Pfeil says successful information-security outsourcing depends on CIOs understanding the vendor's expertise. Failing to scrutinize a vendor's specialties is an obvious, yet common, mistake. "Companies have to carefully review the specialty areas and also take the time to investigate the track record of a company they're thinking of going with," he says. Not every MSSP handles every type of security need. Just because a provider has a big name doesn't mean it's the best fit for your company, he cautions.
Once you do hire an outsourcer, it's important to establish service-level agreements (SLAs) that define, for example, the number of incidents per month the MSSP needs to be able to spot and a game plan for dealing with these incidents. One provision Pfeil requires in any SLA is timetables dictating when the MSSP must notify the company of suspicious activity.
"We need to be notified within 10 minutes of this type of event, four hours for that kind of event," Pfeil says. You also need meaningful penalties associated with failure to meet the deadlines, he adds. "If we see you not meeting agreements, I don't pay my bill."
The Way Forward
Our survey shows that despite the recent economic conditions, companies aren't making drastic cutbacks in security. In fact, most of you neither cut nor deferred security expenditures. Looking ahead, 52 percent expect security spending to increase at least 10 percent in the next year; 9 percent plan to increase their spending by more than 30 percent.
Lobel notes that projected spending increases are never a given. Companies may approve a budget but wait until the last minute to free up the money because of continued economic uncertainty. But he expects to see a continuing increase in demand for better security as companies feel the pressure of regulatory compliance just as they offer more services online.
"There is pent-up demand for investments in things like application and mobile security," Lobel says. "When they green-light the actual spending, you'll see things really take off."
When that happens, global IT security will take another step forward.
How We Got the Numbers
By Research Manager Carolyn Johnson
The Global Information Security Survey, a worldwide study by CIO, CSO and PricewaterhouseCoopers, was conducted online from February 19 to April 30, 2010. CIO and CSO print and online readers and clients of PricewaterhouseCoopers from around the globe were invited to take the survey. Results are based on responses from 12,847 security and IT professionals from more than 100 countries. The most respondents (37 percent) were from Asia, followed by Europe (30 percent), North America (17 percent), South America (14 percent) and the Middle East and South Africa (2 percent).