in the physical security arena. “Many employees who do something wrong attempt to destroy the documents,” DeLia says. In cases involving destruction of paper documents, it’s important to know the difference between crosscut and straightcut paper shredding machines.
“Crosscut machines are more expensive, so a lot of people do not use them. But documents shredded with straightcut machines can sometimes be pieced together,” DeLia says. “But our business has changed dramatically. It’s a global economy, and we have affiliations all over the world. We are not ‘gumshoes’ any more. We use a lot of computer-based tools.”
When documents are computer-based, wrongdoers will often try to erase them from the PC, sometimes going as far as “scrubbing” the hard drive in an attempt to delete all data.
“It used to be almost impossible to find data on a hard drive that had been scrubbed. But now there are tools available for dealing with these situations,” DeLia says.
All along the way, some information security outsourcers have been targeting specific vertical markets. Founded in 1998 by government security experts, NetSec, Herndon, Va., has seen its customer roster expand to include five of the 10 largest corporations in the world. The company claims to have more federal government customers on its own roster than any other MSSP.
Today, however, verticalization is moving faster than ever, according to some experts. In May of this year, for example, MSSP SonicWall, Sunnyvale, Calif., added a Government Systems Group for both federal and state agencies, teaming up with the Federal Solutions Group, Vienna, Va., in this market.
IBM’s upcoming GMM will also be organized along vertical lines, Gould says. As an initial target, IBM is eyeing the travel and transportation industry.
As Sternberg sees it, doctors and hospitals need outsourcing help right now. In fact, the opportunity is so strong that Bluegate recently acquired Trilliant Corp., Houston, an outsourcer specializing in services around medical accounting, clinical information applications, physician-order entry and enterprise gateways that stand between hospital networks and the Internet.
Beyond HIPAA, other government regulations are driving outsourcing activities, too. Security Solutions Outsourcing Inc., for example, still spends a lot of time on fraud cases and on doing criminal background checks on corporate officers in mergers and acquisitions.