One of the biggest trends in IT security is the growth of managed security service providers (MSSPs). The shift is understandable: there is a widely acknowledged shortage of security professionals, which makes recruitment and retention a major challenge, and an increasingly complex IT landscape that requires continual training to stay relevant.
Especially for mid-sized organisations, hiring a quartet of experienced security staff can be ruinously expensive, more so when most day-to-day security administration tasks, such as responding to alerts and updating rules and policies, are not that taxing. Managed security services let organisations scale up when needed and scale back in normal times. For example, a major OS upgrade or network expansion benefits from having a security expert on hand during planning, implementation and testing. However, unlike a sole contractor, a managed service agreement provides a longer-term supportive relationship and, crucially, access to additional experts from different disciplines who can overcome staffing or knowledge deficits while retaining a deeper understanding of the client's landscape.
All the benefits around scale, flexibility and cost should be tempered by the diminishing of internal capability. Although not always the case, a fully outsourced security function can leave organisations somewhat at the mercy of the service provider. It also becomes hard to gauge the MSSP's actual level of competence. For example, is the provider maintaining the skill set of its InfoSec teams so that they are able to spot and deal with threats? Is its advice on which technologies to use clouded by self-interest, for example because certain products carry a higher margin than others? And if the internal IT manager has not been given enough training in information security, it is hard to spot when a service provider is all smoke and mirrors and very little substance. Unlike other professional services such as accountants or solicitors, there is no governing body, so actually validating whether an MSSP is good, bad or just plain ugly requires IT managers with at least a modicum of InfoSec savvy.
The ugliest side is the easily made assumption that signing a managed security contract means that your organisation won't get hacked and that responsibility for IT security is now somebody else's problem. Both ideas are wrong. Managed services may reduce risk, but they don't remove it. In addition, even with a fully outsourced service, a security breach and the damage or loss subsequently incurred are generally not the responsibility of the managed service provider, unless the contract has very specific clauses or negligence can be proven, both unlikely scenarios.
A final word
Contributed by David Hood, managing director, ANSecurity.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.