Before organizations contract with managed security services providers, they should clarify their needs and expectations.
Organizations are increasingly looking to take advantage of managed security services. The services can offer significant benefits, including low-cost security, technical expertise, and help with compliance. But it isn’t always clear that organizations understand what managed security services providers (MSSPs) offer.
MSSPs tend to provide services related to e-mail security, firewall rules, Web scanning, and intrusion prevention and detection system configurations. What is offered can vary greatly, and companies need to ask questions before committing to a service agreement.
One of the most important considerations is how well the provider meets the customer’s needs and expectations in areas such as interactivity and providing threat context and mitigation support. Sometimes customers want a provider’s involvement, says Kelly Kavanagh, Gartner principal analyst. Other customers prefer a more relaxed relationship, with providers monitoring technology and passing on important alerts but without excessive interaction.
A growing area for the MSSP market is security information and event management (SIEM). Using an MSSP's SIEM tools can be an effective way to detect increasingly sophisticated threats.
Gartner expects the MSSP market to grow at about 14 percent per year for the next several years. Among the market drivers are firms’ growing interest in reducing IT costs and gaining help in meeting increasingly complex regulatory compliance requirements.
Companies purchasing MSSP services must not think that doing so absolves them of internal responsibility, however. As a Forrester Research report on the topic notes, it’s important to ensure that the right governance structures and IT processes are in place before outsourcing part of the security environment. “A messy environment will remain a messy environment—outsourcing won’t magically resolve this.… As you build up the relationship, make sure you always retain authority over setting policy and other strategic functions,” it states.
Companies should also ensure that providers meet all the contractual obligations in the service-level agreement. If failures occur, the client company should make sure it is entitled to compensation, such as a service credit from the MSSP.
Companies can learn more about MSSPs from a new report called Defined Categories of Service 2011, which was recently released by the Cloud Security Alliance. A major aim is to provide greater clarity on security-as-a-service offerings.
“Because [such services] take many forms, they have caused market confusion and complicated the selection process,” the report states. The report describes particularly popular security service categories, including SIEM, data loss prevention, and Web security, as well as security assessments, encryption, and business continuity and disaster recovery.
In most cases, customers are satisfied with their relationships with security service providers, says Kavanagh. But some additional due diligence when seeking a provider could help bring even more business benefits.