It's us versus them: overburdened IT groups against smart, malicious opponents who are constantly probing for weak spots. As the red-hot klieg lights of the media and government regulators focus on infosec groups, struggling to thwart everyone from disgruntled employees to professional identity thieves, we're all feeling the heat. Our fictional widget maker is no exception. Is it time for NWC Inc. to call in a specialist?
While MSSPs (managed security service providers) have been around for years, this is not a run-of-the-mill outsourcing decision. Many IT professionals feel strongly that information security is a core business function, and outsourcing it would be equivalent to handing over the keys to the kingdom.
We agree, to a point. For organizations with specialized security needs or policies, an in-house team is the way to go. However, far too many organizations have yet to make information security a core competency, or have thrown in the towel and decided that security will never be a fundamental proficiency. But as attackers become more sophisticated, so must the tools we wield to stop them.
Managed security services will be the fastest-growing segment of the managed services arena, expanding at a compound annual growth rate of nearly 20 percent over the next few years, according to Gartner. MSSPs are benefiting from the shrinking window between weakness discovery and exploit, complex new technologies like NAC (network admission control), and the ever-expanding network perimeter that now includes business partners and telecommuters. At the same time, CTOs are under increased pressure to reduce costs, improve services and meet governmental regulations--all while ensuring business continuity and without sacrificing quality of service. It's a recipe for MSSP growth.
In NWC Inc.'s case, our complex Web business model and the high volume of our e-commerce initiatives are business drivers. We built an RFI seeking a partner to monitor and manage our information security infrastructure and sent it to 24 MSSPs. BT Global Services, Cybertrust, Internet Security Systems, LURHQ and SecureWorks accepted. VeriSign Managed Security Services initially accepted and did an outstanding job completing its RFI, but backed out because of the risk of exposing too much confidential data by publishing its RFI responses online (a requirement to participate). Equant also initially accepted but could not complete our RFI in time due to its rebranding to Orange Business Services. MCI, which has partnered with Verizon Business, declined. Accenture, AT&T Networking Outsourcing Services, Capgemini, Computer Sciences Corp. (CSC), Connetic, EDS, Getronics, IBM Global Services, Perimeter Internetworking, Science Applications International Corp. (SAIC), Solutionary, Sprint, Symantec, TruSecure, Unisys and VigilantMinds didn't respond to our invitation.