Is that really the future of security?

by Anton Chuvakin

Is all security destined to be outsourced? Is that really the future? Analyst firms adore big loud statements and this one qualifies: "All Big Companies Will Outsource Security By 2010".

The justification is the classic "security isn't a core competency" argument: for most companies it isn't, so they need to outsource.

There are also some minor bits that will get folks worried, such as this one: "application code review ... simply can't be done cost effectively in North America."


Derek Vadala
2004-08-31 07:26:00
All or nothing? What about outsourcing things that make sense...
Keizer ignores an important point: will companies really be willing to give a third-party this kind of access and control over their networks? What effect could that have on regulatory compliance?

I also question what he thinks will be outsourced. Managed firewalls seem like a weak candidate to me-- they're commodity, easier to manage every day, and when they are managed internally you don't have to comply with someone else's arbitrary maintenance schedules.

The "trend toward pushing out the network perimeter to include partners and remote workers" seems like a weak argument too. Deploying client-side security agents to a few thousand users and outsourcing support seems like a recipe for disaster to me. The problem here isn't that big companies can't handle the problem, it's that there isn't a good solution, yet.

It's pretty obvious why anti-spam has succeeded here: a) most commercial, self-managed solutions are quite poor; b) the good commercial solutions are extremely expensive and are just repackaged open source products; and c) the best solutions are typically open source, and big companies are remiss when spending money to develop solutions like this in-house.

I don't think outsourced anti-spam will last forever. There are significant trust issues with routing company mail through third-parties, even if it's just external mail.

But, IDS processing, log collection, and event correlation are great candidates for outsourcing. It's easy to miss something important, especially when you don't have a NOC or a well-trained, 24x7 staff.

Why wait ten years to outsource the stuff that makes sense?