There is a growing trend in businesses to outsource their IT Security to Managed Security Service Providers (MSSP). I’ll be upfront and state that I was not a big fan of this, as I believed that IT security is too important to pass off to a 3rd party, especially with the financial institutions who I mainly work with. But there is a growing body of research that finds that there are some areas where it may be worthwhile considering outsourcing.
What does an MSSP do?
MSSPs provide a variety of services, such as:
- Security monitoring – monitoring of firewalls, intrusion detection/prevention systems (IDS/IPS), system logs, etc.
- Managed Spam Services – scanning of email for Spam and malicious content
- Managed Storage Services – services such as backup/restore, archiving for compliance purposes, or disaster recovery services.
- Threat Intelligence – an aggregate warning system based on feedback from multiple end-users.
- Compliance auditing – auditing for compliance with government or other regulations
- Vulnerability assessments and Penetration testing – scanning and testing of systems for vulnerabilities
- Managed Network Services – monitoring of networks for performance and outage issues
- Identity and Access Management – services allowing authentication across heterogeneous systems, while maintaining compliance requirements
MSSPs are growing, and Gartner believes that the Managed Security Services (MSS) market will be worth US$2.1b in 2013, and projected to reach US$3.1b in 2013.
My concerns on IT Security Outsourcing
Firstly, let me mention my concerns about outsourcing the IT security function.
- Accidental/intentional leaking or theft of secret information by agents of the MSSP. This is my greatest concern, although it probably has the lowest chance of happening. Contrary to popular belief, few security professionals or agencies are willing to risk their reputations to steal or leak data, but it can happen (think of Edward Snowden). An MSSP may have access to a lot of systems and data, and does pose a risk. Detecting this risk is difficult: you can monitor for unauthorised access, but how do you monitor for misuse of data that the MSSP must access to perform its duties?
- The MSSP goes out of business. Don’t think that this can’t happen, because it has happened before, and it will happen again. What happens when your MSSP goes dark? Do you have a contingency? Without the experience in-house, and given the time it would take to find another MSSP, you will be placed in a very risky situation.
- The MSSP fails to perform as expected. So you have a breach, and customer data is purloined, while your MSSP was supposed to be monitoring for intrusions. Who is held responsible? You can outsource your activities, but you can’t outsource your responsibilities; you are ultimately accountable for securing your systems.
Are there advantages?
There are several advantages of MSSP.
- Lower cost. This is often the main advantage cited by enterprises for going with an MSSP, but, I warn you, it should not be the only reason for outsourcing. Because of economies of scale, an MSSP can charge a fraction of what it would take to outfit your organisation – hardware, software and people – to provide the same services.
- Greater expertise. Because an MSSP is specialised, it is more likely to have a higher calibre of security professional within its team. Additionally, because it is exposed to the systems of other organisations, it can develop best practices that it can then apply to your organisation.
- Greater intelligence. Again, the MSSP has data coming in from several organisations, and is in a position to capture events before they strike your enterprise. It could even develop new ways of analysing data to improve detection of threats.
- Greater scalability. The services of an MSSP can be scaled up or down with little effort on the organisation’s part.
Can you have your cake and eat it too?
Now, you have to admit, those are pretty good advantages. So how can you get those advantages while addressing the risks?
Firstly, build your own capabilities. Discovering possible leaks or attempts means that you must have the necessary skills in-house. This team does not have to be big – 1 or 2 persons – as the bulk of the operational work will be performed by the MSSP. The in-house team will be responsible for managing the IT security systems, and for ensuring that the MSSP is on the up and up.
Secondly, keep your IT security management in-house. Outsource the monitoring and testing activities, such as monitoring of system logs and IDS/IPS systems, and vulnerability and penetration testing, but keep the management and configuration of the systems being monitored or tested with your in-house staff.
Thirdly, build a relationship with the MSSP and audit them regularly, to ensure that they have the proper policies in place and that they are following them. Also, check their audited financials to look out for red flags pointing to a failing business model.
Lastly, build your service level agreements and payment contracts based on performance. That is, your MSSP must perform to a certain standard to be remunerated for its services. These standards must be SMART – Specific, Measurable, Attainable, Realistic and Time-Related – and reasonable. Remember that, when negotiating with an MSSP, this is a partnership, not a battle; always aim for win-win.
At first I was extremely wary of outsourcing IT security functions. I still take the position that if an organisation is able to, it is preferable to have an in-house IT security team for all aspects of IT security. But the more I look at the services that MSSPs provide, and the benefits that enterprises can obtain, the stronger the case for outsourcing those aspects that an organisation is unable to undertake itself.