Smaller businesses will often turn to MSSPs to look after their data, but how do they choose the right one? By Jessica Twentyman.

How many IT security professionals does it take to ensure that a company's core IT systems and network stay safe from hackers and malware? The answer is five, according to Bruce Schneier, chief security technology officer at BT – but only if those five people all work on a full-time basis, arranging their shifts so that those systems and networks are monitored 24 hours a day, 365 days a year.

Add to the costs of recruiting and training those staff, the need to equip them with the latest security technologies to adequately monitor and mitigate threats, and it's no wonder that business leaders at small and medium-sized enterprises (SMEs) are often overwhelmed by the resources they are expected to devote to IT security.

Few, however, can be in any doubt that the expectation is there: among the customers whose data resides in the company's systems; among the larger companies it partners; and among a host of regulators and law-makers who expect to see certain standards in information security upheld.

For some SMEs, that pressure creates panic-stricken inertia. For others, it's a clear indication that they need to seek the expert advice and help of a specialist third party that can take those problems out of their hands. “SMEs will often outsource IT in general, so it is no surprise that they should outsource IT security in particular. However, there are a number of characteristics specific to IT security – notably that it requires certain expertise that is far less likely to be available in-house than general IT skills. Also, security requires a timeliness of response that can be difficult to provide in-house,” explains Jon Collins, who is the managing director of IT market research company Freeform Dynamics.

In recent years, that impetus has led to a thriving managed security service provider (MSSP) market. Research conducted by Gartner estimates the worldwide market for managed security services reached sales of over $165 million in 2007, set to grow to $596 million in 2014.

More importantly, it's a relatively buoyant market, at a time when IT spending is generally down, and unsurprisingly, it is one that has attracted a flood of new entrants in recent years.

That has led to a wide range of options, often of varying quality. Most security software companies have either built or acquired a managed services arm in recent years, while a host of security-as-a-service suppliers have built their entire businesses on the back of the managed security proposition. ISPs often have a long track record in providing corporate customers with managed perimeter services. And some security technology vendors specifically target their products at value added resellers and consultants that want to get a foothold in the lucrative MSSP business. The website of security technology company Secure Resolutions, for example, claims its technology is “the perfect platform on which MSSPs can build and sustain a profitable security services business without investing in an expensive back-end infrastructure or technical staff”.

All this means that, for many SMEs, the process of choosing an MSSP can be a fraught process. In each of these categories, some providers are qualified, competent and equipped to host and run security systems on their behalf, others are not.

“We recently looked at an MSSP that was very confidently explaining how ISPs can't do security,” says Aydin Kurt-Elli, CEO of hosting company Lumison. “When I drilled down into what that company did, I found it was no more sophisticated than us – firewalls, virtual private networks and so on. But worse than that, there was no proactive monitoring, management, firmware, updates and so on and certainly no centralised network operations centre or systems management across its client base, and no 24/7 capability,” he says.

Lumison offers all these, he adds, and has the necessary skills in-house to tackle sophisticated distributed denial-of-service (DDoS) attacks on behalf of customers, a promise that was recently put into practice when a major media client fell victim to such an attack.

So how should prospective SME customers for managed security services navigate the complex supplier selection process? First, they'll need a thorough audit of their existing IT assets and an assessment of the internal and external risks to which they are exposed. “This should also take into account the regulatory environment that the SME works in and its general appetite for risk, which is pretty individual from company to company,” says Jason Humphreys, director of managed security services and development at Integralis. Many MSSPs provide such an audit as part of the planning stage of the engagement, he adds.

Then it's a case of defining and installing the security capabilities required to support that environment – that's a job for the MSSP itself, of course, but the customer will need to select the services it requires from a menu of choices. That menu will commonly include firewall management, anti-virus management, intrusion detection and prevention, content filtering, virtual private networks and workstation, server and network device configuration and management.

Most customers choose to start small when it comes to engaging an MSSP, says Richard Lewis, chief operations officer at security solutions provider Dns. “In our experience, the relationship is initially based on one requirement that typically focuses on the perimeter, and then grows from there, often as the customer becomes more informed about security issues in general and threats to their business in particular,” he says.

Managed firewall services appear to be popular worldwide: Gartner estimates that, in 2008, 60 per cent of Fortune 500 enterprises had engaged in some level of use of an MSSP, representing about 25 per cent of enterprise firewalls under remote monitoring or management.

That's not surprising, because managing firewalls can be a time-consuming and tedious process. And given that daily administration requires a fair amount of training and domain knowledge, it's a task that many SMEs will want to hand to third-party professionals. In addition, Requirement 1.1 of the Payment Card Industry Data Security Standard (PCI DSS) stresses the need for compliant organisations to “install and maintain a firewall configuration to protect cardholder data”.

But Gartner's Kelly Kavanagh has a word of warning for small and medium sized businesses (SMBs): “MSS providers generally offer monitoring and management for SMB multifunction firewalls that encompass firewall, intrusion protection, email anti-virus and URL filtering capabilities in one device. These services typically target SMB enterprises and offer minimal security analyst interaction and limited configuration changes and reporting.”

SMEs exploring outsourcing monitoring and management of multifunction devices, he says, should assess the ability of MSSPs to deploy devices with standard configurations that address the vertical industry or compliance requirements to which they are subject, as well as update those configurations as part of the standard service offering, based on changes in those requirements.

