Doors opening for outsourced security

Companies that offer outsourced enterprise security are overcoming preconceptions and winning over some skeptics.

Matt Hines, Staff Writer, CNET News.com, covers business software, with a particular focus on enterprise applications.
Chris Hoff isn't ready to throw caution to the wind, but the CIO is defying the conventional mindset about outsourcing enterprise security.

To keep operations safe at Western Corporate Federal Credit Union--known to some as the "credit union to credit unions"--Hoff has a long list of security issues to consider. And for one important element of WesCorp's defense--testing its IT systems for potential weak points--he signed on with an outside software provider, Qualys.

Hoff said he had to change a few minds in WesCorp conference rooms to get acceptance for his decision to use hosted vulnerability management. WesCorp has been using Qualys' online applications for the past year.

What's new:
Hosted security companies are offering to take over the job of checking the defenses of corporate networks.

Bottom line:
Despite some customers' misgivings about outsourcing security, hosted providers are likely to see their prospects take off, analysts say.


"I don't think that it would be fair or prudent to say, 'The time is right; the applications are here. So you can just outsource all your security operations.' But there are places where (hosted applications) can work as well as anything else," he said.

"When we looked at the various delivery models and compared costs at having to maintain and manage everything, including upgrades, the functionality and ease of deployment with hosted made for a very strong case," Hoff said.

The task of keeping up with security patches is one of the most demanding and frustrating jobs assigned to IT departments, which are often caught in a race to fix problems before an attack hits. For a network with more than 500 staff to serve, it can take more than 100 hours of work to do everything needed to fix just one flaw, according to Research and Markets.

With that in mind, companies that promise to take over the job of defending corporate networks against intrusions and vulnerabilities are likely to see their prospects take off, analysts say--especially as regulatory compliance becomes more of a concern.

The flow of threats such as the Sober virus is another ongoing worry. To help, Oracle puts out a monthly bundle of security updates, as does Microsoft, which pioneered the approach. But the various patch programs can be a headache for administrators, as the tussle over automatic installation of Microsoft's Windows XP Service Pack 2 illustrated.

It all adds up to a significant opportunity for companies such as Qualys and its rival, AlertSite, which also sells hosted vulnerability management. IDC analyst Charles Kolodgy said there are a number of reasons why customers, in particular small and medium-size businesses, will increasingly look to hosted security applications.

"There's a great business case with vulnerability management specifically," Kolodgy said. "The ability to install new threat updates easily and to cut time and costs by letting someone else manage all of that is a key. And you have a number of companies looking to improve those sorts of capabilities, in light of growing compliance or privacy concerns."

Qualys, which was founded in 1999 and is privately held, grew from $8 million in revenue in 2003 to roughly $16 million in 2004, according to Kolodgy's estimates. The Redwood Shores, Calif.-based company has said it will double that sales total by the end of 2005. By marketing itself as a low-cost, rapidly installed alternative for companies looking to improve their ability to manage vulnerabilities right away, the analyst said, Qualys might easily achieve that figure.

Traditionally, most companies have used packaged software from security specialists such as Symantec and McAfee to tackle such tasks, or have developed their own systems.

Stepping outside
The switch to Qualys' online security hosting has worked out for Hoff, who is an unpaid advisor to the company. The CIO said the scanning tools produce a low number of false-positive results for vulnerabilities and that the company's applications have integrated easily with WesCorp's other systems.

Overall, Hoff said that any reservations he may have harbored regarding hosted security have eased the longer he has been a customer--an experience that industry experts said is becoming more common among other companies.

Almost half the business executives that technology researcher Sara Radicati has interviewed said they might consider such online applications. That marks significant progress in overcoming preconceived notions about the products, said Radicati, who heads her research firm, the Radicati Group.

"We get a mixed set of responses around hosted security. It seems arbitrary, but there are still a lot of negative perceptions out there," the analyst said. "Half of the companies we ask say they would never consider doing it, and some are enthusiastic and couldn't care less that a solution is hosted. But it seems like more companies would be willing to think about it all the time."

Some CIOs have said they are worried that handing over large volumes of critical corporate data to outside providers could open the information up to being stolen, intercepted, corrupted or lost. Recent data breaches at LexisNexis and other companies, though a different kind of information exposure, have underlined the risks.

One of the reasons why executives are warming to hosted security, Radicati said, is the growing success of companies that market other kinds of online applications, such as customer relationship management provider Salesforce.com.

SOX appeal
Regulatory compliance demands, such as the Sarbanes-Oxley Act in the United States, could also help jumpstart the hosted security market, Kolodgy said. Qualys recently launched a service aimed at helping companies meet such requirements, and AlertSite offers hosted compliance tools as well.

Philippe Courtot, Qualys' chairman, said that such compliance needs are perfectly tailored to services such as those sold by his company. That's because the guidelines are pushing smaller businesses, with limited budgets and IT staffs, to put relatively complex security systems into place.

"The beauty of this timing is that these small companies can have the same sort of security performance as a larger enterprise because we devote every bit as much attention to protecting their operations as a large IT division could," Courtot said. "It's the same idea as Salesforce.com taking customers away from Siebel because they have moved faster and cost less. That's what we're trying to bring to hosted security."

Courtot conceded that some companies will always view hosted security as too risky. But he believes that as time passes, the arguments against sending such work out might lose some force if Qualys and its rivals grow.

Hoff said that WesCorp's IT department is fairly forward-thinking, so he didn't have to go to great lengths to get the hosted model adopted. But Hoff said he understands why some companies might still take a cautious approach to the tools. And although WesCorp might consider other outsourced security applications, for operations such as maintaining the company's firewall, Hoff is not ready to give up the keys.

"Outsourcing everything in your security infrastructure in terms of management--we haven't done that and don't plan to," Hoff said. "But in this case, it made good business sense and turning it on quickly was a very big lever for us. When it comes to other security services, we'll see what happens down the road."