Security: should it be in-house or outsourced?
The use of managed security service providers (MSSPs) – that is, outsourcing security to a specialist third party – is a growing practice. Forrester estimated in March 2012 that it is growing at between 30% and 40% per annum, largely because “CISOs increasingly trust MSSPs to advise them in top security decisions and act as strategic partners.”
“Traditionally,” says Gavan Egan, vice president sales at Verizon, one of the world’s leading MSSPs, “financial services and government have been the main adopters of MSS.” But as the cyber threat increases and gets more complex, an increasing number of organizations, large and small, are beginning to outsource their security.
It is a service that has grown out of consultancy. “We realised,” explains John Yeo of Trustwave, another major MSSP, “that many of our clients simply don’t have the expertise to implement what we recommend.” The solution is for consultancy to evolve into service, providing and managing security for the client – which is what Trustwave does.
It fulfils the primary argument for outsourcing security management: more (expertise) for less (cost). Security is no longer a case of installing anti-virus software and hiding the network behind a firewall: security experts need to be expert in the entire IT infrastructure together with an ever-evolving and worsening threat landscape. Such people are hard to find, and even harder to afford. Using a specialist third party allows a business to achieve the security it needs at a cost it can afford.
But nothing is ever as simple as it seems. Part of the complexity of security is that its requirements are interwoven throughout the whole business. It’s not just hardware: it’s business processes and structures, it’s staff and attitudes, and it’s data, wherever, however and whenever that data is stored, locally or in the cloud. To understand and protect a business, an MSSP needs to be intimately associated with that business and its processes.
The logical extension of this particular argument is that maybe a company shouldn’t just outsource its security management, but outsource its entire IT management. If it’s difficult to separate security from the overall IT infrastructure, this argument suggests that perhaps it shouldn’t be attempted.
This is the approach being offered by managed services companies such as Managed Networks. CEO Ben Rapp, a security specialist in his own right, suggests that this provides three things: quality of advice (from full-time specialists); technical scale and resilience (companies using his cloud platform are protected by far more security than they could justify alone); and, “more philosophically,” he says, “it’s all to do with core competency.”
Core competency is the second argument for outsourcing. Business is good at doing business, but security is rarely a part of that business. In fact, security is a diversion. It is, however, the core competency of MSPs, whether they provide just security or complete IT infrastructure management. Rapp argues strongly that outsourcing IT and security management allows companies to concentrate on their own core competency, which in turn leads to a more competitive and profitable business.