Taking it outside

As the IT-based economy revives after several tough years, IT departments have swallowed plenty of bitter medicine, but is an increased emphasis on outsourcing security a step too far? Many in the Middle East see outsourcing security as risky and unnecessary, despite signs that it could become widely accepted practice in Europe and the US. NME investigates how the Middle East will develop its outsourced security story.

By Simon Duddy. Published October 26, 2004

Outsourced security has never been an easy sell, as the enterprise traditionally jealously guards its data and security processes. However, there are signs that a culture shift could be occurring, with some enterprises recognising that they can focus better on their core business if the security aspect is taken care of by a third party.

Findings from the Yankee Group suggest that enterprises will increasingly turn to managed security services providers (MSSPs) for solutions in the coming years. The research firm claims enterprises will outsource almost 90% of their security needs by the end of the decade. Gartner also reports that, by 2005, 60% of enterprises will outsource the monitoring of at least one network boundary security technology. This trend towards greater outsourcing of security has been noted in the USA and Europe, and the big question is whether the Middle East will follow suit and embrace this change.

Those in the pro camp argue that outsourcing security brings many benefits, not least that it is simply a more effective option. The argument goes that an MSSP’s team of full-time experts, who have dealt with security issues in a wide variety of situations, will perform better than in-house staff who deal with security on a part-time basis. This argument has become more persuasive given the increased pace at which virus writers and hackers are evolving threats. “The need to stop zero-day attacks and stay ahead of the hacker curve will drive enterprises to choose MSSPs with the most experienced security gurus,” says Matthew Kovar, security solutions & services, Yankee Group.

While the effectiveness of the security solution is critical, the main driver behind outsourcing security is cost. Many enterprises are looking to trim costs, while smaller enterprises struggle to afford a dedicated IT security staff. Taking the security problem outside typically works out much cheaper than shouldering the burden within the company. With staff the most important cost, the shortage of qualified information security personnel both worldwide and in the Middle East has increased security expenditure further. “Finding and attracting qualified staff is difficult and puts tremendous pressure on IT departments. The cost of in-house network security specialists can be prohibitive,” says Andy Rattigan, vice president of international business for e-mail security firm Avecho.

In a similar vein, outsourcing security can be an opportunity for companies to rationalise their security strategy. In many organisations, security solutions have been put together on an ad-hoc basis with no coherent, enterprise-wide strategy holding them together. Moving security to a capable service provider can help to weed out inefficient processes and simplify management across the business.

Processes are key to the issue of outsourcing security. Alongside cost savings, the main benefit is that it allows the enterprise to concentrate on its core business. For example, with security outsourced the IT department can concentrate on tasks such as virtualising the data centre, without having half of the team looking over their shoulders at possible security problems.

Nevertheless, the idea of outsourcing security has not had much traction in the Middle East, with local companies typically hostile to the idea of handing over the reins of their security to an outside party. IT outsourcing in general has been slow to grow in the region, so it is little surprise that resistance to security outsourcing is more marked.

“The main stumbling block is companies’ reluctance to hand over the management of such a critical task like network security to an external entity,” says Sherif Shaltout, senior information security analyst, ISS. “Companies in the region tend to very highly regard the confidentiality of their information and would be very reluctant to give full control to an external entity regardless of how strict and assuring the outsourcing contract terms are,” he adds.

The trust issue is exacerbated by the fact that outsourcing companies are traditionally western, and most Middle East enterprises, while happy to consult with western specialists, are reluctant to hand over mission-critical systems to them. Linked to the cultural issue is the thorny question of legal responsibility. Naturally, Middle East enterprises are reluctant to put much faith in companies that have their base outside the jurisdiction of the country in which they are located. “We recommend that organisations in the Middle East look to local MSSPs to guarantee that the organisation’s communications are kept within their own country’s legal jurisdiction and not in locations where the clients have no legal redress or control,” says Rattigan.

This trust issue has created a demand for local MSSPs, but there are signs that the market is not yet ready to fulfill that demand. The relatively low level of IT sophistication in the region means a steep learning curve for any company that wants to gain the critical mass necessary to become a viable security outsourcing vendor.

“We carried out a survey to assess security outsourcing in the region in October 2003 and we concluded that the market was not mature enough. There was only one vendor (DataFort) that was ready in the region at that time and we didn’t want to risk it,” says Adel Ahmed Al Zarouni, senior vice president of IT, Abu Dhabi Islamic Bank.

Since late 2003, however, some positive steps have been taken in the region, most notably when Dubai Internet City announced the Dubai Outsource Zone, which will open in 2005 and provide the infrastructure and environment for outsourcing companies to set up global or regional hubs, while offering tax breaks and support services. “In the initial period, our main market will be from within the region itself. The Middle East has long been sleeping over the possibilities that outsourcing can offer,” says Dr Omar Bin Sulaiman, chief executive officer of DIC. “There is little outsourcing in the Middle East at present. This is because the region is still developing in terms of its economy and technology. But, on the flip side, this represents opportunities — it’s an untapped market,” he adds.

