Earlier this year, a journalist from U.K. newspaper The Sun managed to buy the confidential bank details of 1,000 U.K. customers from an outsourced call center based in Bangalore, India. What's more, the seller said he could supply up to 200,000 a month. It is the kind of news that makes some companies think twice about outsourcing anything, let alone security.
But Edwin Hageman, managing director of managed security services at telecoms supplier BT, argues that such stories will not have a significant impact on the growth of security outsourcing. Creating a security infrastructure while maintaining operational flexibility has "never been more important," he said.
"To be effective, that infrastructure needs to be carefully crafted, integrated, and underpinned by rigorous procedures and first-class security staff. Which is why it is often far better to place the design and management of ongoing security provision in the hands of a managed security service provider [MSSP]."
And despite news reports of the kind detailed above, the MSSP market is steadily growing. According to analyst IDC, the worldwide market in 2004 was $12.2 billion, a 15.8-percent increase over 2003. By 2009, the market is expected to reach $29 billion.
So why do companies outsource their security in the first place? Hageman believes that additional security from outside provides capabilities and expertise that are not available within an organization. But Brendan Slater, professional services director at managed security service company Globix, argues that there are no hard-and-fast rules. "The decision to outsource is based on many factors, such as cost savings, productivity gains, lack of any in-house expertise, availability requirements driving the need for round-the-clock operations or compliance requirements."
Industry sectors that outsource other functions tend to be more open to farming out their security. Loren Rudd, ICT research analyst at Frost & Sullivan, notes that manufacturing companies have embraced outsourcing security because many of them have already outsourced parts of the manufacturing process.
Once a company has decided to outsource some or all of its security, the next step is to find a provider.
Some MSSPs offer specific services, such as vulnerability scanning or event monitoring; LURHQ is a good example. Others offer managed firewall and VPN, vulnerability protection, intrusion protection monitoring, and identity and access management. Many MSSPs also provide services such as security intelligence and threat management, as well as security consultancy.
"Each enterprise should take care to clarify its objective," advised Rudd. "Is it to simply satisfy new legislative requirements? Or is it in order to maximize the network's security?"
By carefully analyzing their objectives, organizations will go a long way towards finding the right MSSP, especially since most providers "position themselves as having either conveniently bundled compliance solutions, or as security specialists offering highly customized services," commented Rudd.
Enterprises looking to outsource their security usually start off with email and messaging security to take advantage of cleaned-up bandwidth free from spam and viruses. MessageLabs and Postini are good examples of companies that provide this kind of service. MessageLabs recently branched out to offer both anti-virus and anti-spyware web filtering.
Having chosen your MSSP, it is vital to spell out the contract terms and how they are to be governed. A service level agreement (SLA) is fundamental to the success of any outsourcing contract.
"Make sure that the SLA provides guaranteed response times, along with credits for missing those times," said Ruby Qurashi, vice-president of MCI NetSec Security Services.
You should also have access to information on how the MSSP is functioning. Client portals offer a snapshot of how the service is running and a window on the security functions the MSSP is looking after – a kind of security dashboard. Rudd argues that "regular provider-reporting, supplemented by client portals, is becoming the industry standard for providing transparency and demonstrating value to subscribers.
"Currently, these appear to be the best methods for evaluating the effectiveness of an MSSP, short of experiencing an unsuccessful network attack."
It is also essential that you measure and document performance. And if the MSSP itself provides an SLA, take a close look before you buy: Is it a standard agreement that comes as part of the deal, or can it be adapted to meet the specific needs of each enterprise?
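As an added illustration of the advice above (not code from the article or from any provider it names), here is a check of a provider's monthly ticket export against the guaranteed response times and per-miss credits an SLA should spell out. The severity targets, credit percentages, credit cap and ticket records are all constructed, hypothetical values.

```python
from datetime import datetime, timedelta

# Constructed SLA terms (hypothetical figures, not from any real contract): maximum
# time the MSSP has to acknowledge a ticket, and the credit (percent of the monthly
# fee) owed for each ticket that misses its target.
SLA_TARGETS = {
    "critical": timedelta(minutes=30),
    "high": timedelta(hours=2),
    "medium": timedelta(hours=8),
}
CREDIT_PERCENT_PER_MISS = {"critical": 10.0, "high": 5.0, "medium": 2.0}
CREDIT_CAP_PERCENT = 25.0  # hypothetical cap on total credits in one period

# Constructed ticket export for one month: (ticket id, severity, raised, acknowledged).
# An acknowledged time of None means the provider never responded in the period.
SAMPLE_TICKETS = [
    ("T-101", "critical", "2005-06-01T02:00:00", "2005-06-01T02:20:00"),  # 20 min, met
    ("T-102", "critical", "2005-06-03T14:00:00", "2005-06-03T15:05:00"),  # 65 min, missed
    ("T-103", "high",     "2005-06-10T09:00:00", "2005-06-10T10:30:00"),  # 90 min, met
    ("T-104", "medium",   "2005-06-15T11:00:00", None),                   # never acked, missed
]

def evaluate_sla(tickets, period_end):
    """Score each ticket against its SLA target and total the credits owed."""
    end = datetime.fromisoformat(period_end)
    report = {"tickets": [], "met": 0, "missed": 0, "credit_percent": 0.0}
    for ticket_id, severity, raised, acked in tickets:
        raised_at = datetime.fromisoformat(raised)
        # Unacknowledged tickets are measured against the end of the reporting
        # period, so a silent provider cannot look compliant by never replying.
        acked_at = datetime.fromisoformat(acked) if acked else end
        elapsed = acked_at - raised_at
        target = SLA_TARGETS[severity]
        met = acked is not None and elapsed <= target
        report["tickets"].append({"id": ticket_id, "severity": severity,
                                  "elapsed_min": elapsed.total_seconds() / 60,
                                  "target_min": target.total_seconds() / 60, "met": met})
        if met:
            report["met"] += 1
        else:
            report["missed"] += 1
            report["credit_percent"] += CREDIT_PERCENT_PER_MISS[severity]
    report["credit_percent"] = min(report["credit_percent"], CREDIT_CAP_PERCENT)
    total = report["met"] + report["missed"]
    report["compliance_percent"] = 100.0 * report["met"] / total if total else 100.0
    return report

if __name__ == "__main__":
    r = evaluate_sla(SAMPLE_TICKETS, "2005-06-30T23:59:59")
    for t in r["tickets"]:
        status = "met" if t["met"] else "MISSED"
        print(f'{t["id"]} {t["severity"]:8} {t["elapsed_min"]:7.0f} min (target {t["target_min"]:.0f}) {status}')
    print(f'compliance {r["compliance_percent"]:.1f}%, credit owed {r["credit_percent"]:.1f}% of monthly fee')
```

Run monthly against the provider's own portal export and keep the output; it is the documented performance record the text recommends, and the basis for claiming the credits.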
Simon Halberstam, partner and head of e-commerce law at Sprecher Grier & Halberstam LLP and Weblaw, said companies also need to be careful in negotiating contracts with MSSPs. "If you just accept the suppliers' standard terms and conditions, you might be in difficulty," he warned.
He adds that if the supplier is seriously in the wrong, it "might be possible to argue that it has committed a 'repudiatory breach,' bringing the agreement to an end summarily."
And what will your MSSP do in the event of a disaster? SLAs are a great guide to an MSSP when you are negotiating a contract, but of little use when you are enduring downtime or suffering from impaired performance and all you want to do is get your service up and running again.
"Don't be afraid to ask your vendor about its business continuity plan," said Carl Windsor, chief technical consultant of managed data center services firm TeleCity. "Examine its plans for infrastructure failure, and ask how its equipment is supported and how quickly a replacement will be shipped. Asking these questions early on will save problems further down the line."
The bottom line appears to be that a relationship with an MSSP, like any other close partnership, needs to be worked at. Hageman argues that a relationship with an MSSP is like a marriage.
"For an MSSP to work, it needs to be properly managed: Companies that simply throw the problem at their MSSP and walk away will not achieve the full benefits available and might be putting their systems at risk," he said.