Security To Go: Is It Time To Shop MSSPs?: Page 4 of 4

CHOOSING AN MSSP
Bottom line, this is not an everyday outsourcing decision. Many IT professionals feel strongly that information security is a core function and outsourcing it is abdicating responsibility. Says one poll respondent, "Whether or not security is outsourced, your business is still legally responsible for any consequences that occur. If you have full responsibility, you must also have full control."

This quote reveals a big misperception about using an MSSP: that you in fact lose all control. MSPs built on that model have already failed. Most offerings today are co-managed and are far from all-or-nothing propositions.

So how do you choose a partner that will take your security as seriously as you do? There's no shortage of fledgling companies entering the MSSP space, many of them rebranding offerings from providers like IBM. But one inescapable fact, discussed at length by many of our respondents, is that your organization's security is only as comprehensive as that of the company to which you're outsourcing it. A provider with high turnover and inexperienced consultants can spell disaster. And when compliance enters the picture, vetting a provider gets even trickier.

"I assist in performing third-party evaluations for some of our business units," says one poll respondent. "So far, no company has been completely in alignment with our existing policies and standards. If you are in a highly regulated industry, outsourcing does not absolve you from responsibility--as much as management would like to think so."

Outsourcing best practices apply twice over to MSSP engagements. Thoroughly document your requirements before speaking to potential providers, so that you can set up meaningful SLAs. Have your general counsel draft a contract identifying legal liabilities and ramifications if a breach were to happen.

Once you're in the market, ask about the measures the MSSP takes to control operational and environmental factors, including physical security, access control, and regular audits--both internal and external--of systems and procedures. Investigate the financial health of your MSSP. If a provider meets your SLA and technical requirements but its business road map and financial health are questionable, walk away. Along these same lines, find out the MSSP's main vendor relationships.

Will the MSSP provide security for remote and mobile users? Says one respondent, "If the outsourced security is good within the walls of the office, it has to also be good for mobile users, both those who take notebooks and smartphones outside our office and those who log in to our network from home or from the road." Smartphones are difficult to manage, but there are ways to monitor how they are used and to control the damage they could do.

Look for diverse physical locations of security operations centers. Ask about the people who will be working on your equipment. Are background checks required? Evaluate each vendor's account team and problem management processes. When negotiating a service-level agreement, pay close attention to the MSSP's agreed-on time to respond to a request, the timeframe in which the change should be made, and additional fees charged for policy changes. Finally, ask about contract terms and early-termination penalties, if any.

STAY IN CONTROL
Don't let emotion get in the way of making this decision. One in three of our poll respondents admit that they simply have insufficient resources or skills to manage security well in-house, and we were encouraged that only about 1% say they won't consider an MSSP because of a risk of staff backlash.

"Outsourcing may not fit every company, but in my case it's been a blessing. In a very short time we have been able to ramp up our security program to a level we never could have achieved using internal resources," says the VP and chief security officer of a financial services firm with more than $1 billion in revenue. "It does take a dedicated person to closely monitor the vendor relationship and manage vendor-related risk."

That brings us to one last point: Engaging an MSSP is not a "set it and forget it" operation. If you're using an MSSP in a complex and ongoing capacity, internal security needs to manage the vendor as it would internal staff. Require monthly or quarterly meetings to assess the extent of discovered security breaches, analyze reports, and strategize on how to battle back the latest and future security threats.

[Chart: The Worry List: What's your primary concern with using managed security services?]

Photo illustration by Sek Leung
