Managed security services. Don’t tell me. I can get this one… These are services which manage your security, aren’t they?
Bingo! Though to be honest it’s not exactly rocket science working that much out – this really is one of those IT issues which ‘does exactly what it says on the tin’.
So why do we need one of these ‘Cheat Sheets’ on it?
Because despite the apparent ease with which people pick up the basic principle there is a lot which people aren’t grasping and a number of misnomers out there clouding the issue.
Such as this common reaction: ‘Why on earth would I want to trust somebody else with my security?’
So, why on earth would I want to trust somebody else with my security?
It is actually a far better question than your churlishness might suggest. There is a lot of concern in the industry about the possible repercussions of handing control of security to a third party, but this isn’t like leaving your kids with a shady man at the school gates while you pop to the shops, this is handing control to experts who have built their reputations and businesses around getting security right. However, the switch should not be wholesale. Simon Perry, VP security strategy at CA, said even companies who are outsourcing antivirus and spam prevention, will wisely retain some security in-house – such as desktop antivirus and other precautions. He also said companies should never outsource authentication and authorisation or strategy.
There are also knee-jerk concerns about data privacy – the ‘will they read my email’ reaction – but these are largely non-issues and companies are starting to see beyond such worries and buy into the idea that a dedicated third party can manage your security far better than you can. Whether they should is another matter and one which companies must address themselves on a case-by-case basis – it certainly isn’t right for everybody.
But these outsourcers can’t be perfect. Nobody is perfect, right?
Very true, but a number of the larger vendors are a lot more perfect than the overworked techies juggling thousands of balls in the average IT department. Not through choice, but such staff have lost control of the daily fire-fighting and long term planning involved in security in these days of the blended threat and the attacks raining in from all sides. Mark Sunner, CTO at MessageLabs, describes managed services as the opportunity for IT department to “free up staff to get on with doing what they should be doing and create the capacity to work on projects other than managing the security which has become a full-time job now in most companies”.
But will that actually happen, or will this just mean staff are being put out of work?
It’s a good point. With any kind of outsourcing there is a concern that it will result in fewer bums on seats, but that shouldn’t be the case, CA’s Perry said: “In reality headcount reduction is unlikely to happen, especially if companies can productively get people working on other things.” Perry also said companies still have to retain key skills in-house “to keep the outsourcers honest”.
So it’s labour saving. But is it money saving?
Obviously it’s less easy to quantify the cost savings associated with freeing up employee time, but there should be a genuine saving with such models. Vendors are aware that is always the most compelling ‘foot in the door’ when making a sale.
“I believe there should always be a cost saving; the ROI is pretty easy to demonstrate,” said MessageLabs’ Sunner. “Especially because this is a very competitive marketplace right now and customers who shop around should be able to get a great deal.”
So, it saves you money, it makes your business more secure and it frees up staff from the interminable security headache. Companies must be going wild for managed security services then?
You would think so and to a degree you are right – it is really starting to take off. According to Quocirca research, 65 per cent of companies still want to try to make a success of in-house security management, but that 35 per cent, and growing, represents an interesting level of approval for managed security services. Sunner believes we are nearing a “tipping point” whereby companies will sign up in increasing numbers – attributing this to a “me too effect” with businesses seeing others taking the plunge and deciding to do likewise.
Which companies are going for it then?
The vendors like to talk about the big banks and the government departments because those represent the most compelling evidence that the model can work. Winning over such organisations, especially where security is concerned, is no mean feat. However, the greatest appeal of this model will be among the SME market where managing IT security is the greatest drain on resources in relative terms.
Major firms are arguably better positioned and more effectively resourced to manage security issues alongside the other IT irons in the fire. Small companies may only have a one-person IT department and they may also have to manage everything from desktop support to maintaining the phones. Having them working full-time managing security is not an option.
Is there anything to beware of?
Companies need to establish service level agreements (SLAs) and ensure they can hold their outsourcer to those agreements. They also need to ensure they can scale their solution and add, evolve or change their service dynamically.
CA’s Perry warned against contracts which might make a company’s security too “static”. But as already mentioned the most important thing is for companies to establish whether it is for them.