Companies purchasing MSSP services must not think that doing so absolves them of internal responsibility, however. As a Forrester Research report on the topic notes, it’s important to ensure that the right governance structures and IT processes are in place before outsourcing part of the security environment. “A messy environment will remain a messy environment—outsourcing won’t magically resolve this.… As you build up the relationship, make sure you always retain authority over setting policy and other strategic functions,” it states.
Companies should also ensure that providers meet all the contractual obligations in the service-level agreement. If failures occur, the client company should make sure it is entitled to compensation, such as a service credit from the MSSP.
Companies can learn more about MSSPs from a new report called Defined Categories of Service 2011, which was recently released by the Cloud Security Alliance. A major aim of the report is to provide greater clarity on security-as-a-service offerings.
“Because [such services] take many forms, they have caused market confusion and complicated the selection process,” the report states. The report describes particularly popular security service categories, including SIEM, data loss prevention, and Web security, as well as security assessments, encryption, and business continuity and disaster recovery.
In most cases, customers are satisfied with their relationships with security service providers, says Kavanagh. But some additional due diligence when seeking a provider could help bring even more business benefits.