Security considerations when selecting a managed security service provider (MSSP)

Stuart King, global information security manager of Reed Elsevier, outlines the steps you need to take in making sure you get the...

Many organisations are turning to managed security services providers (MSSPs) to manage specific areas of security. This may include firewalls, data hosting, code development, vulnerability assessment and monitoring.

While outsourcing relieves the burden of managing these systems in-house, if there is a security breach the burden of responsibility still lies within your own organisation. It is therefore vital to investigate and conduct thorough due diligence of an MSSP before engaging its services.

So how do you go about making the decision to outsource and what criteria should you use to select your service provider?

First and foremost, what sort of relationship do you already have with business process outsourcers and IT outsourcers? It pays to be honest in answering this question, because if your relationships with outsourcers tend to end in acrimony it’s unlikely you will fare any better with an MSSP.

Keep in mind that you cannot outsource security per se; you can only outsource tactical tasks relating to security. Therefore someone at your organisation should still serve as the security “owner”, ensuring that business requirements are being met by the outsourcer efficiently and effectively. It is important to remember that it is the MSSP's job to secure systems to the extent that you require. It still remains your job to secure the business. Be crystal clear on identifying responsibilities which are the MSSP's and those that remain yours.

If you are considering whether or not to outsource security monitoring, the organisation needs to weigh its specific business requirements against its willingness to invest resources. If security monitoring is a critical component for the organisation, the level of tuning and tailoring needed to meet those requirements is often best achieved by building the solution internally.

Data hosting is another frequently outsourced service. Some hosting services may physically lock your servers in cages and not give internal staff access to the cage without your knowledge. This gives you a lot of control over security even though the service provider is doing most of the work. It’s important to also remember that you have a right to know who has access to your data and systems, so don’t be afraid to request background data.

Go armed to the hosting provider with a list of questions to ensure that security meets your expected standards. They include:

• What policies and standards do they work to?

• How effective is their physical security and how frequently do they test controls?

• Does the vendor employ a security manager with an industry recognised security qualification (e.g. CISSP)?

Don’t be afraid to pry and insist on a tour of the facilities. A willingness to show you around and openness when answering your questions should inspire confidence.

The same goes for those vendors writing code for your business. It’s essential that the SLA states the security requirements of the final product. Too many times I’ve seen deliverables that function to specification but are insecure once they go online. If you already have internally used standards for code development then make sure that the service provider is aware of their content.

Similar concerns are relevant for services such as e-mail outsourcing. The provider's provisions for security and procedures for patch management are all important. It should also be noted that an organisation does not necessarily have to outsource management of its e-mail infrastructure to outsource security. However, security can be increased in the face of e-mail-borne hazards by outsourcing both e-mail and messaging infrastructure.

Discretion on the part of the service provider may also be an issue. Do you want them to advertise that your company is a customer? You would certainly not want them to be discussing security breaches with other third parties.

The following list serves as general recommendations when selecting an MSSP:

• Choose an MSSP you trust. Be prepared to use MSSPs you have not previously worked with that have proven track records with organisations like yours. Take references and go with personal recommendations.

• Select an MSSP that understands the needs of its customers and has the required technical capabilities.

• Ensure that the service provider has financial stability. Do your due diligence!

• Choose an MSSP that can be flexible and willing to cater for different business needs.

• Make sure employees in your organisation and those at the MSSP understand the limitations imposed by industry bodies, government agencies and others on what you are allowed to outsource.

• Appoint one person or team as the contact point for the MSSP.

• Make it clear what the MSSP is allowed to do without first consulting you. Major incident alerts must have clearly defined escalation paths. Be clear about who should be notified when a critical incident occurs.

• Ensure that all employees are aware of the contract and its effect on them.

Finally, remember that while using an MSSP relieves the burden of managing those aspects of security in-house, it does not relieve the responsibility your organisation has regarding liability if there is a security breach.

It’s important to acknowledge that reversing the outsourcing decision can be an expensive exercise, as it would probably entail rebuilding both IT infrastructure and staff.

By outsourcing security operations to an MSSP, your business can improve its security posture while avoiding a large investment in technology and resources. These potential benefits can only be achieved by selecting the right managed security services provider.