This article can also be found in the Premium Editorial Download "Information Security magazine: 12 security lessons for CISOs they don't teach you in security school."
Regulatory and cost-cutting pressures are forcing enterprises to reexamine the value of managed security services.
"We needed help," Tom Giangreco says about his decision to contract a managed security service provider (MSSP).
[Sidebar: The Growing MSSP Market]
"We have a lot of security drivers," continues Giangreco, the information security officer at Orange County Teachers Federal Credit Union in California. "There are federal regulations, and we have state of California regulations. Beyond that, we have developed our own policies with our own internal auditing group that is pretty intent on keeping us secure."
For most enterprises, outsourcing security was once a last resort, mostly because it required handing an outside party the keys to the digital kingdom. The instability of the managed services space a few years ago didn't help instill trust and confidence among enterprise consumers.
But things have changed (see "The Growing MSSP Market"). Security managers, like Giangreco, are now faced with increasing risk and compliance pressures.
Mounting regulations, such as Sarbanes-Oxley, GLBA and the California Security Breach Information Act (SB 1386), are forcing enterprises to invest in security to ensure data integrity. At the same time, enterprises are constantly looking for ways to contain costs.
"Part of what makes it a business decision is that businesses now are facing all of these regulations," says Yankee Group analyst Jonathan Ayal Singer. "There are all these things that businesses have to comply with legally, so this is no longer a matter just for the IT people. Everyone in the organization now has to understand IT's role in keeping data secure."
MSSPs, in their various incarnations, provide enterprises with a means of improving security with expert teams and systems, reducing costs, and demonstrating due diligence to auditors and regulators.
Are managed security services a silver bullet? Certainly not, but they do offer an attractive value proposition. However, contracting an MSSP isn't that simple. Enterprises need to evaluate their needs and understand that employing an MSSP isn't outsourcing, but rather a partnership in security with a trusted outsider.
This was first published in February 2005