Issue No. 04 - April (2002 vol. 35)
pp: 20-21, 26
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MC.2002.10026
Bruce Schneier, Counterpane Internet Security, Inc.
Deciding to outsource network security is difficult. The stakes are high, so it's no wonder that paralysis is a common reaction when contemplating whether to outsource or not:

- The promised benefits of outsourced security are so attractive. The potential to significantly increase network security without hiring half a dozen people or spending a fortune is impossible to ignore.
- The potential risks of outsourcing are considerable. Stories of managed security companies going out of business, and bad experiences with outsourcing other areas of IT, show that selecting the wrong outsourcer can be a costly mistake.

If deciding whether to outsource security is difficult, deciding what to outsource and to whom seems impossible. Over the past few years, we've seen many different companies offering different capabilities under the general category of "managed security services." The field is so confusing that even the industry analysts can't agree on how to categorize the services offered. This company manages firewalls. That company offers periodic vulnerability scans. Another offers to manage security policies, or monitor the network, or install the IDS, or host the computers. Some of these businesses make sense, and some of them don't. Some will survive; some won't.
B. Schneier, "The Case for Outsourcing Security (Supplement to Computer Magazine)," in Computer, vol. 35, no. 4, pp. 20-21, 26, 2002.