Top Tips for Picking a Managed Security Services Provider
Choosing a security services provider can be tricky. We explain the key decisions you must make and the factors you should weigh.
By Grant Geyer
The managed security services market has come a long way. In its early days, managed security services providers (MSSPs) were typically smaller companies that offered large enterprises remote security capabilities. However, as the threat landscape grew more complex, compliance regulations increased, and information protection became a boardroom issue, the MSS market also evolved to meet changing demands.
As more organizations outsource some or all of their security rather than manage it in-house, finding the most appropriate MSSP is a business-critical decision. With such a wide range of MSSPs and their offerings available today, enterprises must understand and carefully weigh their security management options to ensure they select the right provider for their organization.
The Providers
Today's MSSP market comprises boutique pure-plays, enterprise pure-plays, telecommunications providers, and strategic outsourcers. Each category of provider offers benefits and challenges, so it is important to evaluate these providers in light of their suitability for an organization.
For example, the smaller, boutique pure-play providers typically specialize in managed security services, and some may also offer professional services on a small scale. Of course, security specialization is one of the greatest advantages of using a pure-play MSSP. However, while these boutique pure-plays have expertise in security, they might not have the scalability to address the entire range of security needs of many businesses. More importantly, the risks are often greater with boutique pure-plays. These smaller organizations may go out of business without warning, which leaves their customers unprotected until they can find another provider.
Like their boutique counterparts, enterprise pure-plays are also specialists in security. However, these organizations typically provide MSS as part of a much larger set of solutions. Because an enterprise pure-play has more resources available to devote to addressing customer issues, it gives enterprises a partner that can help effectively manage risk over both the short and long term.
A growing number of telecommunications providers now offer MSS as a component of other outsourced services. These providers often include a variety of built-in security capabilities, from firewalls to antivirus and intrusion detection. Organizations that work with a telecommunications provider enjoy a full turn-key solution, which minimizes the number of vendors they need to work with to get a problem resolved. However, organizations that require greater checks and balances between their security and IT functions will likely need to also work with an independent MSS pure-play provider that can provide much-needed validation.
Additional Considerations
Once businesses have selected the most appropriate category of MSSP, they can further evaluate vendors by considering several additional factors.
Perhaps one of the most important criteria to take into account when examining providers is longevity, particularly for organizations looking for a partner that will weather economic downturns and industry shakeouts. To that end, organizations are advised to partner with a stable vendor that has a proven track record of delivering quality services to a large number of clients over a long period of time.
Security and management experience is also vital. An MSSP with security experts who come from a range of backgrounds -- including industry, government, and even the military -- is more likely to have the broad expertise needed to address a sophisticated, changing threat landscape. Management expertise is also essential to ensure that business objectives are understood and addressed.
Ensuring a smooth and effective managed security program also requires an MSSP that provides broad support for multiple technologies. Some providers only manage specific security technologies, while others provide comprehensive multivendor support. In addition, the technology used to analyze and correlate data collected from multiple devices should enable rapid response while ensuring the scalability to support a growing number of managed devices. This technology should be supported by a security analyst who can separate real threats from false ones.
Security management processes are also an integral component of an effective MSSP offering. A provider must be able to deliver documented standards and policies for handling operations and threats as well as a variety of attack alert notification methods to help ensure that risks can be addressed in real time. What's more, the alerting process must be integrated with the capabilities of the organization's incident response processes and plans to streamline and enhance response.
Reporting capabilities play a key role in managed security services. Reporting should provide an enterprise-wide, real-time view into an organization's security posture and the effectiveness of the managed services. These reports should include information from any managed device as well as information about changes made to the devices, data from recommended responses, and details on the latest threats.
Organizations are also advised to look for an MSSP whose facilities, processes, and procedures have been validated and certified by a third-party auditor in the form of an ISO 27001 and/or SAS 70 Type II audit. These certifications highlight the emphasis the MSSP places on being a trusted advisor and demonstrate the provider's commitment to ensuring the integrity of its customers' information.
Finally, while nearly all large MSSPs have a security operations center (SOC), the most effective providers operate multiple SOCs from which they can globally monitor and manage security issues across an extensive client base. These centers must be run 24x7x365 not only to keep up with the latest threats but also to ensure business continuity. Organizations should be provided a full tour of the SOC, a thorough look at the technology in use, and opportunities to engage in dialogue with security experts.
Clearly, selecting the most appropriate MSSP requires careful consideration of both short- and long-term benefits. Each organization will come to a different conclusion about which type of provider is right for them.
Ultimately, however, the best choice will be the MSSP that allows the organization to maintain a strong security posture while enabling it to meet evolving needs in an increasingly complex, competitive business environment.
- - -
Grant Geyer is vice president of global managed security services at Symantec Corp. You can reach the author at grant_geyer@symantec.com.