Companies consider outsourcing security ops

One of the last bastions of corporate computing appears to be ready to fall to the outsourcing wave.

A number of leading security and services vendors, including Accent, Network Associates and Trend Micro, are rolling out products and services that offer to unload the burdens associated with protecting a company's resources from hackers and viruses entering via the Internet.

The thought of handing over management of a company's security operations might have been unheard of just a few years, or even months, ago. But as corporations increasingly consider outsourcing mission-critical applications, such as PeopleSoft or SAP, they're also beginning to ask, "Why not security?"

Michael Burke, vice president of technology planning at Bank One, said most companies will walk, not run into decisions to outsource their security operations, but he believes it's only a matter of time before it becomes a common practice.

Scouting talent

"You have to consider what's happening in the marketplace," said Burke, who took part in a panel on outsourcing at last week's Networld+Interop in Atlanta. "You can't get the talent in-house, or attract the talent because these people [security professionals] are in such high demand.

"You want to make sure that you set the policies, and you determine the direction - but otherwise it makes sense to take advantage of the expertise that might be available out there [from outsourcers]."

Network Associates, with partners that include Frontier Communications, is making an aggressive push into the emerging market, rolling out a series of products and services last week under the "e-ppliance" banner. The e-ppliance product family offers anti-virus, firewall and virtual private network capabilities in a single plug-and-play box. The security device can be managed in-house, but Network Associates believes an increasing number of corporations will opt to have the appliances managed remotely by Internet service providers, telephone companies or security consulting firms. It announced a deal with Frontier Communications that will see Frontier offer outsourced security management services to its clients using Network Associates hardware.

Network Associates also will provide its own staff and consultants to Frontier, based in Frontier's Detroit offices.

The companies said they will begin customer trials next month with widespread availability in the first quarter of 2000.

Bill Larson, president and chief executive at Network Associates, said a number of factors are coming together to drive companies toward security outsourcing. The most obvious is the lack of skilled security personnel. He pointed to a recent Ernst & Young study, which found at least 55 percent of companies don't have enough staff to monitor e-business security.

The second driver is the difficulty in keeping up with new viruses and forms of hacker attacks. Close to 1,000 new viruses are being reported every month.

Viral protection

The third, and perhaps most important driver, is the need to create a uniform level of security among members of value chains. The developing Automotive Network Exchange, a network representing 38,000 small and mid-sized suppliers to the Big Three automakers, is dictating that those suppliers adhere to certain security requirements. Larson said for many of those smaller suppliers, remotely managed security suites may be the only viable alternative.

"I tell you that in a year from now, there won't be a firewall market, or an anti-virus market, or an intrusion detection market," he said. "There will simply be a security system market."

Network Associates isn't alone in pursuing the outsourced model. Accent bought services firm Secure Network Consulting to distribute and manage its security products. And then earlier this month, anti-virus vendor Trend Micro announced it had struck deals with Sprint and U S West. Those companies will offer Trend's anti-virus technology to their clients at the network level.

Trend said the service won't eliminate the need for anti-virus software on the desktop, because viruses could still enter the corporate network from floppies or malicious employees. However, the service will extend the perimeter of defense and hopefully eliminate outbreaks such as the Melissa virus.

Remote imperative

Eric Hemmendinger, a senior analyst at Aberdeen Group, said most security vendors will have to move toward remotely managed offerings, if they are to compete in the new computing world.

"We believe the demand already exists," he said. "The companies we talk to are struggling to keep their staff. Once they train a guy really well to do it [manage their security infrastructure], he's out the door because he can get more on the open market."

Still, not everyone is convinced. Larry Thomas, assistant director of information systems at Florida Atlantic University in Boca Raton, Fla., said that no matter how dire the need, it would be tough for him to turn over systems security to an outsider.

"I'm not ready to do it," he said. "I think a lot of people are going to have trouble outsourcing something so integral to their business."