Choosing an MSSP
- Password, January 2007
Outsourcing security to a managed security service provider (MSSP) can be a nerve-wracking proposition. Pick the right one and you’ll substantially reduce your concerns. Pick the wrong one and a whole slew of sleepless nights is on its way. How, though, do you pick the MSSP that best suits your organisation?
First, decide what needs securing. This may seem obvious, but until you know what your assets are, what the risks to them are, how much defence they need and what it will take to defend them, you can’t be sure what security you need.
After taking an inventory and drawing up a security policy, you can then decide what types of security you’ll need and whether you want or can afford to do it yourself.
“I’m adamant about not using third parties, but it’s impossible to do everything yourself,” says Paul Brown, group IT manager at healthcare recruitment agency Reed Health. “Setting up VPNs can be extremely boring, and getting someone doing just that will cost £40,000-45,000. You can outsource for a lot less.”
And Dave Southwood, group infrastructure and IT security manager at manufacturer Smiths, says, “In manufacturing, we never stop: we follow the sun. Once we added up the numbers for security staff, 24/7/365, we decided the cost would be quite phenomenal. By outsourcing, we were getting savings as well as benefits.”
To decide what risks you may be facing, look at what your security infrastructure’s logs reveal about attempted intrusions, if you have such logs. If you have no existing information on which to base the decisions, trial and demonstration versions of security equipment and services can help you gather it.
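As an added example (not part of the original article), the kind of first pass a small team can make over its own firewall logs before talking to an MSSP: parse the lines, count what was dropped, and pick out sources that probed several ports. The log lines below are constructed in the style of Linux netfilter kernel log output with a `DROP`/`ACCEPT` log prefix; the addresses, the prefix format and the threshold of three distinct ports are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not captured traffic) in the style of netfilter
# kernel log output where the rules use "DROP" and "ACCEPT" as log prefixes.
SAMPLE_LOG = """\
Jan 12 03:14:07 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22
Jan 12 03:14:08 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=23
Jan 12 03:14:09 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=445
Jan 12 03:14:10 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51237 DPT=3389
Jan 12 03:14:11 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51238 DPT=1433
Jan 12 03:15:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
Jan 12 03:15:03 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
Jan 12 03:15:04 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=22
Jan 12 03:16:40 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
Jan 12 03:17:00 fw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.20 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=443
"""

# Assumed line format: "<ts> <host> kernel: <PREFIX> IN=... SRC=... DST=... PROTO=... [SPT=... DPT=...]"
LINE_RE = re.compile(
    r"kernel: (?P<action>DROP|ACCEPT) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_lines(text):
    """Return one dict per recognisable log line; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall log line we understand
        events.append(m.groupdict())
    return events


def summarise_drops(events, scan_threshold=3):
    """Count dropped packets by source and by destination port, and list
    sources that touched at least scan_threshold distinct ports (probable scans).
    The threshold is an assumption; tune it to your own traffic."""
    drops = [e for e in events if e["action"] == "DROP"]
    by_src = Counter(e["src"] for e in drops)
    by_dport = Counter(e["dpt"] for e in drops if e["dpt"])
    ports_per_src = defaultdict(set)
    for e in drops:
        if e["dpt"]:
            ports_per_src[e["src"]].add(int(e["dpt"]))
    scanners = sorted(src for src, ports in ports_per_src.items()
                      if len(ports) >= scan_threshold)
    return {"drops": len(drops), "by_src": by_src,
            "by_dport": by_dport, "scanners": scanners}


if __name__ == "__main__":
    summary = summarise_drops(parse_lines(SAMPLE_LOG))
    print("dropped packets:", summary["drops"])
    print("top sources:", summary["by_src"].most_common(3))
    print("top target ports:", summary["by_dport"].most_common(3))
    print("likely port scanners:", summary["scanners"])
```

Run against a week of real logs, the same three numbers (volume, noisiest sources, most-targeted ports) are what you want in hand when an MSSP asks what you need protecting: they turn "we think we get attacked" into something you and the provider can both size.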
There will almost certainly be some “nice to haves” that you might be tempted to add to the list at this point, so use this process to see whether you really do need them. If you’re a high-profile company, you might also find that the skills necessary to demonstrate compliance with legislation significantly increase costs. If so, a suitably global and experienced MSSP is worth considering.
Once you’re clear about what you need to outsource, you can look for an MSSP. It’s usually worth finding an MSSP of comparable size to your organisation: a small organisation might find itself low priority at a large MSSP, and a large organisation’s needs might well swamp a small MSSP. You can also consider ‘blended’ approaches: mix your own team with an MSSP’s, use multiple MSSPs for different tasks, pick MSSPs that specialise in particular services or in the hardware you already have, and so on. However, blended approaches require more in-house management, the one thing you should never outsource.
As well as having the resources to deal with your requirements, an MSSP should be able to advise and work with you as a partner, giving you regular updates on services, threats, possible problems and so on. Indeed, while looking for an MSSP, you may find prospective partners are able to advise you on how best to get the most from your budget and what you might genuinely need to worry about. Reed Health’s Brown, for example, now uses his MSSP not just for its security provisioning and management, but also for advice on security threats. “It’s like having an expert on the team that I can’t afford.”
You should also ensure, through service level agreements, that there is sufficient incentive for your security to remain their priority. Smiths’ Southwood advises potential MSSP customers, “You’ve got to be happy with the organisation you’re dealing with. You have to know what you want, with SLAs that lay down the statement of requirements.” Make sure you can update the SLAs at a later date and that you have independent ways of determining whether the MSSP is meeting them: a “penetration testing” company, for example, can try to penetrate the network security provided by the MSSP to check it’s doing the job promised.
Picking an MSSP is as much about determining what you need as it is about picking a provider. Choose a company that best fits with your organisation and can be your partner, not just a black box into which you throw your security worries.
