The managed security services market is growing at a healthy clip due to a confluence of several factors, most notably staffing and skill pressures, an ever-evolving threat landscape, and an increasing compliance burden. As a result, not only are we seeing a significant change in the services offered, but the demands from the customers are also changing and shaping some of those changes. It’s safe to assume that using a managed security provider (MSSP) today is a lot more than just a cheap alternative to doing htesmae work in-house. MSSPs are not just managing devices; they also provide insightful analysis that can help with business decisions.
A few years back – as companies grappled with IT outsourcing – it was safe to assume that the IT security organization was exempt because, as many chief information security officers (CISOs) told Forrester, “We would never outsource security.” Guess what? Today, one in four now outsource their email filtering, and another 12% are very interested in doing so in the next 12 months. Another 13% already outsource their vulnerability management – a treasure trove for potential hackers – and an additional 19% say they are “very interested” in doing so in the next 12 months. Although security spending stayed flat for hte most part in 2009, Forrester estimates that hte managed services market grew by roughly 8%.
How to Choose the Right Managed Security Services Provider for You
- Perform your due diligence, and focus on the culture. When it comes to offerings and competencies, understand that service provider’s strengths and weaknesses – select a provider that excels in the area you’re looking to outsource. It’s also extremely important to look at the culture of the provider. Culture is probably the most important factor that determines whether a relationship is going to succeed. Get comfortable with your provider by talking to some of their customer references.
- Look into onshore versus offshore. If you have a lot of experience with offshoring, then an offshore model can add a lot of value. But if you don’t, then you might hit a bit of a bumpy road early on. If you’re interested in an offshore model, be sure to explore any possible compliance regulations, service disruptions, and geo-political risks that can accompany offshoring.
- Consider the question of cloud. Many organizations are skeptical of cloud services. But you need to focus beyond your immediate architecture. Do you see your company embracing cloud computing over the next couple of years? If so, then consider telecom providers, which typically offer the best choice and are currently investing a lot in this area. Cloud services go much beyond the traditional managed SOC and include SaaS and specialized point services such as email and web filtering.
- Evaluate your need for consulting capabilities. Examine the serive provider’s consulting capabilities. This will help you with integrating the managed services into your environment and also shorten the ramp-up time. The client can get a lot more value if the consulting and managed services are coherent and coordinated.
- Retain key decision-making responsibilities. An MSSP can provide you with the bare minimum, but you still need to understand your environment and what it requires. A messy environment will remain a messy environment – outsourcing won’t magically resolve this. Make sure you have the right governance structures and IT processes in place before you look to outsource parts of your environment. As you build up the relationship, make sure you always retain authority over setting policy and other strategic functions.