Security Think Tank: Not all security service providers are created equal

The ever-present workforce shortage in cyber security, coupled with an evolving threat landscape, has led an increasing number of organisations towards Managed security services (MSS). Yet, this isn’t a “throw it over the fence” option.

Using a service provider does not absolve an enterprise from its responsibilities to the data and systems it must protect. Risks must be continually assessed and security controls put in place to address those risks, whether the controls are delivered internally or externally.

Small to medium-sized enterprises (SMEs) use managed security services in large numbers, having been hit very hard by the combination of compliance demands, cyber threat landscape, and workforce shortage. Small, harassed, generalist IT teams are responsible for security with few – if any – dedicated security staff.

As such, SMEs are hungry for security advice and effective support, but don’t often receive this support from service providers.

There is no specific “starting point” for using managed security services. Some organisations may have a security product that is coming to end-of-life and using an external provider is a preferred option. Other organisations might have identified a particular risk and the only way of providing at least some of the required security controls is via a service provider.

Security service providers are not all made equal. Security is not a product and organisations should steer clear of service providers offering one or a combination of products (often antivirus for SMEs).

Instead, focus on those providers with expertise in your particular area – perhaps vertical, and/or company size – that understand your business. Look for providers that deliver integrated managed security services, giving your organisation the option to expand its use of managed services if required.

Invariably, service providers will offer a series of certifications to demonstrate their capabilities around security – when choosing a provider, decide which are applicable to your enterprise and have these as table stakes. Additionally, ensure contractual service level agreements (SLAs) are available so your organisation receives the service it is expecting.

It is also key to have an agreement about who is responsible for what, and when – for example, how frequently will the service provider undertake scanning and patching, how will your organisation be informed, how quickly can a change to a firewall be applied? These are all part of the regular interactions with a managed security services provider.

Regular reporting against SLAs and other metrics on a security scorecard can help customers of security service providers have a level of assurance that requirements are being met. As with any contract, the power lies with the customer before the agreement is signed, so decide what you want up front and stick out for it.