Security: delivered

There are plenty of choices for enterprises who want to go the managed security services route. With choice appears confusion and the very real possibility of failure. However, enterprises can ensure the long-term feasibility of outsourced projects by following a few key steps.

  • E-Mail
By  Sathya Mithra Ashok Published  September 2, 2007

In some ways, managed security services (MSS) are like any other outsourced IT service. In many others though, they differ significantly. Most of this difference lies in the fact that the operation being outsourced concerns security and potentially could leave the internal workings of an organisation open to a third party provider.

"Many enterprises in the region are reluctant to hand over the keys to the kingdom of security to third party service providers. They fear the implications of such a move. But that attitude is slowly changing. Based on our research, we anticipate that the market potential for 2008 in the Gulf region will be around US$20 million purely for managed security services," says Neil Batstone, GM for VeriSign in the region.

IT managers have to start early and rigorously prepare for the act of moving security to a third party provider.

According to IDC, global MSS revenue will more than double between 2005 and 2010. The revenues are projected to reach US$32.6 billion by 2010 up from $14.5 billion in 2005 with a compound annual growth rate of 17.3%. Some vendors and experts claim that the Middle East market is growing faster than the global average at around 20%.

"The growth of managed services is like a wave and it's starting to create momentum in the region," says Stefaan Hinderyckx, EMEA sales director for MSS at Symantec.

The prospect of growth in an untapped market has attracted a large number of managed security service providers (MSSPs) to the region. They have brought along a range of services that companies can opt for when outsourcing security.

"Our service offering is based on five cornerstones. The first is classical monitoring of firewalls, IPS and IDS. The second is a management add-on to monitoring security infrastructure. Then comes vulnerability assessment which works in collaboration with monitoring and management. This is added to by our global intelligence services, which is like the Reuters of the security world. With this service customers can receive customisable news and alerts on global security elements. Finally, there is threat analysis, where we analyse and report back to customers on malware that they have identified. This service is of special relevance these days where attacks are targeted towards specific intellectual property or data that is pertinent to particular organisations," says Hinderyckx.

He adds that the threat analysis service will be launched in the Middle East soon.

While the above services are specific to Symantec, they are reflective of those offered by most other vendors. Many of the big vendors offer MSS along with local partners who bundle the offerings with larger IT management services.

While most enterprises still pick 24/7 monitoring of security infrastructure above all other services, the fact remains that with more MSSPs entering the region and a wider range of services now available, choice is on the increase for enterprises in the Middle East.

With more choice however comes the very real possibility of confusion. And with outsourcing still being rather new in the region, IT managers and enterprises have to watch their step, plan ahead and be prepared to spend time and effort on making their outsourcing venture a success.

A guide to outsourcing

In order to ensure the long term success of any outsourcing project IT managers have to start early and rigorously prepare for the act of moving security to a third party provider. That, almost always, begins with the act of asking serious questions that demand honest answers right at home.

"Internally, managers should consider the current cost of managing security and if they have true 24/7 security monitoring and if not, what the cost of an attack and the loss of data may mean. The answer could be that they beef up their security staff, get in house expertise and build a SOC (security operations centre). his is an option that some people take but most others look at alternatives such as outsourcing," says Hinderyckx.

Most industry experts state that enterprises should also spend time on deciding what security services they would like to outsource and the kinds that they would still like to do themselves. Hinderyckx points out that oncerns such as application level security which require business expertise are better watched internally.

The next step involves assessing and selecting a vendor.

"With the often bewildering flood of buzz words, hype and complexity of infrastructure and applications for business it is often very difficult to determine the best course of action when considering outsourcing your security. There are several questions the IT manager should be asking the provider when selecting a vendor for its outsourced security needs," says Drew Savage, global alliance manager for MSSP/carrier at Fortinet.

"Once you have taken the mental leap to outsource services, the IT manager will have to ask himself, the industry and the vendor questions on the longevity of the company and if it has critical mass to be around well into the future. Other important parameters include how many employees the company has and the kind of services offered. Managers should also look into how these services can be added on to as their business grows and they need to do more," says Hinderyckx.

He adds that IT managers should pay special attention to service level agreements (SLA), ask hard questions regarding the limits of their vulnerability and analyse the different ways of implementing the SLA.

These questions should be followed by an evaluation process where IT managers will need to test and assure themselves of the delivery capability of the vendor.

"Once general provider questions are covered, IT heads should concentrate on the number of SOCs that vendors have, maybe even visit them. Look into how well protected they are at the SOC, the technical expertise of the staff and the provisions that have been made for business continuity," states Hinderyckx.

"The heart of any managed security service is the reporting, portal and notification that the subscriber receives as a part of the service. IT managers should ask the MSSP to provide a demonstration of the reports associated with each of the security offerings. Ensure that the information that the MSSP is presenting in its security reports is easily understood and in some cases actionable as well as segmented to each location where the security services are delivered," says Savage.

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code