Ask 10 IT professionals if outsourcing security operations to a Managed Security
Services Provider (MSSP) is a good idea and you're likely to get 10 different
answers ranging from "absolutely yes!" to "are you crazy?"

What to outsource and why is a function of a large set of variables ranging
from the nature, size and location of your business to the size, makeup and
skill set of your IT team, current and planned IT initiatives, who and where
your business partners are, what your security budget is, and the list goes on.

At the end of the day, companies outsource their security because the benefits
of doing so outweigh the risks. And there are benefits -- enough to fuel what
Forrester estimated to be a $3 billion industry in 2008. The three main reasons
companies outsource some or all of their security operations are reduced costs,
24/7 monitoring of critical systems (that would not otherwise be possible),
and access to resources or expertise not found in-house.

With today's bleak economic state forcing massive cost reductions, evaluating
an MSSP is likely to end up on even the most reluctant CISO's to-do list. With
that being the case, the question is no longer "Should I trust an MSSP?"
but "What should I trust an MSSP with?" And even more important, "How
will it work?"

While there has been quite a bit of innovation in the MSSP space, with offerings
that range from limited device monitoring to comprehensive network design and management,
outsourcing doesn't, and shouldn't, mean giving up control. An airtight SLA might
give you an external throat to choke and legal protection if something goes
wrong, but if something does go wrong -- if data is lost or systems are compromised
-- the damage is still done. Even if it's the MSSP's fault, it still reflects
poorly on the organization -- not to mention the person who chose the MSSP.

Managed firewall services are one of the most popular (and pervasive) MSSP
offerings. According to Gartner, Inc. in its 2007 MSSP Magic Quadrant, 60 percent
of Fortune 500 enterprises had engaged in some level of use of an MSSP, representing
about 20 percent of enterprise firewalls under remote monitoring or management.
A Nov. 2008 Information Week poll revealed 68 percent of respondents working
with an MSSP were using them for managed firewall services.