The value of managed security services

Managed security services (MSS) are gaining momentum in the security space, where a genuine need for this service is swiftly developing. MSS is particularly popular in the small and medium enterprise market, where companies lack the skills, resources and capacity to manage their security requirements on a 24x7 basis. It is also gaining ground with large corporates, which are more inclined to allocate specific functionality to an MSS provider.

The reason for this escalating demand is that security has become a complicated and costly challenge. The e-business world and the changing nature of cyber-crime have added a degree of vulnerability that didn`t exist a few years ago. In addition, the rapid pace of change in business and computing environments makes it difficult to ensure new changes don`t introduce exposures. MSS should provide a cost-effective and value-enhanced alternative to running the entire operation internally.

Many companies are beginning to realise that re-routing traffic through a managed security provider`s environment can improve the security of their networks by blocking out problems such as viruses, spam, hackers and illicit content. Tighter corporate governance and auditing regulations are forcing firms to store huge volumes of data, which in turn increases their data security challenges. Companies realise they have neither the time nor the expertise to deal with security, and therefore it is easier to go to a specialist third-party.

Remember it is the function that is being outsourced, not the responsibility

Alkesh Patel, principal consultant, security and privacy services, IBM SA.

However, deciding which IT security functions to outsource to a service provider can be a challenge. If a company is struggling to retain staff, developing key security skills and knowledge, then it might be a good idea to talk to a managed security service provider (MSSP). But if a company has well-trained staff, good governance, policies and processes and well managed tools to support security, then an MSSP will have less to offer.

Typically, MSSPs offer a number of services including management of network boundary devices such as firewall and intrusion detection, e-mail management, content filtering, anti-virus management, penetration testing and vulnerability assessment.

The reasons for choosing the MSS route include:

* Making the management of the security infrastructure independent of any organisational changes.
* The opportunity to minimise the requirement for training of internal personnel, as the third-party now provides the skills and knowledge.
* MSSPs have the economy of scale to smooth out any resource fluctuations on individual customers, thereby by providing more efficient service.
* The opportunity to focus on the company`s core business.
* Eliminating the need to establish a 24x7 operation.
* The managed security services route is often more cost-effective than maintaining an in-house security operation.
* The managed security provider is geared for constant expansion and has the ability to provide the service with a short lead-time.
* The wider frame of reference provided by a good MSSP.

However, it`s not as simple as paying a fee, sitting back and enjoying financial savings and improved service levels. Remember it is the function that is being outsourced, not the responsibility. The burden of accountability and liability still lies with the original organisation. Important considerations when choosing a MSSP:

* Ensure risks and exposures are known and that the service provider will close these gaps.
* Does the service provider have multiple security operation centres to provide continuous services in event of a problem in one location? What happens if the service provider`s security is compromised?
* Cost is an important factor but the prime motive should be increasing security and meeting regulatory compliance.
* Make sure company requirements have been expressed clearly and documented so that they can be evaluated by the provider to confirm if they can meet the required level of security. Not every company`s requirements will be the same.

After choosing a service provider, there are still some further important responsibilities. Don`t forget to read the reports provided on vulnerabilities found and threat status, and evaluate the recommendations made. Take action to close the vulnerabilities - whether that is to change a firewall rule, apply a patch or change a standard.

As the business and IT systems change, evaluate whether the service provided is still meeting security requirements, and keep up to date with the changing threat landscape and take appropriate steps to deal with emerging threats. That may require renegotiating service levels or scope of services.