Rob Buckley – Freelance Journalist and Editor

MSSPs: At your service

With security becoming increasingly complex to manage, formerly reluctant organisations are embracing outsourcing, says Rob Buckley.

“There are one or two things I would always hold out against outsourcing,” says Mick Creane, a security consultant at BT. “One is policy. The other is responsibility.” An organisation can outsource security to an MSSP, but only it can decide what to do in the event of an incident. “With any outsourcing deal, you have to understand the reasons why you're doing it, then set the objectives and requirements,” warns Creane. “What are your crown jewels that you have to keep in-house? What are realistic service levels? How will you monitor them?”

As different kinds of threats emerge in the future, MSSPs are going to change the services they provide to match. Many will specialise; others will remain generalist, one-stop MSSPs that provide all the services a client needs. Whatever happens, the market for their services seems only likely to grow.

CASE STUDY: SMITHS
With five divisions including aerospace, specialty engineering and security screening, global engineering group Smiths's security needs vary from “the sublime to the ridiculous”, according to Dave Southwood, group infrastructure and IT security manager. Its manufacturing division, which produces, among other things, seals for its aerospace products, clearly needs less security than divisions handling government contracts, and so had evolved security systems to match.

Six years ago, Smiths realised that the varying security arrangements across divisions were undermining those parts that had the tightest requirements.

So the company chose to re-architect its security so that every division's network would have the same minimum standard as that needed by the most secure.

However, upon examining the staffing and skills levels required to provide this level of security, 24/7, across all its global offices, Smiths discovered that the cost would be prohibitive.

The company already had experience of outsourcing, having contracted MCI to look after its wide area network infrastructure. Smiths chose CyberTrust as its MSSP. Fundamental to the change was a reduction in the number of internet gateways from 150 to two to make it easier to control internet traffic. CyberTrust also set up firewalls, IDS, anti-virus and content filtering at the perimeter, all of which it manages.

“It's ideal for us,” says Southwood. “Now, instead of chasing around updating AV and perusing firewall logs, we can spend more time looking at processes.”

Southwood advises that to benefit from an MSSP, an organisation has to be happy with the provider, has to know what it wants and has to lay down an explicit list of requirements and service-level agreements from the beginning.

IBM AND ISS: WISE MOVE?
If there's one common theme to analysts' reactions to IBM's planned $1.3 billion (£700 million) acquisition of security vendor ISS, announced in August, it's slight bafflement. Khalda Parveen, senior research analyst at Gartner, comments: “I get it from the services perspective, but not the product perspective.”
