How far should you trust an outsider to protect your infrastructure?
- By William Jackson
- Oct 01, 2007
It's the worst nightmare for any agency information technology official: A headline on Page 1 of the Washington Post that the company you hired to protect your network was looking the other way when hackers broke in.
That was the situation at the Homeland Security Department last month, when it was revealed that Unisys, which had contracts worth $1.7 billion to provide intrusion detection for DHS headquarters systems, failed to detect network intrusions that went on for three months while an estimated 150 computers were broken into. Unisys is alleged to have covered up the incidents, and now the FBI is investigating.
This is exactly why managed security services has been a dirty phrase in many federal agencies. There just seems to be something wrong about handing the family jewels over to a hired gun. If something is worth protecting, shouldn't you do it yourself?
Maybe. But like it or not, agencies are being driven to consider managed security services, and the federal market research company INPUT says government is likely to be a growing, although cautious, market for service providers. They are being pushed to it by a combination of financial and regulatory requirements, said Chris Campbell, senior market analyst at INPUT.
'They are having to grapple with increasingly tight budgets, and OMB is constantly putting pressure on them to focus on core missions,' Campbell said. 'And IT services is not part of any one agency's mission.'
Coupled with this is the challenge of hiring and keeping trained employees capable of handling the increasingly specialized, complex job of managing and protecting IT systems. The government, with its aging workforce and lower pay scales than much of the private sector, could be hit particularly hard by manpower issues, although so far it has managed to avoid the worst of them.
'Everyone has predicted this would be a bigger issue than it has yet become,' Campbell said. What government employment lacks in upfront pay it makes up for somewhat in benefits and job security, and many people are staying on the job longer. But staffing will inevitably become a problem, and it is likely to be worse in government than in other sectors because there is no depth on the bench. 'When these people do step out, there will not be much to fill those positions from.'
For these reasons, and despite the nightmare headlines, Campbell concluded in a recent report that 'adoption of managed security services is expected to increase due to the fact that they provide agencies an affordable and practical way to meet mandatory compliance rules and obtain the necessary expertise.'
If security outsourcing is inevitable, how do you keep from ending up on the front page of the Post next Monday? By carefully managing each phase of the outsourcing process. Out-of-house should not mean out-of-mind.
Those who are performing worst in annual security assessments may stand to gain the most by turning the job over to professionals. The choice of a contractor should be made carefully, closely examining the capabilities and track record of each bidder. But as the Unisys case shows, going with a well-known and established name is not enough. Both parties need to agree on detailed, ironclad specifications in the contract, with performance metrics clearly spelled out. This is not simple because the job of security, after all, is to keep something from happening, and measuring things that do not happen is difficult.
In the end, every agency is responsible for its own security, regardless of the ability of the hired hands it turns the job over to. Those hired hands will have to be closely managed, and that is an in-house job.
Outsourcing security is not an inherently bad idea, but like any idea, its worth depends on its execution.
William Jackson is a Maryland-based freelance writer.