Although a company will want to control their own security program, most cannot afford to run those elements themselves as it would require a 24x7 security operation center (SOC) such as an SEIM or IDS/IPS, said Asher DeMetz, manager, security consultant at Sungard Availability Services. “It is vital that companies – of a size and risk profile to need these services – have 24x7 monitoring as attacks can come any time of day or night. An attack at 9 p.m. that is not detected till 9 a.m. when employees come into the office can be disastrous.”
Additionally, MSS providers companies with the deep skills and experience needed to know what is a “real attack” and what is a false positive, DeMetz said.
Carl Herberger, vice president of security solutions at Radware, agrees stating that the speed at which the threat landscape is changing, and the fact that SMBs have become an increasingly frequent target of attacks with 43 percent of all cyber-attacks now focused on small businesses, all make in-house security challenging. “For example, a retail ecommerce business might not have the ability to invest in a robust, well-trained security staff to thwart attackers. Managed security services help to bridge the gap and let businesses focus on what’s at their core,” he said.
The sophistication of the information technology environment, types of devices or controls in place, location and type of data centers, breadth of geographic scope/global footprint, cost, skilled resources, and coverage needed during the week/year should be taken into account when deciding to go with a third party, said Viewpost’s CSO Chris Pierson.
“It is critical to note that the people who best know the layout and operations of your company’s data flows are those people who created the architecture (either network or security) and understand the business processes and product. This ownership is really best achieved by having at least a central core team within the company,” he said.
Having managed security be a part of specialized devices that focus on Indicators of Compromise or behavioral forensics is a smart fiscal and operations move, Pierson added.
Kennet Westby, president and co-founder of Coalfire, said outsourcing is happening in other facets of technology such as hosting, cloud services and application service providers. “It really is more about understanding the scope of network security you look to third parties for. Your organization’s most valuable assets may no longer reside behind your corporate firewall with a network managed by your employees.”
He added that making a decision to handle corporate network security in-house or to leverage third parties should be based on a number of important criteria:
- Competency/cost – Like most functions in an organization a review of whether a service can be delivered at a higher competency level at a lower cost than can be done internally.
- Organizational compatibility - Ensures that you have a partner that will work alongside your IT, security and management teams, and not just deliver vendor services behind an opaque wall of “security services.”
- Trust – This is a critical element of any third party handling sensitive functions but critical for a MSSP. You need to ensure a program for security controls is operating at even higher standards than your internal controls require. You may need to trust their employees more than your own.
Sign up for CIO Asia eNewsletters.