Companies have also established themselves in the region to cater to increasing demand for outsourced services. For example, eHosting DataFort provides managed services for companies within the Dubai Technology and Media Free Zone (TECOM). Keenly aware of the cultural issue, eHosting DataFort has leveraged its regional perspective to win business, most notably online marketplace Tejari. “As an organisation based in the United Arab Emirates, we know the culture, understand the regional mentality and grasp the level of service required,” says Maha Al Amir, marketing manager, eHosting DataFort. “In the western world, they stick too rigidly to the contract, so if something happens outside the contract they will negotiate with you to change it. We implement first and talk about the contract after. This was one of Tejari’s main attractions to eHosting DataFort. They could have continued to host in the USA but they decided to go with us because of the local element,” she adds.

In a bid to overcome the reluctance of regional players to trust a foreign MSSP, global outsourcing firms are keen to partner with local companies. This promises a potent marriage of local accountability and global clout. An example of this is Symantec and IMT’s partnership in Saudi Arabia, which sees the Saudi company front the operation while drawing on Symantec’s worldwide network of security operations centres (SOCs) to provide early warning against any potential threat to enterprises. “They [IMT] take care of the implementation, configuration, response and remediation and outsource monitoring to us. The customer sees one entity and the solution, being both local and international, delivers value from both perspectives,” says Kevin Isaac, regional director, Middle East & Africa, Symantec.

The trust issue is not simply a case of culture, however, and MSSPs can do a lot to build faith by introducing transparency to their processes and fully explaining the nature of their solutions. For example, many MSSPs, despite monitoring the security systems of the enterprise, claim not to have access to a company’s data. “We do not monitor the data stream, we monitor the devices. Just because we are handling security doesn’t mean we know the content of the traffic,” says Isaac.

Trust is the main stumbling block in the way of serious outsourcing of security in the Middle East, but it is by no means the only one. There is also a perception in the enterprise that specialists are not necessarily more effective than a well-drilled and well-funded in-house team. For one, the in-house team is generally thought to have a better understanding of the processes and needs specific to the enterprise.

Resources are another key differentiator in the Middle East, with many enterprises, despite a difficult five years for IT departments globally, still able to allocate large budgets to IT security. With this budget comes a belief that the enterprise is up to the task of meeting whatever challenges lie ahead. Indeed, the argument that an enterprise with a well-trained and motivated staff and the latest products, plus thorough understanding of their circumstances, can stay one step ahead of the hackers, is a convincing one. “We have enough staff, who are well enough qualified, to handle security ourselves,” says Hussein Ali Ghanimah, head of IT operations, Juma Al Majid. “As well as the manpower, we have the technology we need, plus the support from security vendors whose products we use, to do a good job. So we decided not to take the risk of outsourcing to a third party that does not understand our network traffic and situation,” he adds.

Countering these arguments, the MSSPs state that companies can mistake familiarity for insight and that only security experts can really understand the issues of security. MSSPs also challenge the assertion that money is the key to enterprises doing a good job of handling their own security. They single out focus as an important criterion alongside resources and warn that unless an appropriate culture exists, an ineffective security policy could amount to little more than a mammoth waste of money. “Potentially, wealthy companies can handle security themselves but they have to have an IT-centric environment and they need time on their hands,” says Isaac. “Our response time is under ten minutes and it doesn’t matter where on the globe the company is. I know large companies in the Middle East that are looking at log files from the week before,” he explains.

The nightmare for any company is that the outsourcing firm they entrust with their security will be negligent and this will create a serious security breach. Measures can be taken, however, to ensure that the outsourcing firm takes its responsibility seriously. Clearly the service level agreement (SLA) should be looked at very carefully and a policy of ‘watching the watchers’ is advised. This is where a third party is hired to test the integrity of the outsourced security solution. At the end of the day, a leap of faith is involved, but by taking MSSP credentials and SLAs into account, a company should be able to make a reasonably solid assessment. Meanwhile, outsourcing vendors are working hard to bridge the credibility gap; for example, ISS offers its managed security service with a money-back guarantee, although its services extend only to ISS products.

In its purest form, that is, encompassing all security monitoring and management, outsourcing has not had a big impact in the Middle East. But there is a huge grey area between complete outsourcing at one end of the scale and companies simply selling products at the other. This area is growing much faster, with consulting services, which can use skills and experience to raise the security posture, a popular weapon in the IT manager’s armoury. Vendors are increasingly adding services as well as selling products, with the deal between Trend Micro and Bahrain’s Central Informatics Organisation (CIO) a good example. Trend Micro provided its traditional offering — antivirus and content filtering software — but has also brought on-site consultancy and training for CIO staff and government employees. As security demands become more complex, there will be greater onus on security companies to offer more than a point solution. As companies become more accustomed to outside parties helping with security, this trend could lead to a greater acceptance of outsourcing in its most complete form.

The prevailing belief in the Middle East is that the enterprise itself is best equipped to take care of security, but companies are under assault from outsourcing vendors based both within the region and without. The mentality of the enterprise is unlikely to change swiftly, if at all, but with an effective security policy ever more difficult and costly to achieve, the winds of change could be blowing in the direction of outsourcing.
