- Longevity. A reliable MSSP should have a proven track record of delivering quality security services over a long period of time.
- Annual revenues. Check the financial stability of the MSSP. Gartner estimates that a publicly traded MSSP should have more than $10 million in annual MSSP contracts. This figure indicates a base of revenue that can support growth and enhancement of services.
- State-of-the-art facilities. A reliable MSSP will have two or more security operations centers that run 24x7x365. This allows for cross monitoring, backup in the event of disaster, and constant compliance with security standards.
- Management credentials. Look for MSSP management and staff with backgrounds in the industrial, military and government sectors. Check for MSSP staff education and certifications to see whether they evoke confidence, whether personnel are permanent or contracted, and whether they are vetted.
- References. Providers tend to give only those references that are sure to check out well. On an on-site visit, be sure to speak to some of the MSSP’s employees. They may give you more candid information than your main contact would.
- Security management processes. An MSSP should provide documented standards and policies for handling operations and threats. Additionally, the MSSP should offer a variety of attack alert notification methods that will allow you to mitigate risk in real time.
- Global intelligence. To provide real-time alerts and timely recommended actions, an MSSP should have security experts who monitor and analyze data from customers around the world.
- Breadth of services. Besides providing a wide variety of services, an MSSP should be able to meet security needs for a broad selection of companies in different sectors.
- Real-time analysis and response. An MSSP should be able to separate false positives from real security threats by correlating, analyzing and interpreting large volumes of network security data accurately in real time.
- Vendor neutrality. Personnel at an MSSP should include specialists with certification across a broad range of products from a variety of security vendors. This allows the MSSP to select best-of-breed solutions without bias.
- Auditing. A reliable MSSP should have a third-party auditor who validates and certifies procedures, practices and facilities. An audit report should be readily available to customers on a regular basis and/or upon request.
- Reporting. Reports should be detailed enough to help you determine the cost-effectiveness of the managed services and validate security efforts. The MSSP should be able to consolidate and analyze security log data. It must also be capable of stringent compliance reviews.
- Consulting. Because it continuously manages and monitors the security operations, the MSSP should be capable and willing to help develop a company-wide security policy that sets access control rules for customer employees.
- Contract. Is the service time-based and monolithic or can the ultimate objective be broken down into small deliverables purchased a la carte? Companies should consider whether there are economies built into the monolithic contract or whether it’s preferable to purchase small deliverables without committing to a monolithic fee that covers a large project or period of time.
If you outsource, you’ll want to make certain that the outsourcing deal offers you a proven return on investment. Realizing a concrete ROI may take time, but you can use these guidelines to assess your potential ROI.
- Contract. Once again, consider the contract and whether it’s monolithic or flexible. Consider what your firm needs for adequate security and what you can afford. Is it advantageous to pay a large sum for a complete service and long-term project or pay for smaller deliverables that are achievable, sufficient and less expensive?
- Consistent expertise. A service provider may show up for a sales meeting with top experts, but then deploy different personnel once the contract is signed. When that happens, a customer does not get the benefits expected. It’s important to find out the level of the service people to be assigned to your contract.
- Performance measurement. Define goals, deadlines, performance benchmarks and other deliverables and track MSSP performance. Ideally, the MSSP should do tracking while the customer does spot checks.
- Complaint handling. It is unrealistic to believe that there won’t be problems. Unfortunately, unless your contract clearly delineates a method for handling complaints, they won’t be handled quickly and efficiently. Monetary compensation and money-back guarantees are ways of handling complaints.
- Match cultures. Is the MSSP’s culture inclusive or exclusive? The best service provider offers information on demand and makes sure that questions don’t languish unresolved. This can involve service, equipment, personnel, subsidiaries and anything that affects your security.
- Travel expenses. Excessive travel and related expenses can negatively affect handling of security issues and run up related costs. It’s important to clarify prior to signing on with the MSSP how travel will be dealt with.
- Assess services. Auditing should provide you with a clear picture of what types of security issues were effectively handled by the MSSP and how many individuals were involved. Monitoring these issues and related costs should provide you with an understanding of which services under contract with the MSSP are used most and which services may not be necessary and might be better handled (at a cost savings) in-house.
Bigger Isn’t Better
One of the reasons that outsourcing network security is a controversial subject is that it hasn’t proven its worth to most major companies. However, major companies are not the only fish in the sea.
Small companies with fewer than 100 employees, and online companies that deal primarily in e-commerce and don’t have large IT staffs, consider an MSSP beneficial because they get state-of-the-art security without having to maintain a large technical staff and worry about security glitches and vulnerabilities.
Mid-sized companies with 100 to 1,000 employees and $100 million to $1 billion in revenue comprise the most rapidly growing segment of industry turning to MSSPs. They generally don’t have large, dedicated security staffs, and they use MSSPs to offload many of the routine security functions and time-consuming reports that they just don’t have the manpower to complete.
Larger companies frequently have sufficient staff assigned to network security to handle it internally. However, with new vulnerabilities and legal requirements, large firms are also looking seriously at outsourcing and whether it can be beneficial to them.
We can conclude that there isn’t a “best” model for outsourcing network security. Overall, time and experience will be the best test of whether outsourcing network security is a viable alternative for companies, and which companies will benefit the most from it.
D.E. Levine, CISSP, CFE, FBCI, CPS is a contributing editor and frequent contributor to ST&D. She has co-authored several security books and can be reached by e-mail at dlevine@techwriteusa.