Outsourcing security: Would you turn over the keys to a third party?

Managed security services providers are gaining a foothold in the market.


Tom Bain, vice president of marketing at CounterTack, believes organizations want to “collapse the stack” and move to fewer providers and platform offerings. They want fewer agents and ultimately not as many providers under the hood. “Taking technologies into a managed deployment gives an enormous advantage to MSSPs who can remove the burden from operators, monitoring and responding to threats on their behalf,” he said.

Not so fast

While those interviewed do see pros to MSSPs, they also have some issues with blindly giving up security.

Westby said as with most services, “there are many that over market and under deliver on true security service. Taking the time to get under the covers of how the service is provided and validate how they will protect your company is important in vendor selection. Maintaining security leadership and program/vendor oversight in-house is also very important.”

It’s important to factor in the overall requirements and needs of the organization, said Javvad Malik, security advocate at AlienVault. For example, if a company has many custom apps that need customized monitoring, then in-house may be more appropriate than an MSSP. Other considerations can include whether there’s a preference for dedicated personnel or regulations that require data to be stored locally.

“If a company does choose to opt for an MSSP it’s important to evaluate them for effectiveness and their ability to execute on their methodology. Finding the right type of MSSP that is a good cultural fit with your organization is just as important as finding one with the right technical skills.”

Malik said there’s no easy or right answer to this – both approaches have their own challenges and benefits. But it’s best to make an informed decision based on budget, expertise, and desired outcomes.

Salim Hafid, product manager at Bitglass, believes that for many of the most security-conscious industries and organizations, in-house security is a must. An in-house security team that has specialized knowledge of the security capabilities necessary to achieve compliance, and that can evaluate multiple security solutions against its needs, can be very effective.

Having in-house security allows you to build on tribal knowledge that is not easy to export to a third party, Hoyos said. “Your internal team will better understand the risks you face, including internal risks from your own personnel, which is something that an MSSP simply cannot do without boots on the ground.”

He suggested having a mix of in-house personnel and an MSSP; the MSSP can cover the basics, while the in-house security team can focus on the more complex or nuanced issues that an MSSP doesn’t have sufficient background to understand. “Having the MSSP cover those basics also provides meaningful challenges for your team, thus reducing turnover and augmenting your security program organically with more skilled personnel.”

Companies might not want to use an MSSP if they already have vendor contracts in place and an in-house team that knows the ins and outs of their particular environment. “MSSPs are more one-size-fits-all, so you have to account for that when planning a migration to an MSSP. You also need to be cognizant that all your data will be going through an MSSP, so confidential agreements and concerns with proprietary or customer data need to be considered as well,” Hoyos said.

Neal Bradbury, senior director of business development, Intronis MSP Solutions by Barracuda, also offered the option of “as-a-service” that allows companies to pick and choose what they want implemented.

Stu Sjouwerman, CEO, KnowBe4, said one factor to consider is the complexity of your environment when determining whether to keep security in-house. Very complicated environments can be a challenge for MSSPs, especially if they have a high employee turnover rate; however, they may also have a more diverse skillset to tap into.

“It takes time to learn about complex environments, so you want to minimize repeated learning curves,” he said.

Another factor is a company’s geographic location. Is there a local talent pool for security professionals, or are they in short supply? If your organization’s salaries, benefits and perks are focused on lower-level positions, it could prove a challenge to retain a security individual that is being courted by other organizations, Sjouwerman said.

Advantages to in-house security are that you have a dedicated resource that will know the ins and outs of the environment better than most MSSPs because they are immersed in it daily. “You are free to leverage the in-house security resource for any number of projects or advice that you may not want to bring an outside organization into,” Sjouwerman said.

“Ultimately, you also need to research any MSSP or direct hire before you make a step either way. These people will be the guardians of your information and will likely have a lot of access to your customer data. A company or individual with a strong track record and proven trustworthiness is critical,” he added.

Copyright © 2017 IDG Communications, Inc.
