
Five Frequently Asked Questions About Managed Security Services

Written by Phebe Waterfield, Contributor

The managed security service business is booming; it produced $900 million revenue in 2001 and $1.5 billion in 2002. The Yankee Group forecasts the market will grow to $2.6 billion by 2005. This research note underscores the ingredients in a successful engagement.

Question
Should I select the same service provider to manage both IT services and security services?

Answer
The Yankee Group recommends a separate vendor for security services to avoid conflicts of interest between security and customer service. Administrators trying to serve the customer can view security processes as a hindrance to their ability to deliver the service within the agreed timeframe. To ensure that your security policies are being enforced, you should separate the security duties and employ dedicated staff. Leading service providers such as EDS, AT&T, and IBM offer both security and other infrastructure services. Dedicated security leaders include Internet Security Systems (ISS), Symantec, Redsiren, NetSec, TruSecure, AMS, Equant, Guardent, Verisign, and Solutionary.

Question
What process should I follow when implementing a managed security service?

Answer
Your corporate security policies are the best place to start. The roles and responsibilities defined in this policy can be divided between outsourced and in-house security staff. Identify those assets in the scope of the service and negotiate a service level agreement to manage these assets. This groundwork forms the foundation of your managed services contract and ensures that both parties have clear expectations. Lastly, it is critical to ensure adequate staffing before, during, and after the transition to a managed service. The difficulty in demonstrating return on investment (ROI) for security and a shortage of skilled staff have led to chronic understaffing within internal security teams. Do not assume that your managed service provider has staff to fulfill the contract. Ask for staffing approval and play an active role to ensure staffing is adequate.

Question
How do managed security services affect corporate security risks?

Answer
If you’ve moved to the managed services model, you have reduced the risks in the scope of your managed service agreement. However, you—not the provider—are responsible for the consequences of a security breach, outage, information theft, or fraud. Trust your provider to enforce your corporate policies, but periodically verify that they do this effectively. Regular reassessment of overall corporate security risks and controls is vital, and it will help you understand how to get the most from the services you have chosen. Managed security services also increase some risks. For example, a service provider will ask for privileged remote access. If the risk analysis demonstrates that you still have significant risks, we recommend additional controls to verify the effectiveness of the managed service. Consider an independent service provider or emerging e-insurance policies.

Question
What are the pitfalls of managed security services?

Answer
Pay close attention to charges for services not covered in your contract and consider itemizing these in your IT budget. Regular and frequent out-of-contract service charges are an indication that you need to renegotiate your contract. Be prepared for slower hardware and software purchasing processes. Make sure your provider sets the right priority on your projects. Allow enough lead time to obtain resources from disparate organizations. Communications between you and your service provider are treated as client contact and are carefully controlled to avoid overcommitting. Delays create a temptation for some managers to purchase their own hardware or software. The result is hidden IT costs and information assets that are not physically secured or patched to the same level as other servers on the network. Identifying and reining in rogue business units and information assets is important to any security program. However, in a managed service model, this issue warrants more attention.

Question
What problems are best addressed by managed security services?

Answer
Organizations unable to retain skilled security staff can focus on their core business by outsourcing core security services such as perimeter security assurance (including firewall, IDS, penetration testing, and secure Web or e-commerce services), virus scanning, and content inspection. These are mature service offerings, so the staff and equipment ROI is easy to demonstrate. Services that are promising but less mature include secure remote access (IP VPNs), remote end-point or host security, secure messaging, managed authentication, and vulnerability management. For these, ROI is more difficult to demonstrate, partly due to the possibility of hidden charges for services not in the contract. E-risk management, security event management, identity management, and incident response services address unique business needs, so these areas are more difficult to outsource. The Yankee Group sees the costly and pervasive issue of identity management as a good opportunity for managed services.

The Yankee Group originally published this article on 24 September 2003.
