Other developments that push companies toward outsourcing security include the increase in the number of malicious hackers and the proliferation of products designed for enterprise security, according to Garret Bekker, a senior security analyst at 451 Research. Both trends make security difficult to manage for smaller organizations, he says.
“The inevitable conclusion is companies increasingly have to rely on security handled by an MSSP because they can’t keep up — they just don’t have the bandwidth,” says Bekker, who maintains that time saved is the primary benefit of outsourcing, far higher than cost savings on the list of advantages.
Outsourcing: Not an either-or proposition
Brendan O’Malley, a serial CIO at midsize organizations and now a consultant, says the outsourced or managed services model works because there is often no one other than the CIO dedicated to security, which opens a company up to risk. “Security ends up being sliced up and doled out to 10 percent of several people’s jobs, but because no one beyond the CIO is responsible, it’s very tough to make progress or to stay on top of it the way you have to,” he explains. “You absolutely need to have some kind of outside support.”
For Blackhawk Community Credit Union, getting a helping hand from outside providers, including an MSSP, not only helps offload some security work, it also means the organization has 24/7, 365-days-a-year coverage from a highly trained set of eyes. Richard Borden, Blackhawk’s vice president of IT, says his eight-person staff wouldn’t be able to provide that kind of service, because they have to handle all types of IT issues, security included, for more than 150 users.
Instead of offloading everything to an MSSP, however, the credit union takes a three-pronged approach, doing security strategy and policy planning on its own, enlisting consultants to perform specialized functions, such as periodic firewall reviews, and leaning on its MSSP — in this case, Dell SecureWorks — for meat-and-potatoes functions like managing the firewall and the intrusion-protection system, Borden says.
“They can see global trends across all the clients and feeds they get, which gives me added confidence, so I don’t stay up at night worrying about the network,” he says. “If these folks see something spikey, they will get in touch with me.”
“MSSPs have lots of visibility across clients and can make that relevant for each, but what they don’t understand are the unique things in your organization.” — Jeff Pollard
The alert process is where outsourcing can get tricky for smaller shops, and the potential complications could undermine the value of using an MSSP. While outsourcing log monitoring and firewall management to a third party will provide a window into possible problems, outsourcers may have difficulty distinguishing real security problems from noise because they lack insight into the inner workings of an organization and its typical user behaviors, says Jeff Pollard, an analyst at Forrester Research.