Nor did they foresee a significant return on investment for developing and implementing their own security strategy - particularly due to the complexity and cost. Even with a steady rise in the economic loss of intellectual property, executives still find themselves asking, "How does this really affect my company?"
As businesses continue to adopt the Internet as a significant communications tool for managing customers, supply chains and electronic transactions, senior executives have finally started to understand why cyber security is integral to their business. The corporate community has accepted that much more is at stake than simply safeguarding intellectual property. Today's highly-sophisticated hackers and the emergence of multiple worm variants, downloadable hacking tools, liability concerns and the constant threat of denial-of-service (DoS) attacks have made it clear that network infrastructure security is essential to enterprise survival.
While security has finally received the attention it rightly deserves, IT managers are often at a loss to know where to begin. As cyber threats have grown increasingly more sophisticated, so have the products and services designed to combat these vulnerabilities. Limiting the line of defense to routine measures like firewall and anti-virus software often results in a false sense of security, which can easily cost companies millions of dollars in damages and clean-up from attacks. From vulnerability assessment to authentication, there are many elements of security that must be considered to ensure no weaknesses remain in a company's infrastructure.
Given the proliferation of the market, companies are also faced with the question of which vendors to turn to or whether to outsource their needs to a boutique security shop, security consultant, managed security service provider (MSSP) or a single-source carrier provider. This can be a daunting task, with hundreds of information security product vendors and providers on the global market. Enterprises can be easily, and understandably, overwhelmed by these decisions.
There are many criteria to evaluate: experience, breadth and depth of offerings, good service reputation, ability to provide a complete solution that secures the entire infrastructure, network reach and global reach, and know-how and resources to deliver best-of-breed solutions to ensure the strongest security.
Juggling a Myriad of Niche Products
In the wake of numerous cyberattacks, the market has seen an emergence of many pure-play security companies. Implementing a solution from an assortment of pure-play companies can often prove challenging. For starters, there is no single security product or service that can combat all potential security threats. For example, many security providers focus on a specific type of security protection which often does not adequately address the big-picture security puzzle. Add to this, the issue of interoperability and companies are looking at a very formidable task. It's critical that enterprises look at security as a framework-not a hodgepodge of security products. A business can spend hundreds of thousands of dollars securing their network, but if just one hole is left exposed, a hacker may find it. That's why many enterprises look to a full-service provider that can manage and monitor what they build.
More times than not, narrowly-focused security firms don't have the geographic reach or the know-how to support a global deployment, especially in regions such as Asia Pacific, the Middle East and Africa. For example, if an enterprise opens an office in Japan, there are many factors to assess, including the regulations imposed by the government and how this branch office will affect the security of the corporate network. It is imperative that holes opened during the launch of the site and the subsequent deployment of security solutions are quickly remedied. Global carriers already have experience and reach in these global markets and usually have the local staff support and network to better understand how these new sites will interact with the rest of a company's infrastructure.
Seeking Outside Advice to Identify Needs
With recent virus outbreaks wreaking considerable and well-publicized havoc on businesses, security concerns have now reached the boardroom. This is resulting in increased pressured on IT staff to ensure security of data and to mitigate future costs associated with security threats. However, handling security in-house is challenging for many companies often due to the lack of resources and expertise of their in-house staff - many of whom are not trained in the ever-changing world of security.
To ease the burden, some companies may hire a consultant to assess what security products they need to meet individual business objectives. Consultants can help businesses develop a security policy addressing a multitude of issues. Does an office with over 1,000 employees need a public key infrastructure solution? Do companies require both intrusion detection software and vulnerability assessment services to dodge the latest worms?
While hiring an outside consultant can help with interoperability issues and the development of a customized security strategy, the benefits are often short term. The reality is that many consultants do not have the specialized experience in security challenges/solutions as they may consult on a broad range of topics. Since many consultants do not implement the solutions they recommend, it leaves the client company to manage its security plan day in and day out - often an overwhelming task.
