Many organisations are turning to managed security services
providers (MSSPs) to manage specific areas of security. This may
include firewalls, data hosting, code development, vulnerability
assessment and monitoring.
While outsourcing relieves the burden of managing these systems
in-house, if there is a security breach the burden of
responsibility still lies within your own organisation. It is
therefore vital to investigate and conduct thorough due diligence
of an MSSP before engaging its services.
So how do you go about making the decision to outsource and what
criteria should you use to select your service provider?
First and foremost, what sort of relationship do you already
have with business process outsourcers and IT outsourcers? It pays
to be honest in answering this question, because if your
relationships with outsourcers tend to end in acrimony it’s
unlikely you will fare any better with an MSSP.
Keep in mind that you cannot outsource security per se; you can
only outsource tactical tasks relating to security. Therefore
someone at your organisation should still serve as the security
“owner”, ensuring that business requirements are being met by the
outsourcer efficiently and effectively. It is important to remember
that it is the MSSP's job to secure systems to the extent that you
require. It still remains your job to secure the business. Be
crystal clear on identifying responsibilities which are the MSSP's
and those that remain yours.
If you are considering whether or not to outsource security
monitoring, the organisation needs to weigh its specific
business requirements against its willingness to invest resources.
If security monitoring is a critical component to the organisation,
the level of tuning and tailoring needed to meet these requirements
is often best done by building the solution internally.
Data hosting is another frequently outsourced service. Some
hosting services may physically lock your servers in cages and not
give internal staff access to the cage without your knowledge. This
gives you a lot of control over security even though the service
provider is doing most of the work. It’s important to also remember
that you have a right to know who has access to your data and
systems, so don’t be afraid to request background data.
Go armed to the hosting provider with a list of questions to
ensure that security meets your expected standards. They
include:
• What policies and standards do they work to?
• How effective is their physical security and how frequently do
they test controls?
• Does the vendor employ a security manager with an industry
recognised security qualification (e.g. CISSP)?
Don’t be afraid to pry and insist on a tour of the facilities. A
willingness to show you around and openness when answering your
questions should inspire confidence.
The same goes for those vendors writing code for your business.
It’s essential that the SLA states the security requirements of the
final product. Too many times I’ve seen deliverables that function
to specification but are insecure once they go online. If you
already have internally used standards for code development then
make sure that the service provider is aware of their content.
Similar concerns are relevant for services such as e-mail
outsourcing. The provider's provisions for security and procedures
for patch management are all important. It should also be noted
that an organisation does not necessarily have to outsource
management of its e-mail infrastructure to outsource security.
However, security can be increased in the face of e-mail-borne
hazards by outsourcing both e-mail and messaging
infrastructure.
Discretion on the part of the service provider may also be an
issue. Do you want them to advertise that your company is a
customer? You would certainly not want them to be discussing
security breaches with other third parties.
The following list serves as general recommendations when
selecting an MSSP:
• Choose an MSSP you trust. Be prepared to use MSSPs you have
not previously worked with that have proven track records with
organisations like yours. Take references and go with personal
recommendations.
• Select an MSSP that understands the needs of its customers and
has the required technical capabilities.
• Ensure that the service provider has financial stability. Do
your due diligence!
• Choose an MSSP that can be flexible and willing to cater for
different business needs.
• Make sure employees in your organisation and those at the MSSP
understand the limitations on what you are allowed to outsource
imposed by industry bodies, government agencies and others.
• Appoint one person or team as the contact point for the
MSSP.
• Make it clear what the MSSP is allowed to do without first
consulting you. Major incident alerts must have clearly defined
escalation paths. Be clear about who should be notified when a
critical incident occurs.
• Ensure that all employees are aware of the contract and its
effect on them.
Finally, remember that while using an MSSP relieves the burden
of managing those aspects of security in-house, it does not relieve
the responsibility your organisation has regarding liability if
there is a security breach.
It’s important to acknowledge that reversing the outsourcing
decision can be an expensive exercise, as it would probably entail
rebuilding both IT infrastructure and staff.
By outsourcing security operations to an MSSP, your business can
improve its security posture while avoiding a large investment in
technology and resources. These potential benefits can only be
achieved by selecting the right managed security services
provider.