Getting to Know Managed Security Services

Strategic Sourcing
Written By Nick Vennaro

SourcingFocus.com recently ran a story about outsourcing trends that pointed to “a growing appetite for managed security services” due to the rising complexity and volume of cyber threats. Keeping the enterprise secure is becoming a primary consideration over other business initiatives.

With the increased focus on security, it is important that business and IT leaders understand Managed Security Services (MSS)—what they are, when to use them, and how to maximize the outcomes of a company’s outsourced MSS efforts.

What are Managed Security Services?

Gartner defines managed security services as "the remote monitoring or management of IT security functions delivered via shared services from remote security operations centers, not through personnel on-site.”

MSS broadly includes:

  • Monitored or managed firewalls or intrusion-prevention systems (IPS)
  • Monitored or managed intrusion-detection systems (IDS)
  • Distributed denial-of-service (DDoS) protection
  • Managed secure messaging gateways
  • Managed secure web gateways
  • Security information and event management (SIEM)
  • Managed vulnerability scanning of networks, servers, databases or applications
  • Security vulnerability or threat notification services
  • Log management and analysis
  • Reporting associated with monitored/managed devices and incident response

Firewall/intrusion prevention, intrusion detection, and log collection form the core of most MSS engagements. The Fortinet survey referenced in the SourcingFocus.com piece confirms that, noting over three-quarters of IT leaders in large enterprises say “functions like firewall, IPS and email protection would be suitable to apply to an outsourcing strategy in their organization.”

Why Outsource Managed Security Services?

The primary reasons companies seek a MSS provider are:

  • Improved visibility to threats: An experienced MSS provider has trained specialists with the tools and know-how needed to deal with potential issues/threats and can do so in a timely manner.
  • Advanced security or compliance demands: In some industries, like financial services and healthcare, there are strict compliance requirements and specialized requirements. A MSS provider who has deep knowledge of those industries can quickly and efficiently ensure their client is operating by the book. Also, since cyber security is their area of expertise, these specialists will have access to innovations and leading-edge technologies that can be rapidly deployed.
  • Accelerated Time to Market: A key benefit to outsourcing is fast deployment. The services mentioned above probably do not fit into a company’s core competency, yet they must be done well. Rather than climbing a time-consuming learning curve, hiring a seasoned MSS provider can ensure all the necessary security requirements are met quickly.
  • Reduced Costs: MSS is available at a fraction of the cost (hardware, software, man-power) of adding capabilities in-house.

A recent study calculated that a large investment management firm achieved a return on investment of 109% and cost savings of $3.36 million, with a nearly immediate payback period, by partnering with an MSS provider.

The report concludes that the organization achieved comprehensive, enterprise-level security monitoring at a lower cost than the alternative of implementing and maintaining an in-house, 24x7 security operations center. The firm also achieved a lower risk of loss due to security breaches and were better able to track security performance for audits and reporting, thus building credibility for their security program within the organization and with customers.

Source: “The Total Economic Impact Of Dell SecureWorks’ Managed Security Services,” a commissioned study.

How to Use Managed Security Services:

When considering whether or not to bring an MSS provider on board, it is important to engage an advisor who can assist in the following areas:

  • Conducting an MSS provider assessment to ascertain how ready your business is for outsourcing MSS and to determine which provider best fits your company’s needs, competencies, and culture.
  • Communicating the cost/benefits at the executive level so management understands all relevant aspects of implementing proposed services.
  • Determining and explaining what changes are needed in your environment for successful implementation of an MSS.
  • Deployment, implementation, and integration; which includes provider selection, contracting, and implementation support of the provider offerings.

Also, make sure that your advisor, as well as the candidate service providers, are communicating in a concise, jargon-free manner. Business terms should be clearly spelled out: what am I getting, for how much, and what are the risks?

Selecting a Managed Security Services Provider:

We recommend that companies pick at least two top-tier providers:

  • One for managing the environment
  • One for assessments, testing, reviews etc. for ensuring services deployed are performing as promised.

______________

Keeping to the progressive, outcomes-based, SYNAPTIC thinking we use here at Capto, we highly recommend that the contracts with MSS providers structure incentives and payment schedules based on reviews, penetration tests, etc.

______________

Closing Thoughts:

It is no surprise that keeping sensitive and mission-critical company information secure has moved to the top priority among those managing enterprise IT functions.  By moving swiftly and proactively to outsource MSS that includes both crisp communication and checks and balances, you can better prepare for the threats that are increasingly part of doing business in today’s dynamic, global environment.

Nick Vennaro
Previous

Cyber Security: Leveraging an Audit to Reduce Risks

Next

Broadcast Satellite Television: Large broadcaster and small software supplier change their thinking for a win-win