Rob Buckley – Freelance Journalist and Editor

MSSPs: At your service

With security becoming increasingly complex to manage, formerly reluctant organisations are embracing outsourcing, says Rob Buckley.

Patch prioritisation is also seeing increasing interest. With so many patches for a multitude of applications and operating system components being produced, organisations are now willing to pay MSSPs to prioritise patches, so that the most urgent releases are administered immediately.

Ryan Kalember, MSS consultant at VeriSign, sees it as part of the “third phase” in the evolution of managed security services.

“MSS was originally about filling skills gaps and really only addressed small and medium-sized businesses,” he says. “The next phase was about getting more value out of significant investments in technology, such as intrusion detection systems, which generates loads of alerts that are useless unless anyone looks at them and does something. The second evolution was when large companies got the religion. The third is more about being proactive and getting insight into areas.”

As Reed Health's Brown shows, customers are increasingly looking for greater sophistication from their MSSPs. Medium-sized and larger organisations in particular want a relationship that is more of a partnership. “We don't get anywhere unless we have a relationship with customers and in-depth meetings,” confirms Russell Poole, director of professional services at Netstore.

CyberTrust's Vansevenant says his company typically has monthly review meetings with clients, where both parties discuss what actions might be needed. This not only improves the organisation's security, it also helps to alleviate any worries the customer might have about handing security over to a third party.

A question of trust
These concerns are not entirely unfounded. When US-based MSSP Pilot Network Services went bankrupt in 2001, more than 200 customers were forced to find new MSSPs or take security back in-house. At the time, Pilot was an eight-year-old company with around 400 staff, so it seemed a reasonable bet. Yet it went under so swiftly that clients found themselves sending their own staff to man Pilot's operations centre while they tried to recover, or bringing in ex-Pilot employees as consultants to help recover their lost services. The history of IT is littered with the debris of outsourcing deals that went wrong and needed to be “backsourced”, such as Sainsbury's deal with Accenture and JPMorgan Chase's IBM deal.

Clearly, as with any outsourcing service, some kind of back-up plan is prudent, even if, compared with 2001, there are now far fewer reasons for concern about the average MSSP. The slow but steady weeding out of minor players over the years and the acquisition of major players, such as RedSiren, ISS, NetSec and GuardedNetworks, by even larger players including Symantec, IBM and MCI have made a collapse far less likely.

The commoditisation of certain services, such as firewalling, also makes it easier to switch supplier when deals go bad, as do “in-the-sky” services that rely on various rules on remote systems, which can be easily duplicated.

A careful balancing act
But deciding how much of the company's security to hand over to an MSSP is itself part of the third phase described by VeriSign's Kalember: risk management.

Determining the exact balance between in-house and outsourced security and deciding what aspects of security to worry about are now necessary requirements of almost any IT security department's job.
