Outsourcing Security
Part 3: Selecting a Managed Security Services Provider
Jim McLendon -
4/11/2002
Introduction
It's the middle of the night. A shadowed figure crouches by the window. He retrieves a menacing instrument and begins fiddling with the lock. But the intruder won't get far: the homeowners have contracted a security provider to monitor a tight alarm system, or so they thought.
Actually, the security company has recently gone out of business and failed to notify its customers. As the intruder makes his way into the house, no alarm sounds and no police units are notified. The masked trespasser is free to continue his prowl, snatching valuables, including the computer.
This scenario describes an invasion no one would want to encounter at home or at the office. Yet various companies have experienced its electronic equivalent: they set up what they believed was an impenetrable security management program for the corporate network, only to find the security partner unreliable.
According to Gartner, more than $1 billion in venture capital has been pumped into start-up managed security services providers (MSSPs). Last year a few high-profile MSSPs abruptly folded, leaving customers stranded with no recourse. As a result, companies considering outsourcing the management of their information security are understandably wary. Gartner predicts that more MSSP organizations will fail, and that numerous mergers and acquisitions will take place, before the market settles. For this reason, it is imperative that organizations thoroughly analyze potential MSS vendors before committing to one.
This is the final article in a three-part series on outsourcing security; it provides guidelines for selecting a dependable managed security services provider.
This is Part 3 of a 3-part article.
Part 1 noted the benefits of outsourcing security.
Part 2 evaluated the cost of such outsourcing.
Part 3 provides guidelines for selecting a security services provider.
Finding What You Want
Businesses turn to outsourced security or managed security services (MSS) in order to protect their information assets more efficiently and effectively. MSS encompasses various types of services, including consulting, remote perimeter management, managed security monitoring, vulnerability/penetration testing and compliance monitoring. Choosing a managed security company is similar to choosing any other key IT vendor, except that organizations can't afford downtime if the vendor fails.
Properly identifying and evaluating the risks and benefits of outsourcing security can seem like a daunting task. Organizations should study and weigh the following attributes of a managed security services provider with care:
- Staying power of the company
- Expertise of its security professionals
- Range and flexibility of the services
- Cost benefits
- Security philosophy, culture, and people
- Commitment to service-level agreements
- Support technology
- Existence of secure operations facilities
Vendor Stability
Since the MSSP industry is still fairly young, there are no established standards companies can use to compare providers. For this reason, experts stress the importance of investigating vendors thoroughly before signing any contracts. They recommend requesting documentation and other information to substantiate the vendor's strengths, experience, and success in the following areas:
- Financial stability. To withstand fluctuations in the current economy, the provider should be well-funded and have a wide client base across which to spread costs. Organizations should ask themselves, "Is there a chance this company will close its doors within the next two years for lack of capital?"
- Years in business. While outsourced security services are fairly new, security products and companies are not. A provider with several years in the security business offers valuable experience and stability.
- MSS experience. Clients should ask for biographies of the personnel managing the MSSP and note their background and leadership skills, among other items. Effective leaders are capable of motivating team members to be disciplined and dedicated to detailed security tasks.
- Customers. Organizations should ask how long the average client relationship has lasted and request comments from existing customers regarding the services provided.
- Reputation. Clients may take note of comments from third parties, such as analysts and industry trade writers. However, this should not replace a thorough, in-person investigation.
Breadth of Offerings
Companies evaluating MSSPs should also consider:
- How new managed security services are implemented
- Technologies, strengths, and weaknesses in the security services arena
- Expertise of the MSSP staff
- Related consulting or educational services offered by the security company
In addition, organizations should determine whether the MSSP's offerings are flexible and broad enough to meet the company's current and future needs. Companies can evaluate MSSP management, monitoring, and response techniques by asking:
- What products and technology does the MSSP support? Does the provider make the most of existing security products by assisting with installation, implementation, and integration?
- How will the MSS staff operate in an emergency?
- Does the MSSP have contingencies for quickly adding specialized consultants should additional expertise become necessary?
- Are the service-level agreements stringent yet flexible? Are there other features that mitigate potential security breaches, reduce liability, and provide peace of mind?
- Does the MSSP offer guaranteed response times, including set levels of response per severity of threat?
Organizational Support
When determining the level of organizational support the MSSP can provide, companies should ask:
- Does the MSSP have access to or own any security operations center (SOC) facilities? Are the facilities equipped for redundancy? What other features are in place to ensure robust operations?
- What are the MSSP's staffing practices? How does it screen potential employees?
- How is staff retained and compensated?
- Is the MSSP able to hire and retain staff with sufficient skills to support the enterprise? Does it require and support continued training?
- How does the MSSP ensure client confidentiality?
- Is the MSSP's business environment "always-on," with employees watching clients' networks and ensuring protection at all hours?
Companies should also ask about the MSSP's research and development departments, and the funding for these areas:
- How is the MSSP staff kept abreast of the latest security industry trends? Does it have a research organization dedicated to tracking the latest cyber threats, vulnerabilities, hacker techniques, and security developments? Does it constantly monitor security alerts and advisories?
- What specialized knowledge and security expertise does the MSSP staff have?
Conclusion
When looking to hire an MSSP, companies should take the time to investigate vendors thoroughly. Some experts recommend conducting an audit when the service starts and then another audit one year later to help benchmark the value obtained from the service.
With the right choice, an outsourced service serves as a security partner who shares the burden and the responsibility of an organization's security management and incident response and enables the company to operate confidently in a connected world.
This concludes Part 3 of a 3-part article.
About the Author
Jim McLendon, Vice President of Symantec Security Services Global Business Development, has more than 40 years' experience in information security and information operations. McLendon joined AXENT, and subsequently Symantec through acquisition, after a distinguished career with the United States Air Force. A retired colonel, he has a wealth of expertise and command experience in special operations, intelligence, electronic warfare, and information warfare. He has managed large, diverse, and geographically separated organizations, with leadership responsibilities for more than 2,100 highly technical personnel. Much of his career was spent in locations such as Taiwan, Vietnam, the United Kingdom, and Germany.
McLendon is a graduate of both the Air Force's Air War College and Air Command and Staff College. He earned his Master of Science degree in Human Resources Management from Troy State University and his Bachelor of Arts degree in Management from the University of Maryland.
He can be reached at Jmclendon@symantec.com, or for more information on Symantec Security Services, go to www.symantec.com.