What are industry averages for startup cost and monthly maintenance of managed security services (managed firewall,...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
managed IPS and managed URL filtering)?
Unfortunately, the variety and scale of managed service offerings are so broad that it's impossible to give one figure as an industry average. A bank, for example, that is considering outsourcing security would be looking at a completely different level and scale of service to, say, a small e-commerce enterprise. And, some organizations may want to manage some of their security systems and will not need certain services provided by the outsourced security organization.
Regardless of specific level of service required, there are some key issues to consider when examining managed security arrangements. The most important aspect of choosing a managed security service provider (MSSP) is to understand the services they offer and how they well the meet your organization's security policy requirements. You must first develop your organization's risk assessment and security policy, before you can select a suitable MSSP.
The service-level agreement with an MSSP should specify coverage and protection levels, response times, and reports, but also outline the repercussions for poor performance or losses related to security failures. Since you're entrusting some of your most precious data to a third party, it's important to sign non-disclosure and confidentiality agreements to ensure data protection and safekeeping. It's also important to understand how your own confidential or sensitive information will be handled, given that the provider will probably be sharing resources and services with its other customers. You must, of course, review any references or third-party reports and evaluations of your MSSP, and check the provider's financial status.
MSSPs have different styles, and the styles often vary depending on how an MSSP has arrived in the business. Some are traditional ISPs or telecommunications companies offering security services as an additional service to their core businesses. Even some of the big consulting firms offer managed security services. With that in mind, below is a list of services you can expect from a decent MSSP:
- Content filtering, antivirus and spyware/adware protection;
- Network boundary protection, including firewalls, intrusion detection/prevention;
- VPNs for secure remote access;
- Penetration testing and vulnerability assessment;
- Assessments of security risks or threats;
- Security monitoring and reporting services;
- Data backup and restoration as needed;
- Installation, patch management and maintenance services;
- Incident management, including emergency response and post-incident analysis and reports.
It is important to weigh the cost of a security breach against the cost of any service you're considering, and in most cases, small to medium-sized organizations will see the most benefit from outsourcing. Resilient network security requires round-the-clock staffing, so outsourcing saves an organization from having to develop the necessary capabilities in-house. For more information on outsourcing, download this Outsourcing Managed Security Services guide from the CERT Coordination Center.
Dig Deeper on Enterprise Risk Management: Metrics and Assessments
Related Q&A from Michael Cobb
A malicious app called Black Jack Free was able to bypass Google Play's app store security. Expert Michael Cobb explains the threat and how ...continue reading
SandJacking, a new iOS attack technique, uses an XCode certificate flaw to load malicious apps onto devices. Expert Michael Cobb explains how the ...continue reading
Oracle has moved from using a modified version of CVSS v2.0 to CVSS v3.0. Expert Michael Cobb explains criticism of the old version, and the changes ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.