|
Stability and Size Matters
After the Y2K crisis, MSSPs were heralded as the solution for enterprise security. Businesses could simply offload their security burden to trusted third parties, which would provide 24/7 network and data protection.
The nascent market got a couple of black eyes quickly because large enterprises--particularly Fortune 500s--were reluctant to turn over their security to service providers. Then, the spectacular implosion of pioneer MSSPs Pilot Networks and The Salinas Group further shook enterprises' confidence in managed services.
However, a series of acquisitions, consolidations and bankruptcies has weeded out the bad seeds and strengthened the offerings in the security services arena. Symantec bought pioneer Riptech in 2002 and Brightmail last year, and VeriSign acquired Guardent. Most recently, Ubizen, TruSecure and Betrusted have come together to form Cybertrust. These moves have created an air of stability in the services industry, which remains critical to security managers.
Adding to the new stability and confidence in the services space is the longevity of such MSSPs as Internet Security Systems and the security services offered by telecom and IT stalwarts such as MCI, AT&T, Sprint, Computer Sciences Corp. and IBM.
"We wanted a vendor that could best help," says VeriSign customer Charles R. Hudson, assistant VP and information security manager for Wilmington Trust in Delaware. "I would be very leery to go with a smaller or brand-new company that has no history."
A number of smaller MSSPs continue to gain market traction, including Solutionary, LURHQ and RedSiren. They're benefiting from the notion that MSSPs can augment security and regulatory compliance. Still, enterprises remain cautious about contracting smaller service providers. Guardent sold to VeriSign because it was convinced that it didn't have the global infrastructure to compete for larger contracts.
Ken Pfeil knew he needed extra sec...
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
urity for his financial services firm's expanding use of the Internet for business transactions.
"All of our data and services are provided over the Internet," says Pfeil, CSO at Capital IQ in New York. "We have interoperable partners and intranets, and then we have the day-to-day use of the Internet to analyze or ship data. Every time that data touches the Internet, it takes on an added dimension of vulnerability."
But before signing a single-year device management and monitoring contract with RedSiren, Pfeil did extensive research to ensure he would get the level of service he required, and that RedSiren was financially stable enough that it wouldn't suddenly go out of business.
"We felt that if anything was going to happen, it would happen during that first year," Pfeil says.
Not Outsourcing, But Partnering
MSSPs aren't a contract-and-forget option, and security services aren't about outsourcing. They are meant to build partnerships with security experts that augment an enterprise's security capabilities and work with internal teams on security challenges and incidents.
Jack Mundie has built a close working relationship with LURHQ to secure the networks of Gannett, the media giant that publishes USA Today and owns numerous other newspapers and television stations. LURHQ provides monitoring and reporting, but Mundie's team retains all operational change control and incident response.
"They understand what we are trying to do, and they will always try to fulfill that need," says Mundie, Gannett's director of operations and infrastructure services.
Few enterprises will turn over their entire security operations to an MSSP. Rather, they'll tailor services for specific needs and establish policies on how service providers should act during an incident. For instance, an enterprise may want to close a firewall port that's being exploited by a worm. Its service provider may maintain the firewall, but its SLA will require that the MSSP obtain authorization for the configuration change.
"Most customers, especially at the enterprise level, want a sense of internal control," says Jonah Paransky, senior manager of security product development at Symantec. "They want 'out-tasking,' where you have control of the process, as opposed to full outsourcing, which has someone take away the entire process."
In some cases, however, services providers can win increased trust.
"When we first started out with AT&T four years ago, they would call us no matter what the issue was," says Rebecca Autry, CIO for the U.S. Olympics Committee. "As time went on, we became more comfortable letting loose of some controls. Today, AT&T knows that during the off-hours, it can just do what it needs to do."
Trusting an MSSP isn't an act of faith, but the product of an enterprise's due diligence. With executives feeling the heat of regulatory compliance and the level of threats constantly increasing, service providers will earn that trust only after enterprises establish strict requirements and restrictions for handing over the keys to their digital kingdom.
|
