Outsourcing Trends: Vendors Offer Efficiencies to Employers, Opportunities to ProsDown Economy and Increased Business Also Bring Extra Scrutiny to Service Providers
In other words, it's a prime environment for third-party service providers - outsourcers - to flourish. Especially in helping organizations manage risk.
"Risk stemming from vendor, supplier, and partner relationships has always been a complex and costly area of enterprise security, risk and compliance management," says James Christiansen, CEO, Evantix LLC, a provider of eBusiness Risk and Compliance Management Solutions. "However, managing this risk with in-house resources and tools has proven for most companies to be too cost prohibitive and grossly inadequate."
Organizations, then, are increasingly looking to outsource the discovery, assessment and monitoring of this risk in an on-demand arrangement, without investing in or maintaining costly internal resources.
"Since the core value propositions for outsourcing are to be able to provide an IT function better, faster and cheaper than a customer can do it themselves, economic pressures generally provide more upside than downside for service providers in these tough times," says Doug Howard, Chief Strategy Officer, Perimeter eSecurity.
But with great opportunity in these challenging times comes a greater need to prove business value. Service providers all agree that they are increasingly held to the fire to prove their business value to their customers and ensure that operations run smoothly.
"As we look out at the market, there is no question there is a battle of confidence," says Dave Miner, Senior Director of Worldwide Financial Services Industry Solutions, Symantec Corporation. "[But] you still have to have the lights on and run the business. Securing and managing information from each individual endpoint, whether an employee laptop, mobile telephone, or your personal computer at home, is still fundamental to the business."
The Marketplace: What's Hot?
The outsourced services most in demand today range from core security managed services, including firewall monitoring, intrusion detection, intrusion prevention, eMessage security, vulnerability scanning and log review and management services, to audit and compliance configuration and monitoring.
A spokesperson from Accenture says identity and access management, information security, privacy and assurance are among the services most in demand by federal government agencies. Hart Rossman, CTO, Cyber Programs, SAIC, says his company's services include providing lifecycle information assurance solution - "everything from helping develop requirements, design and architecture, software development, integration, implementation to disposition."
Challenging economic conditions usually result in increased regulatory scrutiny within financial institutions and government. As a result, vendor companies are forced to beef up their disciplines, employee skill set and services to serve the current marketplace.
Among the ways vendors are trying to make themselves more attractive to prospective customers:
- Offering flexibility in services and price points;
- Investing in organic growth by training internal pool of resources in required skill sets, including regulatory compliance and risk management issues;
- Providing dedicated client managers and data analyst teams to existing and new clients, thereby enabling custom reporting, trend analysis;
- Expanding in technology to address a wide spectrum of IT applications;
- Providing for cross integration of data, resulting in better IT governance, simplified reporting and reduced IT Audit cycles;
- Offering a host of solutions that can be customized to meet the unique needs of any organization - large or small;
- Demanding more from their employees and pushing them to work hard, increasing work efficiency and stepping up client relations in these tough times.
Looking ahead to the remainder of 2009, service providers foresee these key trends:
- Increased Scrutiny of Vendors: As companies look to cut costs through outsourcing, they will need to ensure that they are managing the additional operational and information risks that come with expanding their vendor ecosystem. "This is especially true as outsourcing often goes multiple layers deep, with vendors outsourcing to other vendors," Symantec's Miner says. "Managing and selecting vendors will become crucial here, often demanding additional scrutiny of current vendor services and IT systems including their data centers behind the scenes."
- Reduction in Security Spend: Many organizations and individual consumers will through necessity cut certain IT expenditures. As a result, the overall integrity of a transaction may become less secure. "If a consumer does not renew his AV, SPAM, etc updates and becomes infected and his credit card or banking information is captured, it often costs the consumer something and also the servicing financial institution takes the hit," says Perimeter eSecurity's Howard.
- Entrance of Low Cost Competitors: "Indian-based IT companies like Wipro and Tata, which were originally in application development and consulting, are now venturing into managed security services, offering solutions at low costs," says Doug Barbin, Director of Product Management at Verisign." "This will change the vendor landscape and intensify competition within the IT vendor community, and vendors will now have to work very closely with their customers to ensure they are justifying their cost/benefit ratio."
- Fewer Innovations: "We will see few new innovations in the marketplace," says Howard. "In addition, many of the innovations that had promise over the past two years will be slow to grow. Mainstay solutions that provide the largest level of security and risk reduction for the expense will continue to dominate the marketplace (i.e. eMessage Security, Web Content Security, Data Loss Prevention, Patch Management, and IPS)."
Tips for Maximizing Your Outsourcing Dollars
To best take advantage of the capabilities and efficiencies offered by your third-party service providers, the vendors themselves offer these tips:
- Know Your Vendor : To ensure outsourcing relationships are successful, organizations must know their vendors and ensure they have done a risk assessment of each provider, understanding fully what they offer and how they can work together. "In addition, they must understand their vendors' security strategies," Miner says. "It is also important to ensure they are a good match for their vendor. Institutions want vendors that understand their business and share their commitment to security and compliance. Vendors must be transparent."
- Outsource to Improve End-User Experience : While outsourcing provides a positive Return On Investment (ROI) and Total Cost of Ownership (TCO) relative to performing most IT services in-house, organizations should also look to optimize a transition from in-house to outsourcing -- not only to reduce cost, but also improve flexibility in technology, improved service delivery and SLAs, meet compliance requirements, and further their focus on core services. "If an outsourcing relationship only proves to reduce cost, while not improving the end-user experience for an organization, it is a lost opportunity" adds Howard.
- Manage Vendor Risk : Organizations are placing more significance in managing the vendor risk, says Christiansen. "Companies need to address if they want to be doing business with a vendor that is cutting costs by not securing their information," he says. "When a security breach occurs at that vendor, the regulators, Board of Directors and organization's customers will be asking 'What did you do to ensure that data was secure?'"
Just because an organization is outsourcing elements of security doesn't mean that security pros are necessarily out of work. Most security vendors and government contractors hire security practitioners for positions such as security/network engineers, system and software professionals, requiring hands-on experience in designing and implementing security policies and infrastructure in a multi-customer ISP Data environment. Also, heavy technical experience in a technical support environment is a must.
Security professionals interested in working with security vendor companies must have the following:
- Experience in a wide spectrum of IT applications and software technologies;
- Familiarity with TCP/IP protocols and services (ARP, DHCP, ICMP, SNMP, etc.);
- Experience with the following: Unix/Linux, Firewalls, Routers, Hubs;
- Exposure to some of the following tools: Snort, Nessus, nmap, ntop, NA/Sniffer Pro, snoop, tcpdump, ethereal and other Open Source tools;
- Ability to support enterprise network security infrastructure, develop enterprise security solutions and ensure system and applications designs are in compliance with mandated security requirements;
- Strong customer relationship and negotiation skills to ensure a credible image is presented to customers and the necessary relationships are fostered at all levels to enhance chances of success;
- Good business acumen with the ability to understanding industry dynamics, the competitive environment and customer business drivers;
- Security and network certifications including- MCSE Certified; CISCO, CISSP, CompTia+ Security;
- Bachelor's degree in related field and 2+ years related experience in a software/systems engineering environment. Advanced degree preferred;
- Excellent written communication skills and ability to handle multiple deadlines.