With information security concerns and challenges at an all-time high and a global shortage of security professionals to address them, some enterprises are turning toward managed security services to help them. To ease the selection process, below are some useful items to keep in mind when shopping for a provider.
Cisco’s published 2014 Annual Security Report details that not only are new cyber threat alerts growing 14% year over year, but CISOs are struggling to hire people with up-to-date security skills. The study shows that there is a shortage of more than a million security pros in the industry.
On top of that, the 2015 Society for Information Management IT Trends Study found security to be the No. 2 concern of management, up from just seventh place a year ago.
'The sophistication of the technology and tactics used by online criminals—and their nonstop attempts to breach network security and steal data—have outstripped the ability of IT and security professionals to address threats,' the Cisco Security Report reads. 'Most organisations do not have the people or the systems to monitor their networks consistently and to determine how they are being infiltrated.'
> See also: The IT skills conundrum: too many threats and not enough professionals
But the lack of talent isn’t stopping organisations from fighting the boom in cyber security issues. Frost & Sullivan researchers say more North American enterprises are turning to security partners than ever before to protect against advanced persistent threats, estimating the security services market will grow from $1.81 billion in 2013 to $3.25 billion by 2018.
Making the decision to involve outside help is a process in itself, which can defer the introduction of critically needed resources. There may be concerns about loss of control or questions as to how managed services fit into a cloud services model.
Why would you hire a managed services provider (MSP)?
Generally speaking, organizations start considering MSPs because they either want to add capabilities they don’t already have, or they want to shift routine, operational work off of their internal staff to free them for strategic work that adds more business value. As reflected in Cisco’s personnel shortage projection, it’s often the former.
Technology has become so complex, and changes so fast, that it can be challenging for an internal IT department with limited resources to keep up with it all. An MSP can provide different levels of support to meet the requirements, saving an IT staff from the Herculean task of staying on top of the changes.
Then there is trouble-shooting, especially for higher-level, critical issues. Such trouble-shooting is often both urgent and time-consuming. It can be an “all hands on deck” activity. But, in the meanwhile, other important work falls to the side. An MSP can focus on trouble-shooting, reporting to and communicating with internal staff as needed to achieve prompt, appropriate resolution.
Another good example is 24×7 coverage. In today’s global, online economy, there is no such thing as 'normal business hours.' Many businesses need to be available all the time, either because they are global or they service customers around the clock. Even more important, cyber-threats are not a 9-5 occurrence. Quick-response and proactive security must be available round-the-clock.
A good MSP will have sufficient resources to provide both remote management and monitoring and first call support services on a 24×7 basis. This can translate into handling all needs around the clock or supplementing the coverage of an internal staff when they’re not available.
Multi-language support is another valuable capability some MSPs can provide. Whether it’s for internal global users or to meet the demands of various customer segments, some MSPs can help organizations get on the fast track to overcoming language barriers.
What to look for: facilities
The best MSPs will have a high-quality, finely-tuned NOC that is fully loaded with the latest technologies. Some may have more than one if required for 24×7 or regional coverage, or in cases where language is an issue. Organisations can tap into these NOCs to take advantage of capabilities they may not have on-premise, or to reduce some of the 'keeping the lights on' workload for their staffs.
When making a decision between MSPs, an organisation should make sure the NOC(s) have all the certifications required for the technology it’ll be leveraging. In addition, an MSP should hold the certifications that point towards the maturity of the MSP's internal process. Don't be shy, look under the hood and ask about the MSP's organizational structure, procedures, processes and internal controls. Examples include, ISO standards, SSAE16 and so on.
A good MSP will also have full redundancy and disaster recovery capabilities with automatic failover should the main NOC or on-premise data center go dark. In today’s world even a few minutes of downtime can cost millions of dollars. The organization should be protected from that revenue/productivity loss. Finally, ensure the MSP has a lab that can be used to mimic the enterprise’s internal environment to debug any issues the organization having without affecting production systems.
What will the day-to-day be like?
An MSP should feel like an extension of the business’ IT organisation. For example, while day-to-day monitoring and response will be managed by the MSP, the organisation will still retain control over the policies and protocols followed. While some organisations assume they’re just going to hand over certain services and be done with them, that’s not the case in a good client/MSP relationship.
A big part of making that happen is having the right tools, such as a portal that provides the client with immediate access to day-to-day communication with the MSP, project status updates, trouble tickets, and reports on service levels. There should also be an effective ticketing system that makes it easy to exchange information and provide updates, as well as a knowledge repository so both sides can share best practices, standard operating procedures, debug methods and other critical information.
Reporting is another factor. The MSP should be prepared to report on any SLA that is defined – response time, notification time, accuracy of performing change requests, uptime of devices, availability of services or hardware – pretty much anything that is a measurable deliverable. IT teams can also request daily reports such as managed intrusion protection results. If the MSP is participating in change requests, you should be able to obtain a report on the success of testing.
How strong is their skills 'bench'?
The better the team, the better the performance, and it starts with individual certifications. Look for an MSP whose experts are constantly training and learning, keeping up with the latest technologies. Certifications are not only a measure of knowledge; they’re also an indicator of a dedication to excellence.
See that the MSP provides a career path for their staff members to gain more expertise and responsibility, especially for the junior-level staff. Nothing is more frustrating than building a working relationship with someone at a partner company only to see them move on in order to take advantage of a better opportunity somewhere else. Yet that can easily happen when there is no clear path for that employee to advance their career.
How strong are their relationships with the manufacturers?
This is the final component. No matter how good an MSP is on their own, there will be times when they’ll need to involve the manufacturer of the technology being used resolve certain issues. A good indicator of their relationship to technology suppliers is their certification or partner status. No status, or a very low one, may indicate they don’t have the clout they’ll need to resolve issues promptly when a crunch time comes.
In vetting the MSP, check whether they have direct access to the manufacturers’ L3 engineers, which will bring in expert help to solve the most complex issues. They should also have access and experience with the manufacturers’ specialised support and tools, again, helping to resolve issues faster and more completely. If you’re seeking help at that level, it’s no time for guesswork.
How good a fit is their team for yours?
Finally, ensure there is a cultural match between the organization and the MSP. Today’s market is overflowing with managed service providers – telcos, boutiques, organisations that specialize in certain areas, large system integrators, overseas outsourcers and more. Not every MSP is a match for every organisation.
For example, a large MSP might be good at servicing a widely-dispersed workforce but not so good at providing a focused, customised offering the way a small or mid-sized MSP does.
> See also: Is secure cloud the next step in the evolution of information security?
The key is to identify and prioritize needs and find the MSP that best matches those priorities. They may not be able to fulfill everything on a wish list, but you’ll want to be sure they can handle the more critical ones.
The last word
If there are more than a million fewer security professionals than needed, an MSP may be the right choice as cyber threat alerts grow 14% year over year. Putting a part of an organisation’s security infrastructure in the hands of an MSP with up-to-date security skills could be the answer as CISOs struggle to find a security pro that fits.
Sourced from Dragana Vranic and Kim Cuthbert, Forsythe Technology