
Introduction

It's the middle of the night. A shadowed figure crouches by the window. He retrieves a menacing instrument and begins fiddling with the lock. But the intruder won't get far: the homeowners have contracted a security provider to monitor a tight alarm system, or so they thought.

Actually, the security company has recently gone out of business and failed to notify its customers. As the intruder makes his way into the house, no alarm sounds, no police units are notified. The masked trespasser is allowed to continue his prowl, snatching valuables, including ... the computer.

This scenario describes an invasion no one would want to encounter at home or the office. However, various companies have experienced an electronic invasion when they worked to set up an impenetrable security management program for the corporate network, only to find the security partner unreliable.

According to Gartner, more than $1 billion in venture capital has been pumped into start-up managed security services providers (MSSPs). Last year a few high-profile MSSPs abruptly folded, leaving customers stranded with no recourse. As a result, companies considering outsourcing the management of their information security are understandably wary. Gartner predicts that more MSSP organizations will fail, and numerous mergers and acquisitions will take place before the market settles. For this reason, it is imperative that organizations take precautions to thoroughly analyze potential MSS vendors.

As the final article in a three-part series on outsourcing security, the following article provides guidelines for selecting a dependable managed security services provider.

This is Part 3 of a 3-part article.

Part 1 noted the benefits of outsourcing security.

Part 2 evaluated the cost of such an outsourcing.

Part 3 provides guidelines for selecting a security services provider.

Finding What You Want

Businesses turn to outsourced security or managed security services (MSS) in order to protect their information assets more efficiently and effectively. MSS encompasses various types of services, including consulting, remote perimeter management, managed security monitoring, vulnerability/penetration testing and compliance monitoring. Choosing a managed security company is similar to choosing any other key IT vendor, except that organizations can't afford downtime if the vendor fails.

Properly identifying and evaluating the risks and benefits of outsourcing security can seem like a daunting task. Considerable study and extreme care must be given to weighing factors of managed security services providers, such as:

  • Staying power of the company
  • Expertise of security professionals
  • Range and flexibility of the services
  • Cost benefits
  • Security philosophy, culture, and people
  • Commitment to service-level agreements
  • Support technology
  • Existence of secure operations facilities

Vendor Stability

Since the MSSP industry is still fairly young, there are no established standards companies can use to compare providers. For this reason, experts point to the importance of investigating vendors thoroughly before signing any contracts. They recommend requesting documentation and other information to substantiate strengths, experience, and success in the following areas:

  • Financial stability
    To withstand the fluctuation of the current economy, the provider should be well-funded and have a wide client base across which to spread costs. Organizations should ask themselves, "Is there a chance this company will close its doors within the next two years due to lack of capital?"

  • Years in business
    While outsourced security services are fairly new, security products and companies are not. A provider with several years in the security business offers valuable experience and stability.

  • MSS experience
    Clients should ask for biographies of personnel managing the MSSP. Note background and leadership skills, among other items. Effective leaders are capable of motivating team members to be disciplined and dedicated to the detailed security tasks.

  • Customers
    While investigating, organizations should ask how long the average client relationship has lasted and ask for comments from existing customers regarding the services provided.

  • Reputation
    Clients may take note of comments from third parties, such as analysts and industry trade writers. However, this should not replace a thorough, in-person investigation.

Breadth of Offerings

Companies evaluating MSSPs should also consider:

  • How new managed security services are implemented
  • Technologies, strengths, and weaknesses in the security services arena
  • Expertise of the MSSP staff
  • Related consulting or educational services offered by the security company

In addition, organizations should determine whether the MSSP's offerings are flexible and broad enough to meet the company's current and future needs. Companies can evaluate MSSP management, monitoring, and response techniques by asking:

  • What products and technology does the MSSP support? Does the provider maximize use of existing security products by assisting with installation, implementation and integration?

  • How will the MSS staff operate in an emergency?

  • Does the MSSP have contingencies for quickly adding specialized consultants should the additional expertise become necessary?

  • Are the service-level agreements stringent and flexible? Are there other features that mitigate potential security breaches, reduce liability, and provide peace of mind?

  • Does the MSSP offer guaranteed response times, including set levels of response per severity of threat?

Organizational Support

When determining the level of organizational support that the MSSP can provide, companies should ask:

  • Does the MSSP have access to or own any security operations center (SOC) facilities? Are the facilities equipped for redundancy? What other features are in place to ensure robust operations?

  • What are staffing practices? How does the MSSP screen potential employees?

  • How is the staff retained and compensated?

  • Is the MSSP able to hire and retain staff with sufficient skills to support the enterprise? Does the MSSP require and support continued training?

  • How does the MSSP ensure client confidentiality?

  • Is the MSSP business environment "always-on," with employees watching clients' networks and ensuring protection at all hours?

Companies should also ask about the MSSP's research and development departments, and funding for these areas:

  • How is the MSSP staff kept abreast of the latest security industry trends? Does it have a research organization dedicated to staying abreast of the latest cyber threats, vulnerabilities, hacker techniques, and security developments? Does it constantly monitor security alerts and advisories?

  • What specialized knowledge and security expertise does the MSSP staff have?

Conclusion

When looking to hire an MSSP, companies should take the time to investigate vendors thoroughly. Some experts recommend conducting an audit when the service starts and then another audit one year later to help benchmark the value obtained from the service.

With the right choice, an outsourced service serves as a security partner who shares the burden and the responsibility of an organization's security management and incident response and enables the company to operate confidently in a connected world.

This concludes Part 3 of a 3-part article.


About the Author

Jim McLendon, Vice President of Symantec Security Services Global Business Development, has more than 40 years of experience in information security and information operations. McLendon joined AXENT, and subsequently Symantec through acquisition, after a distinguished career with the United States Air Force. As a retired colonel, he has a wealth of expertise and command experience in special operations, intelligence, electronic warfare, and information warfare. He has managed large, diverse, and geographically separated organizations, with leadership responsibilities for more than 2,100 highly technical personnel. Much of his career was spent in locations such as Taiwan, Vietnam, the United Kingdom, and Germany.

McLendon is a graduate of both the Air Force's Air War College and Air Command and Staff College. He earned his Master of Science degree in Human Resources Management from Troy State University and his Bachelor of Arts degree in Management from the University of Maryland.

He can be reached at Jmclendon@symantec.com. For more information on Symantec Security Systems, go to www.symantec.com.


 


©2013 Technology Evaluation Centers Inc. All rights reserved.