Outsourcing security services is a viable option, but it doesn't always make sense for an organization. What are the best and worst times to outsource to a managed security service provider?
Outsourcing security services to a managed security service provider (MSSP) is an alternative to managing information security functions internally. It is typically opted for when security has become economically challenging to maintain with existing resources.
There are pros and cons of outsourcing security to third-party service providers. Let's look at these more closely.
Pros of outsourced security services
- MSSPs have dedicated employees whose job it is to keep current on vulnerabilities and remediation techniques.
- The organization does not have to spend time and money on training information security staff in niche areas such as network vulnerabilities, web application vulnerabilities, firewall configuration management, intrusion prevention system and intrusion detection system configuration management, computer forensics, penetration testing and other security operation center duties.
- MSSPs typically provide 24/7 year-round information security monitoring.
- The organization can focus on information security administration, such as user provisioning, password resets, role-based access control fulfilments, cybersecurity management reporting, security awareness, compliance reporting, and information security policy development and maintenance.
- Critical security patches will most likely always be current, providing this service is built into the MSSP service contract.
Cons of outsourced security services
- Organizations will undoubtedly lose most of their highly skilled, in-house cybersecurity resources.
- There may be a loss of quality, unless quality requirements are built into the MSSP contract with associated service-level agreements.
- The cost of a breach at the MSSP site may be substantial. This can be mitigated if the MSSP contract also requires the service provider to carry sufficient cybersecurity insurance.
- The MSSP typically decides the software and equipment used for providing cybersecurity services to the organization. These may not be in line with the organization's IT standards and approved software and hardware environments.
- If the organization decides to terminate the MSSP service and bring security back in-house, the cost to rebuild the cybersecurity staff and acquire software tools, such as security information and event management, firewall maintenance, and web application and network vulnerability testing, can be substantial, and the process can be time-consuming.
- MSSPs, to keep operating costs down, may hire foreign workers, which may be perceived as un-American or problematic by customers, partners or stakeholders.
- MSSPs do not know the organization's business culture or mission-critical IT environments.
- Organizations may be concerned about confidential or sensitive corporate data becoming exposed to third parties at an MSSP.
For decades, organizations have painted themselves into a corner by not addressing cybersecurity. However, according to Gartner, $81.6 billion was spent on security technology in 2016. Despite this increase in cybersecurity budgets, there is a continued rise in breaches and other disruptive security-related incidents. To mitigate this challenge, organizations are predisposed to outsourcing and to increasing cybersecurity insurance.
Ensure that, before you engage with an outsourced security service, the MSSP contract clarifies pragmatic service-level agreements on scope, continuous monitoring, timely response, coverage and predefined reporting. Ask for references and proof of independent cybersecurity assessments and cybersecurity framework compliance -- such as SSAE-16, Payment Card Industry Data Security Standard, NIST SP 800-53 and NIST SP 800-171r1 -- for the MSSP's IT environment.
Cybersecurity insurance is generally a compensation strategy involving partner and stakeholder interests. It is actually damage insurance in case of a breach, fraud or major disruption to an organization's ability to operate.
Outsourced security services that use MSSPs, or increased cybersecurity insurance, do provide augmentation services and risk mitigation, but they do not necessarily reduce risk or limit an organization's liability.