Enterprise management is ultimately responsible for protecting customer data and critical IT assets, whether IT...
is handled in-house or outsourced to managed security service providers (MSSP). The enterprise decides whether to outsource or not and it bears responsibility for the effectiveness of the control structure. This includes losses that may be incurred due to a natural disaster, breach from outside, internal fraud, or not meeting service-level agreements (SLAs).
A recent ESG survey reported that 57% of 340 IT and security professionals responded that they are currently using a managed security service in some capacity to protect their endpoints. But the trend goes beyond endpoint protection. Managed security service providers are now performing colocation services, layer 3 device management, vulnerability scans, Web application vulnerability monitoring, security information and event management monitoring and alert reporting, OS hardening and patching, backup and recovery of critical data, and the list continues. However, there are pros and cons to outsourcing information security.
Benefits of outsourcing
Internal information security programs generally struggle to get funding for adequate security. Security teams often lack skills, tools and people sufficient to deploy appropriate security for their enterprise. They can build internally, but inevitably they look to the outside. Some pros for outsourcing include:
- Capital expenditures are kept to a minimum;
- Dedicated expert staff for the protection of critical assets;
- Typically the largest expenditure for IT personnel is greatly reduced;
- Continuous security monitoring;
- Enterprises do not have to spend funds on training, office space, equipment, software tools and other operating costs; and
- Cost of a managed service is significantly less than maintaining the same level of service in-house.
Drawbacks of outsourcing
However, in outsourcing, there are some caveats that need to be considered. They involve the same areas where managed security service providers purport to add value, like skills, tools and people. Some cons for outsourcing include:
- Regulatory non-compliance or liabilities still rests with the enterprise;
- Enterprises will, over time, lose their subject matter experts;
- It will be extremely difficult to bring the MSSP services back in-house;
- Managed security service providers typically do not understand the business culture or industry as well as internal enterprise staff;
- The enterprise is trusting a third party to manage intellectual property and client data;
- The MSSP decides what security software and hardware to run for the enterprise; and
- Having to layoff security personnel and gradually replace or transfer personnel to other departments.
What to know before using managed security service providers
Not all managed security service providers are created equal. It would be convenient and attractive to the enterprise if it could rely on one MSSP to do everything, but unfortunately that does not yet exist. Before an enterprise decides on outsourcing all or any aspect of the information security program, it needs to consider the following:
- Make sure there is an SLA that provides the proper level of security needed for regulatory compliance and system availability;
- Ensure the MSSP has an Attestation of Compliance for PCI DSS;
- Ensure the MSSP lists the individual PCI DSS requirements satisfied by the service provided;
- Obtain an agreement with the MSSP that it will comply with the enterprise information security policy, backup requirements, retention requirements and vulnerability scans required by regulation(s);
- Require the MSSP agreement to contain a termination clause, right to audit clause and limitation of liability clause;
- Obtain references from the MSSP but interview the references without the MSSP present;
- Determine the total cost forecast through the end of the MSSP agreement; and
- Ensure a CSIRT includes and has a commitment from MSSP services.
There clearly is a trend to outsource many IT services typically managed in-house. The financial benefits are significant since the operating costs to run an IT department are typically less than the monthly MSSP fee. That said, the enterprise should determine the total cost of ownership for the extent of the agreement. It will be difficult to retain internal subject matter experts since they will no longer be able to use and grow their skills if outsourced.
The enterprise will still need a foundational information security program. This means having an information security policy, IT risk assessment, a tested incident response plan, information security training, annual acceptable use agreements signed by all employees, SDLC, secure coding standards, change management program, project management program, BCP/DRP, IT asset inventory, handling security alerts even if generated by MSSP, and an IT security compliance program. Outsourcing information security to an MSSP does not limit enterprise liability. It is still the responsibility of the enterprise to assert the effectiveness of the information security control structure, whether it is based internally or outsourced to an MSSP.
If IT is outsourced to a managed service provider, the pros and cons are similar but in a much larger scale. Managed security service providers are a good option to augment skills not currently with existing staff. Needless to say, using managed security service providers is not a trivial matter and should be well planned before making the commitment.
About the author:
Miguel (Mike) O. Villegas is vice president for K3DES LLC, a payment and technology-consulting firm. Villegas has been a CISO for a large online retailer, partner for a "Big Four" consulting firm, VP of IT Risk Management, IT Audit Director for large commercial banks and owner of an information security professionals firm over a span of 30 years.