Even where just one basic function is handed to an MSSP, the onus is on the customer to satisfy itself that the MSSP is living up to its promises in terms of service levels. How quickly does the MSSP respond to security incidents? Are staff prompt at applying security patches and performing software upgrades when required? What administrative access rights are given to MSSP staff and to the customer's own employees – and do the personnel controls (such as criminal records and credit checks) applied by each organisation match up?

Penetration testing is a useful indicator of how the MSSP is performing on the customer's behalf – but it is a task that should be handed to an independent third party, says Ben Rexworthy, managing director of MSSP Securinet. “Customers often ask us to do this, but we do so only as a precursor to providing our managed security services – it would be unethical and a conflict of interests to vet ourselves once we have provided a solution.” At that stage in the relationship, he adds, Securinet will point customers in the direction of reputable specialists to perform the tests.

Only once an SME is satisfied that service levels are being met should its bosses start to think about handing over further security services to that MSSP. And cost-conscious SMEs should be looking for a provider that can offer granular, menu-driven pricing that they can change on a month-by-month basis to suit their evolving needs, says Rexworthy.

“For a company of 25 people, I might recommend they use firewall, content filtering, anti-virus and anti-spam services – but the costs associated with each service will be clearly broken down on a per user, per month basis. For example, for anti-virus services, we charge £2 per user, per month. Add three new staff members, and your bill goes up by £6 per month. There's no question of a customer having to buy our services in batches of, say, 25 users, which some providers insist upon,” he says.

In the end, the whole debate comes back to cost – not just the costs associated with security services, but the potential costs of not using an MSSP, in terms of the likely drain on an SME's precious time and resources.

Computer security, according to Schneier at BT, is “complex, important and distasteful”. Its distastefulness, he says, comes from “the difficulty, the drudgery and the 3am alarms”. Its complexity comes out of the intricacies of modern networks, the rate at which threats change and attacks improve, and the ever evolving presence of network services. And its importance comes from this fact of business today, he concludes: companies have no choice but to open their networks to the internet, whatever their size.

An independent third party may be the only way for SMEs to get adequate security for their systems and networks – but they should choose that third party with care.

Case study: ESco Business Services

For most of the first 20 years of its existence, ESco Business Services was based in a barn conversion at the managing director's home in Finchingfield, Essex – a common scenario for many small and medium sized enterprises (SMEs).

In 2006, when the company, which provides mailing, database and payment processing services to clients in the publishing industry, relocated to purpose-built offices two miles away, the realisation struck that the move from a residential environment to a corporate one would demand a more concerted approach to IT security.

“It was time to get serious,” recalls ESco technical director Lee Turbard. “We needed to think about data security and how we were going to tackle it, to our satisfaction and that of our customers. At that point, our perception of IT security was based on self-preservation: what could we be attacked by? Were we vulnerable to viruses?” In response, the company spoke to three MSSPs before settling on Securinet to provide ESco with managed firewall and anti-virus services.

Since then, the relationship has matured – as has ESco's awareness of security issues. “Once we got started working with Securinet, it really opened our eyes to the world of IT security. I saw it's more than just technology, it's an approach. That got us thinking about other security issues.”

For example, Turbard and his team started thinking not only in terms of how data might be compromised, but also how it could be lost or stolen. The company turned again to Securinet, which installed a secure VPN to the managing director's home. Around the same time, ESco also started using web content filtering and monitoring services in order to have better control over how employees were using the internet.

Today, Securinet also provides ESco's 50-strong workforce with managed email services, including spam filtering, and handles regular back-ups of its data to a secure offsite location.

That enables Turbard and his team of four IT staff to focus on other issues. “My team would be perfectly capable of handling IT security issues if we could provide them with the necessary training – but realistically, that's just not going to happen. The team is too busy working on day-to-day IT management jobs that directly create revenue for the business,” he says.

Using an MSSP also enables ESco to adapt to changing customer demands. Turbard and his team are working with Securinet to install a terminal services server, so customers can gain authorised access to ESco's back office systems. “After three years of focusing on battening down the hatches so data is secure, we're now opening up the hatches again – but only in a way that's entirely safe for us and our customers,” he says.

Selecting an MSSP: Questions to ask

According to Infonetics Research's ‘World User Plans for Security Products and Services’ study, there are five top provider selection criteria for organisations choosing managed security services. These are listed below, along with questions that SMEs might wish to direct at any managed security services provider (MSSP) hoping to win their business:

1. Security expertise and reputation
What customers do you currently manage in my industry? Can I speak to them? How long have your oldest customers been with you? What do independent industry analysts say about your services? What's your approach to security intelligence – how do you monitor and analyse emerging vulnerabilities and threats?

2. Compatibility with existing equipment
Are you able to manage the technologies we have in place or may be planning to implement? What platforms are your staff certified to manage? Do the security technologies and approaches that your staff favour fit with our IT environment?

3. Service and support
What are your policies and average adherence rates for service level agreements (SLAs)? What are the hours of your security operations centre and are you sufficiently staffed to manage my network? What can you (and your customers) tell us about your recent responses to security incidents – were well defined policies, procedures and time periods adhered to? Will you provide us with reports on the status of our systems and network and how regularly will we see them? What are your own disaster recovery plans in the event of an emergency at your security operations centre(s)?

4. Financial stability
What evidence can you provide that your firm has the financial resources to continue investing in improving your service offerings and capabilities? What resources are you able to devote to attracting to your workforce the most experienced, qualified IT security professionals, capable of developing sophisticated protection strategies?

5. Range of security services
What other security services do you offer? Will you be able to meet our needs as they evolve? What can you tell us about your track record for innovation and developing fresh services?