Handing over control
Weighing it up
Nintendo plays the security game
Queensland company saves with security
But when should companies consider coughing up the bucks and moving on to managed security? Frost & Sullivan's Turner says: "A business should consider moving to a managed security service provider when they estimate that the risk of loss outweighs the cost of the service, and the cost of maintaining the in-house skills needed to manage it."
"If your business is in any way reliant on connection to the Internet 24x7, then ideally you either have 24x7 security staff or an MSSP. The MSSP can provide good network security muchmore cheaply than most companies can provide it themselves because they are the specialists and they have economies-of-scale which make it more affordable," he adds.
General acceptance of managed security may be growing, but reputations of unreliable providers still, to some degree, hold the service back.
Industry cowboys still exist -- there are numerous horror stories of people signing up with an unreliable provider only to find out months down the track monitoring has not been maintained at its promised levels, or that small start-ups are facing insolvency rendering all contracts at risk and costing companies dearly.
Andrew Tune, director of MSSP Network Box, says credible providers are still fighting a negative perception, largely as a result of negative customer experiences.
He says he has spoken with some customers who have disabled their connection to their provider, only to find out the provider was not even aware they had done so.
"This one customer called their provider to tell them they had taken out their security box. The provider said no they hadn't, it was still being monitored. They did not even realise they were no longer monitoring their client's security," Tune says.
He says this is not an isolated incident and companies should beware, when choosing a provider, that they are getting the service they are paying for. Negative incidents have somewhat tarnished the image of the service, but with the right provider, companies should not have reason to be concerned, he says.
"Companies are concerned about loss of control -- but that is really an emotive thing now. You also find IT staff concerned that we are coming in to take over their job, but that is not the case," Tune says.
"We are coming in to make them look like heroes -- so they can say 'here, look what we have employed and look at what it has saved the company, and look how quickly we have had all this implemented'." Sydney-based Pure Hacking has penetrated the walls of a number of large financial institutions. They say in their testing they have come across both the good and the bad in managed security. Their take on choosing a provider is to find one that can fit all of your direct requirements, and, even better, that specialises in all these areas.
"It is a very specific job," Pure Hacking director Rob McAdam says. "You have to work with people who are really focused on security only. My motto is 'if you believe you require a square peg then you must put a square peg in place'."