The good, the bad and the ugly of managed security services

One of the biggest trends in IT security is the growth of managed security service providers (MSSPs). The switch is understandable: a widely acknowledged shortage of security professionals makes recruitment and retention a major challenge, and an increasingly complex IT landscape requires continual training to stay relevant.

However, even as a company that offers managed security services, it is fair to say that there is no magic bullet that makes every problem go away. The truth is a bit more nuanced. Many solutions providers, often from a non-security background, have jumped wholeheartedly into the resale of managed security services, often with claims that it will solve all of a client's ills. Although managed security offers many benefits, it is not without its limitations and distinct trade-offs.

The good

The two biggest benefits offered by a managed security service are arguably the ability to gain access to expertise only when you need it and, crucially, only paying for what you need. Looking at the broad stretch of security and related compliance issues that face business, it is rare to find a single individual who understands network, application and device security plus the best practice and regulatory compliance issues. Then there are specialist skills like penetration testing, which organisations should run on a regular basis.

Especially for mid-sized organisations, hiring a quartet of experienced security staff can be ruinously expensive, more so when most of the day-to-day security admin tasks, such as responding to alerts and updating rules and policies, are not that taxing. Managed security services let organisations skill up when needed and scale back in normal times. For example, a major OS upgrade or network expansion could do with a security expert on hand for planning, implementing and testing. However, unlike a sole contractor, a managed service agreement provides a longer-term supportive relationship and, crucially, additional experts from different disciplines who can overcome staffing or knowledge deficits while retaining a deeper understanding of the client landscape.

The bad

All the benefits around scale, flexibility and cost should be tempered by the diminishing of internal capability. Although not always the case, a fully outsourced security position can leave organisations somewhat at the mercy of the service provider. It also becomes hard to gauge the MSSP's actual level of competence. For example, is the provider maintaining the skill set of its InfoSec teams so that they are able to spot and deal with threats? Is the advice around which technologies to use clouded by self-interest, for example because certain products carry a higher margin than others? And because the internal IT manager has not been given enough training in information security, it is hard to spot when a service provider is all smoke and mirrors and very little substance. Unlike other professional services such as accountants or solicitors, there is no governing body, so actually validating whether an MSSP is good, bad or just plain ugly requires IT managers with at least a modicum of InfoSec savvy.

The ugly

The ugliest side is the easily made assumption that signing a managed security contract means that your organisation won't get hacked and that the responsibility for IT security is now somebody else's bag. Both ideas are wrong. Managed services may reduce risk, but they don't remove it. In addition, even with a fully outsourced service, a security breach and the subsequently incurred damage or loss is generally not the responsibility of the managed service provider, unless the contract has very specific clauses or negligence can be proven, both very unlikely scenarios.

There are a lot of VARs piling into managed security services. They are not all the same, and there is no benchmark to test how good a service really is at building a secure environment and managing incidents. Many of the newer firms are simply buying and reselling off-the-shelf security solutions with little regard for the ongoing processes and procedures that are vital alongside a technical deployment.

A final word

The secret to getting the right managed security service is often a case of give, take and compromise. Completely stopping any form of internal InfoSec training is generally an unwise position, as it hollows out the fundamental InfoSec management skills that are essential for overseeing a managed service provider. In addition, it is always wise to speak to more than one MSSP when considering an engagement, and to look at heritage and customer references rather than judging purely on a like-for-like product offering basis. And finally, if you do take a service, remember to still run regular penetration tests from a third party to make sure that the service is really delivering against its promise.

Contributed by David Hood, managing director, ANSecurity

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.