Manage Learn to apply best practices and optimize your operations.

What is the average cost of an MSSP?

Looking to find the startup and maintenance costs of an MSSP? In this Ask the Expert Q&A, application security expert, Michael Cobb outlines the key issues for businesses to consider when examining managed security arrangements.

What are industry averages for startup cost and monthly maintenance of managed security services (managed firewall,...

managed IPS and managed URL filtering)?

Unfortunately, the variety and scale of managed service offerings are so broad that it's impossible to give one figure as an industry average. A bank, for example, that is considering outsourcing security would be looking at a completely different level and scale of service to, say, a small e-commerce enterprise. And, some organizations may want to manage some of their security systems and will not need certain services provided by the outsourced security organization.

Regardless of specific level of service required, there are some key issues to consider when examining managed security arrangements. The most important aspect of choosing a managed security service provider (MSSP) is to understand the services they offer and how they well the meet your organization's security policy requirements. You must first develop your organization's risk assessment and security policy, before you can select a suitable MSSP.

The service-level agreement with an MSSP should specify coverage and protection levels, response times, and reports, but also outline the repercussions for poor performance or losses related to security failures. Since you're entrusting some of your most precious data to a third party, it's important to sign non-disclosure and confidentiality agreements to ensure data protection and safekeeping. It's also important to understand how your own confidential or sensitive information will be handled, given that the provider will probably be sharing resources and services with its other customers. You must, of course, review any references or third-party reports and evaluations of your MSSP, and check the provider's financial status.

MSSPs have different styles, and the styles often vary depending on how an MSSP has arrived in the business. Some are traditional ISPs or telecommunications companies offering security services as an additional service to their core businesses. Even some of the big consulting firms offer managed security services. With that in mind, below is a list of services you can expect from a decent MSSP:

  • Content filtering, antivirus and spyware/adware protection;
  • Network boundary protection, including firewalls, intrusion detection/prevention;
  • VPNs for secure remote access;
  • Penetration testing and vulnerability assessment;
  • Assessments of security risks or threats;
  • Security monitoring and reporting services;
  • Data backup and restoration as needed;
  • Installation, patch management and maintenance services;
  • Incident management, including emergency response and post-incident analysis and reports.

It is important to weigh the cost of a security breach against the cost of any service you're considering, and in most cases, small to medium-sized organizations will see the most benefit from outsourcing. Resilient network security requires round-the-clock staffing, so outsourcing saves an organization from having to develop the necessary capabilities in-house. For more information on outsourcing, download this Outsourcing Managed Security Services guide from the CERT Coordination Center.

More information:

  • Get expert Shon Harris's take on security outsourcing.
  • Discover why offshore security nuances demand extra care.
  • Learn the steps involved in risk assessment.
This was last published in October 2006

Dig Deeper on Risk assessments, metrics and frameworks