When it comes to outsourcing IT services—particularly commodity services such as data centre operations or workplace management—there is a wealth of experience. As a result, it has become common practice to delegate parts of IT operations to external service providers.
However, many organisations remain hesitant about outsourcing IT security services due to the perceived high risks. But in an era of constantly evolving threats and rapidly changing specialist expertise, is this cautious stance still appropriate?
This question is explored in the following discussion.
Outsourcing IT Security Services – Initial Situation
Nowadays, virtually every area of IT can be outsourced: from service desks and data centre hosting to websites, SAP operations, databases and CRM systems, there are established providers for every IT service domain. In the field of IT security, too, a growing number of providers now offer services such as storage backup, Security Information and Event Management (SIEM), and firewall operations. Firewall management deserves special attention, however, as firewalls typically represent the primary line of defence against internet-based threats.
Overview of Firewall Services
A firewall analyses network traffic and either blocks or allows data flow based on predefined rules that distinguish between permitted and prohibited traffic. Next-generation firewalls also include features such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), which help detect and prevent attacks on corporate networks. These systems protect individual computers, servers, and networks from malware, trojans, and unauthorised access.
Depending on the size of the organisation, managing and monitoring firewalls can become highly complex and time-consuming due to the sheer number of rules and the constant emergence of new threats. IT teams must stay up to date with the latest software and technologies to ensure long-term protection in today’s digitally connected world. However, due to the shortage of skilled professionals, finding and retaining such specialists can be challenging. This is where firewall administration by a service provider becomes relevant: the provider takes responsibility for the operation, maintenance, and administration of the firewall solution.
Benefits of Full Outsourcing
When outsourcing IT security services, companies must decide whether to outsource the entire firewall operation or just specific tasks. Some organisations may have particularly sensitive areas (e.g. in healthcare) that cannot be outsourced. If full outsourcing is chosen, it can offer several advantages:
- No administrative burden: The provider handles all aspects of firewall administration, including updates, patch management, best-practice configurations, monitoring, and support. This eliminates the need for in-house specialists to constantly update their expertise.
- Easy scalability: Firewall services can be scaled up or down quickly depending on traffic volume or administrative needs.
- Flexible IT investment: Companies can structure their IT investments flexibly, either through usage-based rental models or by purchasing hardware and outsourcing only the operational services.
- High security: A specialised IT security provider serving multiple clients is typically more professional, with a larger pool of experts and an optimised operational model. This ensures the firewall solution remains up to date and can be enhanced with the latest features promptly.
These benefits can only be realised if contracts between the company and the service provider are well-defined. Service agreements must clearly specify the scope and quality of services (via SLAs), and protection mechanisms should be based on a comprehensive risk management strategy. The internal IT security team must be involved in planning, coordination, and negotiations to ensure a shared understanding of security requirements. Even though service providers possess extensive security expertise, adjustments may be necessary to accommodate company-specific needs rather than relying solely on generic standards.
Special Case: Production Environments
The points mentioned above may not be easily applicable in certain areas of some companies—especially in manufacturing environments, which often have unique requirements such as specialised hardware or software. These settings may require customised firewall solutions tailored to specific needs. Legacy systems are common in production, many of which no longer receive security updates. Old control or measurement software may not run on modern operating systems, making these environments particularly vulnerable—not only to operational disruptions but also to intellectual property theft (e.g. patents). Existing security concepts must be reviewed and adapted, as different expertise is needed to design and operate firewalls in such contexts. Firewall requirements may also differ from standard solutions in terms of availability and configuration flexibility.
Specification of Services
To enable service providers to manage firewalls in such environments, the service description must be as precise as possible, since standard solutions often cannot be applied directly. While the provider may have superior technical knowledge, they may not be familiar with the on-site environment. After awarding the contract, the provider’s expertise should be leveraged in a transition project to review the current firewall setup and jointly implement improvements. This allows the provider’s staff to familiarise themselves with the system and adapt to specific requirements.
Firewall adjustments must be implemented quickly and accurately to avoid delays or outages. A ticketing system with an integrated hotline—and ideally a chat function for change requests—should be established to ensure rapid response and resolution times, even during off-hours (e.g. weekends). Clear communication channels must be defined to facilitate swift changes. Any necessary optimisation of service request processes should also be addressed during the transition phase to improve internal workflows, such as approvals and authorisations.
Conclusion: Outsourcing IT Security Services
In summary, outsourcing IT security services, especially firewall operations, requires more careful consideration than other IT services. In production environments, close collaboration between the company and the service provider during the transition phase is essential to ensure effective protection. It must also be guaranteed that operations are not disrupted, for example by production delays or outages. Clear communication structures and responsibilities, along with setup and configuration standards, are therefore indispensable.