Business is getting riskier. Digital attacks on businesses, such as the Slammer worm earlier this year, are unleashing their destruction at ever-increasing speeds. Hackers are constantly poking and prodding, trying to breach the security defenses of American companies. There's also the growing stack of federal and state legislation requiring businesses to prove they're being diligent at securing their data.
David Bauer, chief information security and privacy officer for Merrill Lynch & Co. wants to increase his company's ability to focus on these risks. He says he can better achieve that goal for the $2.83 billion brokerage firm by outsourcing a good chunk of the company's network security to VeriSign Inc., a relative newcomer to the growing managed security services provider market.
Terms of the global, multiyear contract were not disclosed, but InformationWeek has learned VeriSign will manage more than 300 of Merrill Lynch's firewall and intrusion-detection network security devices.
"It's all about being the best that you possibly can be," Bauer says. "On the intrusion-detection piece, we have a lot of network activities, as a lot of companies do, but now we're going to get analysis of all our activity in context with what else is going on in the world. It's not just about data, it's about intelligence. And with intelligence, you can make better decisions."
That intelligence, Bauer says, comes from VeriSign's ability, acquired by managing network security devices for hundreds of companies, to see attacks occurring elsewhere on the Internet and within its customers' networks. Bauer says Merrill will benefit from VeriSign's ability to see things his security team can't, and that will help them better decide where to focus their security resources. "Is it a random attack, or is it targeted? Is it a sophisticated attack or not a sophisticated attack? Well, now we can get answers to those questions," Bauer says.
Bauer isn't the only security officer looking for answers. Analyst firm Gartner estimates that managed security services will be the fastest-growing service type across all vertical markets, growing annually at 19.3% from $547.8 million in 2002 to $1.2 billion in 2006.
"We're definitely seeing increasing outsourcing of 'commoditized' security functions, such as policy changes on firewalls, reviewing firewall and IDS logs, and all the other repetitive tasks involved in perimeter security," Gartner analyst John Pescatore says. "By outsourcing the grunt work, their existing security folks can respond to the new issues, like securing the ERP system connection to suppliers or what to do about wireless LANs or Web services.
VeriSign CEO Stratton Sclavos says regulations such as the Health Information Portability and Accountability Act, Sarbanes-Oxley, and the USA Patriot Act are helping to drive demand for managed security services. Managed security "allows companies to focus on the process optimization required to reduce the overall risks to their organizations," he says.
Bauer agrees. "It lets us worry about the evaluation of the data as opposed to the monitoring of the data," he says. "I'm a big fan of this risk managed approach. Now we can take the data and do risk analysis against it, and act on it--as opposed to having to do the day-to-day stuff."