Q&A: Top Tips for Outsourcing Security

Symantec's head of Managed Security Services offers his perspective on what you should look for when considering a move to outsourced security

What’s your take on outsourcing? No, not the contentious debate around whether American jobs get shipped overseas, but rather how companies can augment or supplant their information security resources. Think of it as outside help.

When it comes to security, many companies need it. An average of seven new vulnerabilities are discovered daily, and increasingly security managers are under the gun to remediate applications and devices quickly and effectively. No surprise, then, that even though security outsourcing only appeared a few years ago, the outsourcing market is in the midst of 19 percent annual growth, says Gartner Group, with annual revenues expected to grow from $547.8 million (in 2002) to $1.2 billion by 2006. In-Stat has a less-conservative prediction of almost $4.9 billion by 2006.

With more companies turning to managed security service providers (MSSPs) for help, Security Strategies spoke with Jonah Paransky from Symantec Managed Security Services about what they should look for when choosing an outsourcing service.

How do most companies approach outsourcing, or working with a managed security services provider today?

The original thought was they’d be very wary around partnering around security issues, but … I think the conversation shifted … to co-sourcing, [where] we’re providing valuable input back into their security teams, not trying to take away their mission-critical functions …. [Just look at] our Internet Security Threat Report. What it shows is the threat, severity, and number of attacks is steadily increasing, and … [companies want] a partner to improve their security and help prevent these attacks.

Is this trend toward using an MSSP specific to any industries or company sizes?

What we’ve found for even our largest financial services customers that might have large security staffs—we give them the information their staffs might need to better secure their systems over time … So they can spend their valuable time not having to hunt … knowing which systems to patch [first].

What drives a company to use your services initially?

It can be a large-scale infection that has caused a lot of loss inside their organization … auditors’ recommendations … a hack attack, or just [an evolution] within the organization itself.

How can customers know what they’re going to get—and continue to get—with an MSSP?

[A] rigorous third-party audit is probably the most critical mechanism. What we’ve done—and what we’ve found resonates very strongly with our customers—is going through several rigorous third-party audits so that we … [show we] say what we do and do what we say …. We also have BS [British Standard] 7799 in our operations centers around the world, proving that we take information security management systems as seriously as our customers do, and we also have SAS-70 Type 2.

What’s SAS-70 Type 2?

The AICPA [American Institute of Certified Public Accountants] put out an audit attestation requirement … and the one that we found most interesting is SAS-70 Type 2, for Statement of Accounting Standards Number 70. It’s in essence like a financial audit but done on IT controls. We’re the only MSSP that has both BS 7799 and SAS-70 Type 2 [certification]. Also, customers can rely on our SAS-70 Type 2 report as part of their internal audit process [for example for Sarbanes-Oxley] … instead of having to send someone out to our site [to perform the test as part of the company’s overall audit].

How important is it to visit a potential MSSP’s facilities?

Be sure to visit the provider. I don’t think you can make an effective choice [of] a security partner without meeting the people who do it, and seeing how their approach works. We like to say there’s a lot of marketecture --- people in their marketing can say whatever they want.

Are organizations today tending to outsource all security or just parts?

In the North American market, I think there’s definitely an understanding of partnering with an MSSP … In general we’re not finding most organizations want to abdicate their responsibilities [with] security. What they want is … to help make their [existing] security resources more effective.

Now, other customers, some have done large enterprise [mergers] and outsourced [IT afterwards], and security just goes with it, but we’ve seen interest in … bringing in an outside security partner as well. From a checks-and-balances perspective, many of our customers are finding it’s helpful to have a large IT outsourcer and a separate security provider to provide those two viewpoints. It’s just a classic checks-and-balances, a separation of duties issue.

What’s more typical now—having you help or run the whole security show?

Often organizations will bring us in to co-source with them, and that happens a lot. But typically it’s in conjunction with their internal teams. We might have a company-wide MSSP relationship … usually they also have some level of information security knowledge within the organization.

Are any industries especial users of MSSP help?

Yes. What we like to describe as the regulated industries: financial services, power and energy, and healthcare. Also industries that understand how to quantify loss—manufacturers, consumer goods, the kinds of organizations where they spend a lot of time trying to measure production and shipping. Because of Sarbanes-Oxley, we’ve [also] seen significant interest across the [whole spectrum of companies]; we haven’t found it’s limited to a niche. To be honest, we’re seeing interest across global types.

What sorts of day-to-day feedback should MSSP customers expect?

On a day-to-day basis what we find is critically important is providing them with a clear understanding of what we’re doing for them … [through] a Web portal, … and we also regularly communicate with customers on a day-in and day-out basis. And when we have members of our staff on site, they interact on a daily basis as well.

How do companies go about integrating outside expertise?

Some customers who are starting out … pick a couple of mission-critical areas, [for] us to help secure. Then we might have other customers looking at a more organization-wide approach. It all depends on budgets, sometimes on regions … or corporate initiatives. What we are seeing is a move into [this being] an executive-level decision with executive-level sponsorship.

So you’re seeing increasing executive-level interest in how security is handled?

Managed security services has moved from a technical discussion up to [being at least a] security-director level [discussion]. It’s typically made at the executive level inside organizations.

Do you advocate this higher level of buy-in and awareness?

The better breadth of coverage you can get across an organization, the better off you are, and the reason is security isn’t typically a part of just one part [of the organization]. What we’re seeing with blended threats, they’re threats [across] the organization, you’re VPN-ing across the organization, you’re connecting with partners … So from our perspective, these are decisions that make sense to make at an executive level, but really … that’s up to customers.


Choosing an MSSP

Symantec's Top Eleven tips for choosing a Managed Security Services Provider:

  1. Longevity: Securing critical data long-term demands a long-term relationship.

  2. Real-time analysis and response: “An MSSP must have the ability to accurately correlate, analyze, and interpret large volumes of network security in real time,” and also readily distinguish false positives.

  3. State-of-the-art facilities: Preferably redundant operations centers too.

  4. Global perspective: Think globally, not just locally.

  5. Sound financials: “For publicly traded companies, Gartner estimates that annual run rates of more than $10 million per year in managed security services contracts indicate a sufficient base of revenue to support growth and enhancement of services.”

  6. Management experience in high-risk industries, such as military, government, or some industrial sectors.

  7. Service breadth: Consider current or future needs for real-time monitoring and management of such products as firewalls, intrusion detection systems, and virtual private networks.

  8. Well-documented processes: What are the (preferably) multiple methods the MSSP will use to communicate an attack alert?

  9. Vendor neutrality: Customers should be able to select best-of-breed security solutions to run at the MSSP.

  10. Auditing: Can the MSSP continue to prove it’s doing what it says it does?

  11. Reporting: “Reports provided by MSSPs should be detailed enough to support decisions to enhance security efforts and to determine the cost-effectiveness of the managed services.” In addition, new regulations, including Sarbanes-Oxley, mean companies must meet “stringent compliance reviews” on a regular basis. MSSPs can assist through security log data analysis.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and its Security Strategies columnist, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.