Trade secrets, confidential customer information, crucial data. These are but some of the things that every company needs to secure from intruders. The damage to the organization may include suspension of operations, loss of intellectual property, loss of investor and customer confidence, harm to its reputation, and leaks of sensitive information to third parties, including the media.
The 2013 cyberattack on Target, wherein card numbers of 40 million customers and the personal data of 70 million more were stolen, the February 2015 attack on Anthem wherein 80 million patient database records were stolen, even internet security firms like Bitdefender are not immune, a fact which it learned to its dismay in July 2015 when computer usernames and passwords were accessed using a cloud-based system. The breach by Impact Team of the adultery website Ashley Madison in 2015 that revealed the names of millions of erring spouses and the 2014 attack on Dropbox have shown how vulnerable even the most secure sites can be and the damage that insufficient security can cause.
Incidents of cyberterrorism by Chinese crackers, cyberattacks by Anonymous, and individual hackers defacing websites or denial of service attacks have increased with the increase in the computing power of personal computers and laptops.
There is no question that internet security is a necessary investment. The question though is whether it should be done inhouse or by a service provider.
Having an inhouse IT team manage security has a distinct advantage: the confidentiality of systems and processes and sensitive information is not compromised by handing the keys over to an outsider. However, when one considers the cost involved in hiring, training, and maintaining a team of IT experts to secure and monitor a system can sometimes be prohibitive. The cost may be justified where the organization deals mainly in sensitive information and attacks are frequent and sophisticated. However, where the volume of attacks is few and far between, a full time inhouse security team working 24/7 is not justifiable.
Which brings to mind outsourcing IT security.
Managed Security Service Providers.
Managed Security Service Providers (MSSPs) are companies providing network security services. The roots of MSSPs are in the Internet Service Provider (ISP) system of the mid to late 1990s, wherein ISPs would provide customers a firewall appliance, usually as onsite equipment, to manage their security. This evolved into a separate business enterprise.
Over the years, businesses have turned to MSSPs to deal with threats related to information security such as targeted malware, customer data theft, skills shortages, and resource constraints. A survey commissioned by information security provider Trustwave found that most IT professionals felt more pressure in 2013 to “secure their organisations” than they did in 2012, with 58% expecting even greater pressure to be exerted on them this year. According to Trustwave’s ‘2014 Security Pressures’ report, 79% of the IT professionals surveyed said they were “pressured to unveil IT projects”, despite fears that security issues were unresolved. More than one in 10 (16%) said that this pressure was exerted “frequently”, whilst 63% said the pressure was exerted on one or two IT projects last year.
The services may include round-the-clock monitoring and management of intrusion detection systems and firewalls, overseeing patch management and upgrades, performing security assessments and security audits, and responding to emergencies.
These services may be done onsite, online, or a combination of the two.
Advantages and disadvantages.
Similar to hiring a security agency to secure the physical premises of an organization, securing the services of a Managed Security Service Provider (MSSP) has several advantages:
- Cost effective – much like the cost of training, expenses for equipment, and benefits for security guards, the cost of training and maintaining a dedicated technical staff is spread over several organizations and not shouldered exclusively by a single company, thus providing an economy of scale not available to the organization needing security. MSSPs usually have full time Security Incident and Event Managers (SIEMs) who can detect, analyze, and provide solutions to threats, something a single company can not afford.
- Specialized security – some organizations are overseen by a regulatory body that require specialized security measures be set in place. Developing such security measures inhouse would not be feasible considering the costs of training and development.
Outsourcing, though, also has its disadvantages, some of which are:
- Sensitive information is given over to a third party – outsiders are given custody of confidential data and may not be as trustworthy as inhouse personnel.
- Single point of failure – where all data is outsourced, with no local backup, failure of the MSSP might cause the collapse of the organization.
- Contract limitations – client agreements might prohibit the outsourcing of confidential information.
MSSPs offer a myriad of services, oftentimes bundled into packages. Some of the issues that a manager should consider are:
- Should the entire security process be outsourced? If not, what should be retained inhouse?
- Should the company choose for onsite security, through cloud, or a combination of the two?
- Should the outsourced security processes be handled by a single MSSP or by multiple specialized MSSPs?
- Should the company retain local backups of its sensitive files?
When engaging the services of an MSSP, certain limitations and restrictions should be set forth in the service level agreement, for the protection of the company from liability:
- Boundaries – realistic boundaries and a clear delineation of duties and responsibilities between the MSSP and inhouse staff should be defined. This will define which party shall be liable for what acts or omissions.
- Inhouse IT – corporate employees should be able to conduct routine maintenance and repairs on equipment and software in order to minimize downtime. Training of these employees should be included in the service contract.
- Clear services – uptimes, downtimes, response times, and escalation procedures and the services expected from the MSSP should be clearly defined.
- Evaluation procedures – compliance with the service level agreement should be regularly monitored and action should be taken when the criteria for the service are not met. A before and after report should be conducted to determine if the increase in efficiency and effectiveness justified the cost involved in securing the services of an MSSP.