Quote: sales@farpost.com
24/7 Support: support@farpost.com

Outsourcing Managed Security Services

As computer attack patterns shift and threats to networks change and grow almost daily, it is critical that organizations achieve reliable information security. Investment decisions about information security are best considered in the context of managing business risk. Risks can be accepted, mitigated, avoided, or transferred. Outsourcing selected managed security services (MSS) by forming a partnership with a Managed Security Service Provider (MSSP) is often a good solution for transferring information security responsibility and operations. Although the organization still owns information security risk and business risk, contracting with an MSSP allows it to share risk management and mitigation approaches.

More and more organizations are turning to MSSPs for a range of security services to reduce costs and to access skilled staff whose full-time job is security. Such services may include

  • network boundary protection, including managed services for firewalls, intrusion detection systems (IDSs), and virtual private networks (VPNs)
  • security monitoring (may be included in network boundary protection)
  • incident management, including emergency response and forensic analysis. (This service may be in addition to security monitoring.)
  • vulnerability assessment and penetration testing
  • anti-virus and content filtering services
  • information security risk assessments
  • data archiving and restoration
  • on-site consulting

Managed security services is one of the fastest growing market segments in the security marketplace according to Gartner, a research and IT consulting company. In terms of some reported market trends, Gartner reports that by 2005, 60 percent of enterprises will outsource the monitoring of at least one network boundary security technology [Pescatore 02]. The META Group, also a research and IT consulting company, expects to see maturity first in the managed VPN and firewall arenas. MSS-based vulnerability scanning is forecast to mature next (2003), followed by intrusion detection (2003 - 2004), security monitoring and response (2004), and authentication and administration (2004 - 2005) [King 01]. According to IDC, a division of the research and technology company International Data Group (IDG), by 2004 security services are expected to become a $16.5B industry with a 35 percent compound annual growth rate [Navarro 01].

Organizations need high quality strategic and practical guidance about how to work with these emerging companies to maximize their own information security. This includes well-defined practices to evaluate, select, contract with, manage, and terminate relationships with MSSPs.

The range of services offered by MSSPs varies in their ability to meet an organization's security requirements, including the availability, confidentiality, and integrity of information assets critical to the organization's mission. Therefore, it is vital that an organization specify its security requirements and require candidate MSSPs to demonstrate their ability to meet them, both as part of evaluation and selection and while providing ongoing services.

An organization needs to understand the level of information security risk in outsourcing any managed security service when developing the Request for Proposal (RFP). The costs to procure, operate, and manage provider service delivery, including review for compliance with the Service Level Agreement (SLA) and the overall contract, should not exceed the anticipated benefit.