Managing the unmanageable

The managed security services sector was born in the final splutters of the dot-com fuelled technology boom. Computer security had grown too complex, too important and too costly for organisations to do it on their own, so why not outsource it to the specialists?

That logic spurred $1 billion worth of investment by venture capitalists, as managed

 
 

60 second interview: John Thompson, CEO of Symantec

Why should companies trust an outside organisation to manage their security?

It’s a decision not lightly made. But with the right supervision, the benefits are substantial. Clients have high expectations on their internal corporate governance and they should expect the same degree of diligence from an outside provider.

What are the advantages of employing a Managed Security Services Provider (MSSP)?

Expertise, cost and intelligence. The managed security market was built by security practitioners who realised that there weren’t any tools good enough to provide real-time analysis across the myriad of security products in clients environment. They also recognised that it’s difficult to hire, train and retain the right expertise in-house.

Is there a danger of an organisation becoming ‘operationally dependent’ on an MSSP?

If your company is connected to the Internet, it is imperative to have real-time 24x7x365 security analysis. Whether a company decides to do it in-house or to outsource, my expectation is that the organisation should become dependent on the function. That’s not a bad thing – it underlines its importance. That said, managed security services should work in a complementary way with a company’s internal IT and security department, to provide additional resources, skills and technology.

What advice do you have that might help organisations to better manage their MSSPs?

Know what you’re buying. Symantec advises any company to select a trusted partner on the basis of its proven track record of delivering quality security services. Visit their operations centres and take a look under the hood. Talk to the people who will be managing your service in the operations phase. Understand the service level agreements that will hold a provider accountable for a reliable and predictable level of service. Once your expectations are clear about what you’re getting, you can develop processes around it that take advantage of the provider’s strengths to make the information the MSSP gives you actionable.

What elements would you recommend should stay in-house?

Managed security services should be used to provide expert security administration, analysis and recommendations. Outsourcing this part of your operation will allow your security staff to refocus on what you’ve hired them to do in the first place – develop and implement your corporate security strategy.

 

 

security start-ups build up their infrastructures and honed their marketing messages.

But within a year, much of that money had been wasted as wild over-optimism turned to realism, and customers held back commitments, wary of the capabilities – and viability – of many service providers.

A lot has changed in three years. The security challenge has become more complex, costly and time consuming, encouraging organisations to seek outside help. And the whole managed security sector has matured and established where it can add most value.

Experience with relatively low-cost and simple to set-up outsourcing services such as antivirus email scanning has encouraged many to look further afield – to firewall monitoring, for example.

Moreover, many IT professionals and analysts feel that the tools have not kept pace. The number of Internet applications being run in a typical organisation have made firewalls less than sufficient for keeping hackers out.

In addition, the intrusion detection devices that once promised to sound the alarm whenever an attack was detected have been derided by analysts such as Gartner due to the number of false alarms they generate – hundreds, maybe thousands, every day.

That is not always the fault of the tools, says Ray Stanton, director of the UK security practice at Unisys: “Too few security professionals, let alone ordinary IT staff, are prepared to put in the time and effort required [to fine-tune products].”

That is one area where managed security services suppliers promise to reduce the pain. They can configure intrusion detection and other devices and export their log files through a one-way opening in the firewall. That data can then be mapped against other ‘events’ that the managed services supplier is aware of at sites across the world – something that no single company can do in-house.

“That’s the huge advantage that external monitoring brings to organisations,” says Richard Archdeacon, head of technical services in Northern Europe for Symantec. “It enables us to identify and monitor patterns so that we can see whether a particular incident is isolated or part of an overall trend.”

However, hiring a managed security services company does not mean that the in-house security team is redundant. Far from it. Creating, enforcing and updating the corporate security policy, for example, will always need to be worked out between the IT or security departments and management to ensure that it is tailored to the organisation’s needs.

In addition, the managed security services provider will always need specialists at the client site to liaise with about security issues. “Leadership responsibility… is something that should never be outsourced,” says Tom Scholtz, an analyst with the Meta Group.

If a new Internet worm is discovered, someone representing the client needs to be on hand to authorise the closure of a port on the firewall that can stop it in its tracks – because closing that port might bring a mission critical application shuddering to a halt as well.

But outsourcing can alleviate the administrative burden on security staff, enabling them to devote more time and energy to dealing with higher level issues.

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics