Guns for hire: Choosing a MSSP for your business
6 min read
26 September 2013
If you’re thinking of outsourcing IT security, here are the key issues you should consider when looking to hire a service provider.
When it comes to IT security, it’s hard for most companies not to feel outgunned by attackers. Over the past ten years, spending by businesses on security has not changed dramatically – it’s usually between five and ten per cent of an organisation’s overall IT budget. But for many, this investment isn’t keeping pace with the growing volume and severity of threats from cyber-criminals
In its 2013 security survey, the UK Government found that small businesses are facing a greater threat of their networks being breached through cyberattacks than ever before. Astonishingly, 87 per cent of businesses with up to 250 employees, across all industry sectors, were breached during 2012, up from 76 per cent in 2011. Furthermore, the average cost of these breaches was between £35,000 and £65,000, mostly in remedial measures to fix the damage caused.
So, it’s no surprise that security as a service (SECaaS) is so enticing to businesses: offering a way to access security expertise and in-depth security knowledge to enhance protection for your networks and data, without the overhead of purchasing additional, upgraded security solutions or hiring experts. These services hold the promise that the managed security service provider (MSSP) will handle the awkward, costly parts of security, giving you levels of protection and defences that are usually the preserve of the largest enterprises.
However, handing responsibility for protecting an organisation to a third party can still seem like a leap of faith. What does the company need the service provider to do? What qualities should they look for in a managed security service provider? How should they go about choosing a trustworthy partner?
Here’s a guide to help in answering these critical questions.
Decisions on defence
The first step is to choose which elements of network security you want to outsource. Perimeter security is commonly handled by MSSPs, simply because managing and updating firewalls can be time consuming, and also because modern firewalls can be provisioned with additional advanced security features to protect against intrusion, hacking and a range of new threats.
This enables companies with older firewalls and security equipment to avoid capital costs for upgrading or replacing existing solutions. It also allows them to enhance and consolidate overall protection with additional integrated security functions, such as application control (enabling companies to manage which Web and social media apps their employees can access), user identity awareness, anti-virus, anti-spam, intrusion detection and prevention, web content filtering and managed remote access. This saves companies further costs, as they do not need to invest in purchasing or managing solutions to provide these additional functions.
At your service
To help you choose the protections you need, a good MSSP should advise you on how relevant these services are to your organisation’s set-up, and help in tailoring a package that fits your needs, with scope for future expansion if necessary. Then you can evaluate the service-level agreement (SLA) that the MSSP is offering.
This should clearly spell out the terms of the relationship, including what specific services are covered, the processes for security handling breaches, incident response times, and so on. The SLA should also cover points such as security management and product update tasks, security rule changes and clearly state time frames for these. As it’s the contract between your company and the MSSP, the SLA should also cover access to information – allaying fears around sensitive company data being available to a third party.
The SLA should summarise these points, and state a clear monthly service fee for your intended SECaaS usage. Remember also to ask about the cost implications if you need to expand or shrink your use of the service, or add new services.
Before committing to an MSSP, it’s worth checking into their reputation and financial stability, for obvious reasons. Ask which customers they manage in your industry sector. Can they provide references for you? Can they provide evidence of their financial position and resources, to ensure they can continue delivering services to their clients?
Also, with headlines continuing over the NSA’s PRISM surveillance project, which has allowed large-scale access to organisations’ data traffic and activity without their knowledge or permission using possible backdoors in networking equipment such as security gateways and firewalls, ask the MSSP which vendors’ equipment they use. With so many established vendors implicated in PRISM, it’s worth evaluating alternative equipment providers that have not been tainted by this loss of trust.
Trust – but verify
Finally, when an agreement is in place, it’s worth checking the MSSP’s services from time to time. Ask them for reports on updates deployed, on spam stopped, or on attacks prevented. A good partner should provide integral reporting as part of its service. You should also arrange regular review meetings. In the final analysis, irrespective of which services you outsource to an MSSP, make sure that you build a relationship that’s based on trust.
David Sandin is product and solutions manager at Clavister AB.