Avoiding the Headache of Multiple Vendors
Even as cyberthreats multiply, economic conditions are forcing companies to cut back on IT staff, leaving little support to manage their security implementations. Today IT managers are under close observation from CEOs concerned with liability issues. With increased pressure on IT staff and the dynamic nature of security protection, businesses of all sizes have found relief in outsourcing the management of their security solutions to a variety of provider types.
When working with multiple vendors, companies must coordinate between providers and troubleshoot accordingly, often making it difficult to come to a quick and an effective resolution of security threats. Companies must also assess the financial stability of smaller firms, which are often dependent on venture funding. Given the current economic conditions, several notorious failures have taken place in the past year. Companies such as Saliannas Group, Pilot Network Services, OneSecure and Fiderus, are just a few that closed their doors both in the United States and globally.
For the delivery of a complete solution, some enterprises look to MSSPs and major carriers. These firms usually offer a one-stop shop for outsourcing security, dramatically reducing the time, complexity and inherent worry of managing a company's defense in-house while enhancing their business continuity efforts. Additionally, carriers are not dependent on venture funding and have the infrastructure, credibility, experience and cash flow to quickly establish relationships with industry leaders to offer best-of-breed technologies to customers.
One of the biggest reasons to work with a carrier in implementing a security strategy is that major carriers can provide complete solutions that address and secure every facet of a company's infrastructure, including its Internet access, hosting, remote access and IP VPN capabilities. Through multiple layers of defense from the network to the server to the desktop, carriers can deliver the strongest security solutions. Working with a carrier also provides one point of contact or "one throat to choke" for the quickest, most effective resolution.
Choosing a Carrier for Managed Security
For years, the leaders in the carrier community have maintained direct visibility into corporate networks 24 hours a day, 365 days a year. This visibility puts them in the best position to evaluate and protect a company's infrastructure. From applications in the hosted environment to wireless local area networks (WLANs), companies are finding major carriers are the best choice to provide the strongest security and deliver a comprehensive, solutions-based, multi-layered approach to security.
With a full array of threat protection solutions, carriers are able to provide objective recommendations and an unparalleled defense system. Already securely managing a customer's infrastructure, carriers can seamlessly integrate and manage security elements that encompass all of their applications. This enables businesses to leverage the benefits of simplicity, speed and efficiency that integrated managed services provide, from designing a security plan to the configuration and installation of the solution to backup and restoration services.
To enhance their security offerings, some carriers utilize the talent and products of other security vendors. It is important to evaluate a carrier's partners to ensure that they are working with leaders of the security industry. Some carriers have tried to primarily grow security offerings organically. This has been largely unsuccessful for such providers, as this is not a core competency for the industry. It is imperative that a carrier recognizes its core competencies and partners with industry leaders to offer these services. In the complex world of security, the leaders of the industry are the first to develop and implement solutions to confront the latest threats. It is essential that an environment is created to immediately address all potential weaknesses.
A single-source provider that has a wholly-owned IP network with a wide-ranging global footprint has a distinct advantage for an enterprise. With a constant view of operations, a carrier is able to quickly identify and rectify security risks around the globe. In addition, by having complete control over the network, carriers are able to quickly implement security measures at any location at any given time. Using a global carrier that understands different countries' regulatory practices allows them to minimize the lag time and red tape associated with implementation.
Working with carriers offers an economic benefit - carriers' buying clout and reduced total cost of ownership (TCO). In addition to the benefits of having the leading security products, major carriers are able to provide more value to customers. By leveraging a carrier's network and specially trained security staff, enterprises are able to reduce TCO associated with deploying and managing security solutions.
To truly remain free of vulnerabilities, security must be deployed as a complete solution or framework - not a mish-mash of security products. The carrier community is emerging to meet the enterprise demand for security solutions that meet company needs for the strongest and most efficient way to ensure the integrity of a company's most precious asset - its intellectual capital.
Robert Blakley serves as senior manager of WorldCom's Security Services team (www.worldcom.com). He is responsible for the strategy, direction and management of WorldCom's enterprise and SME security solutions.