A group of academia contends that typical service level agreements (SLAs) for managed security services — which state the provider has to compensate the client for security lapses — may deter providers from reporting security breaches, a claim that managed security services providers (MSSPs) have rejected.
Titled "Outsourcing Information Security: Contracting Issues and Security Implications", the research paper (PDF) was presented at the Workshop on the Economics of Information Security (WEIS) 2010 earlier this month. Using mathematical analysis, the authors concluded that under the traditional model, MSSPs face the challenge of performing both prevention and detection efforts equally well, with no incentive to reveal lapses.
The trio proposed two alternative models that they believe would rectify the situation. The first was to penalise the MSSP if the customer is the one that uncovers the breach, but reward the provider if it detects the breach first. Another model is for the client to adopt a 2-MSSP approach, where one is responsible for providing the security services and another dedicated to monitoring and breach detection.
Asunur Cezar, lead author and professor at the Middle East Technical University said in an email interview that there is a lot of growth potential for the managed security services market and as the industry evolves, he expects users of such services to employ the contract models recommended in the paper.
More than dollars and cents
ZDNet Australia's sister site ZDNet Asia contacted MSSPs, which point to some faults in the premise and proposed models in the research paper.
Benjamin Mah, general manager of e-Cop Singapore, highlighted trust as an important factor in contracting managed security services providers. "If you trust someone, it's more than just a dollars-and-cents conversation — it's about the promise made that needs to be honoured," he said in an email.
Lim Kay Heng, director of IT security at BT Frontline noted in an email that reputable MSSPs know better than to avoid reporting a breach simply because there is no incentive to do so, as the survival of their business is "ultimately built on the trusting relationships" established over the years with various customers.
Should the act be discovered, the damage to the MSSP's brand will be "too high", he pointed out.
"Customers engage an MSSP on the basis that the customers do not have the necessary in-house expertise and the depth and breadth of security knowledge to handle constantly changing security threats," said Lim. "Hence, the customers will choose an MSSP that they believe to have the necessary capabilities to manage the security threats for them.
"The least of their concerns [should] be the MSSP hiding a security breach from them."
According to Lim, the proposed model of rewarding the provider if it is the party reporting the breach "is like putting a fixed price on the trust" and brand of the MSSP.
"This model of incentivising MSSPs to report data breaches will have minimal impact on a reputable MSSP," he said. "In Asia, where businesses are built on relationship and trust, this model will be even less effective."
2-MSSP model not cost-effective
The second model to separate the prevention and detection functions, said Lim, can be effective if real-time breach detection is applied. Customers that opt for this approach will need to clearly define roles and responsibilities between the two MSSPs, and be prepared for additional equipment to be added to their environment.
Cost, however, will be a deterrent.
"In Asia, where one of the key reasons for outsourcing managed and monitoring services to MSSPs is cost reduction in the long run, it will be a challenge to convince customers of this 2-MSSP model," Lim pointed out.
e-Cop's Mah added: "Customers are looking for a single trusted security specialist to augment their current team and not having two or more security teams to manage in a game of Warcraft. It's business that needs to be protected and not [which] is the next better security service idol."
Responsibilities, liabilities cannot be fully outsourced
James Loo, chief information officer of logistics and supply chain management company YCH group, shared in an email that the company's subsidiary Y3Technologies, of which he is the chief operation officer, "already reports all security breaches and rectifies whenever needed for the group with or without incentives or penalties".
Businesses in the supply chain management industry, he noted, cannot leave security fully to an outsourced party "but have to bear some responsibilities and have some control". They must also not put in security measures for security's sake but to assure customers their inventory and products are safe in their care.
"There will be no end to policing and ... you can't really benefit from rewarding a 'thief' to try to break into your house everyday to test the security," he said. "Choose whatever model that suits your own security objectives and spend and implement your strategy appropriate for the business."
Cathy Huang, industry analyst at Frost & Sullivan, added that it is "impossible for MSSPs to take on complete liability" in the outsourcing of security services. To get around this, the industry needs to "find a consensus through a shared risk and reward system", she said.
Via ZDNet Asia