As managed security moves into the IT mainstream, deciding which functions to divest your IT or security staff of can be a challenging decision.
Make the right one and you can save money, becoming more secure all the while freeing up your staff for more productive activities.
Make the wrong decision — whether it be a vendor that doesn’t live up to promises or inadvertently shares your information with a competitor — and you could end up in hot water or worse.
To figure all this out, as with all outsourcing decisions, you have to weight the pros and cons.
If you are short-staffed (especially on the security side) and have just expanded the company through acquisition, for example, now might be a good time to interview managed security service providers (MSSP) to see how their services (anything from simple firewall protection all the way through security audits to emergency response and incident handling) could ease you workload and shore up your defenses.
If, however, you already have a security staff and good governance, policies and procedures in place, then an MSSP may have less to offer.
It really depends on so many factors that no one article can cover all the bases, but, according to the experts, there are some basics to think about before signing away control over any aspect of your security infrastructure.
Pros
On the plus side, MSSPs generally have a better understanding of the threat landscape and the tools to deal with those threats than most in-house security teams, said Marty Lindner, team lead for Incident Handling at CERT/CC. And this can be a great comfort when you put your head down at night.
Also, since most in-house staff spend a great deal of time patching and handling incidents, they have very little time left over for staying up-to-date and training.
A good MSSP should be able to provide services while, at the same time, staying current with the latest practices, gear, software, threats, etc. It also should be able and willing to impart this knowledge to you, their customer.
“If I was doing an outsourced solution, I would look upon that company to give me guidance, recommend suggestions on prevention mechanisms, policies, procedures, better ways of architecting my infrastructure so I’m better defending myself, node security, application security,” etc., said Lindner.
Also on the plus side is you will probably will be able to save money on the more common/commoditized security tools such as anti-virus/anti-spam, firewalls, intrusion detection, etc. and its associated hardware.
In fact, up to 60% of companies today are using some form of managed firewall, according to analyst firm the Yankee Group.
“The pros of outsourcing? You are basically just simplifying your life,” said Andrew Jaquith, senior analyst with Yankee’s Security Solutions and Services Practice. “You’re outsourcing some of the simpler security functions and it’s a cost saving; you’re leveraging economies of scale on the part of the providers.”
Also, an outside provider doing, say a security audit prior to starting their services, will be more rigorous and honest, said Rick LeVine, senior manager of Accenture’s North American Securities Practice, since they will not feel any of the internal pressure from management to do one thing over another. An MSSP is usually all about security, not politics.
Cons
One of the negatives that has to be considered if you work for a public company is regulatory compliance. Outsourcing your security means you’ve opened up potentially sensitive information to an outsider, continued LeVine.
“Having a third party or managed service manage your infrastructure means they will have your event logs, which means they will have access to your antivirus stats so they will know when you are under attack,” he said. “If you are public company there may be a concern that that’s insider information because it may affect your stock price if it comes out.”
Using an MSSP also means that you now have at least doubled the potential for someone within the firm’s walls to be the culprit of a security breech, said LeVine. And, as most security professionals will tell you, the threat from within to sensitive information and systems is greater than the threat from without.
Which brings up the topic of risk. What level of risk — be it regulatory, public/customer perception, hacker attack, insider hack, etc. — are you prepared to share with a provider?
This is not a new question. Companies evaluate risk every time they contract with an outside provider for any service, be it janitorial or IT, said CERT’s Lindner. But when outsourcing security, your level of risk has to carefully weighted against the potential benefits even a simple service like a manage firewall brings to the organization.
What if your provider’s security is compromised, for example, asked Lindner. Does that mean your data has left the building, or does your MSSP scrub all its logs to ensure data anonymity? A good question to ask these days in light of Sarbanes-Oxley.
Or “… if you go to an outsourcing solution that is using a generic solution across the board without customizing it to your company’s specific needs, then that’s a detriment,” said Lindner. “That’s a risk you have to decide if you want to take on.”
However, the decision to utilize their services is a combination of careful internal evaluation to determine your needs and capabilities, and due diligence to make sure your provider will be able to shore up your shortcomings. Take away one of these efforts and the MSSP security stool will fall over or be wobbly at best.