If that weren’t enough, there’s the burden of laws and regulations that have banks struggling to avoid being choked by red tape. The U.S.A. Patriot Act, under its “know your customer rules,” requires banks to authenticate the identities of new customers and ensure that personal information is secure. The Sarbanes-Oxley law requires banks to implement access controls to data and computer programs that contain sensitive information. And Basel II, the new regulatory capital regime that takes effect next year, requires that banks monitor operational risks, including computer breaches.

The Business Case

The business case for outsourcing information security is a sound one — experts say. Managed-security services is one of the fastest growing market segments in the security marketplace, according to Gartner. Gartner reports that as of 2005, 60% of enterprises were outsourcing the monitoring of at least one network boundary security technology. According to IDC, as of 2004, security services was a $16.5 billion industry with a compound annual growth rate of 35%.

In a managed-security deal, the organization shares information-security risk and business risk with the managed-services provider. Such deals provide access to a range of security services and to skilled staff whose full-time job is security.

According to the CERT Coordination Center of Carnegie Mellon University, such services may include network- boundary protection (including managed services for firewalls, intrusion-detection systems and virtual-private networks); security monitoring; incident management (including emergency response and forensic analysis); vulnerability assessment and penetration testing; anti-virus and content-filtering services; information-security risk assessments; data archiving and restoration and on-site consulting.

The cost of a managed-security service is typically less than hiring in-house, full-time security experts. For example, a managed-security provider can set up and monitor security on a 250-user network on a single T1 (1.5 Mbps) Internet gateway for about $75,000 a year, excluding hardware. Replicating these actions within the organization produces similar hardware costs, plus at least $240,000 in annual compensation to hire three full-time specialists.

A shortage of qualified information-security personnel puts tremendous pressure on IT departments to recruit, train, compensate and retain critical staff. The cost of in-house network-security specialists can be prohibitive. In an outsourcing deal, the costs to hire, train and retain highly skilled staff becomes the service provider’s responsibility.

A managed-security provider can offer an independent perspective on the security posture of an organization and help maintain a system of checks and balances with in-house personnel. It can thus provide an integrated, more coherent solution, thereby eliminating redundant effort, hardware and software.

When an organization contracts for security-monitoring services, the service can report near real-time results, 24 hours a day, seven days a week and 365 days a year. This is a large contrast with an in-house service that may only operate during normal business hours. Service-security solutions and technologies such as firewalls, intrusion-detection systems, virtual private networks and vulnerability-assessment tools are far more effective when they are managed and monitored by skilled security professionals. For example, when an intrusion is detected, service providers can use a remote monitoring connection to determine whether the alarm is justified and block further intruder actions. A managed service can protect the client’s network from unsecured VPN endpoints for products developed by the Managed Services Security Provider (MSSP), and used in their services, the client organization receives an enhanced level of product support.

Risk Mitigation

In deciding to retain an MSSP, an organization needs to treat the potential action as a risk mitigation sharing decision. When weighing the risks, banks need to consider issues such as trust, dependence and ownership.

Establishing a good working relationship and building trust between a client and service provider is critical in deciding whether to outsource security services. Any service provider has access to sensitive client information and details about the client’s security posture and vulnerabilities. The intentional or inadvertent public release of such information can be extremely damaging to the client. A signed confidentiality agreement enacted in the later stages of contract negotiations can help mitigate this risk.