• United States



by No Analyst or Consultant

Guidelines for Choosing to Outsource Security Management

Apr 21, 20056 mins
CSO and CISOData and Information Security

By Gartner Analysts

Kelly M. Kavanagh,

Mark Nicolett

and John Pescatore

Outsourcing security is not appropriate for every organization. Some organizations will be better served by deploying and running security management and monitoring solutions. Your organization should use Gartner’s Decision Framework to determine whether it is a candidate for MSSP services. It is important to be clear about your organization’s expectation of a security outsourcing engagement, and to structure a service-level agreement that reflects those expectations.

When your organization decides that it needs active monitoring and management of its security infrastructure, it must then make the build vs. buy decision. This Decision Framework defines the capability and cost aspects necessary for making informed decisions about whether sourcing the management of an IT security perimeter to a managed security services provider (MSSP) is right for your organization.

You must understand the scope and boundaries of a potential outsourcing arrangement and determine the internal resources that will be required to achieve the desired level of security capability. Sourcing decisions must be based on an analysis of required security capabilities, current operational capabilities and cost.


Security management involves the following activities:

  • Monitoring security infrastructure components such as firewalls, intrusion detection sensors and antivirus systems and analyzing the data they generate for indications of security problems
  • Ongoing configuration of the security infrastructure components
  • Prevention and remediation of security vulnerabilities and recovery from incidents
  • The scope of a typical MSSP agreement includes monitoring and analysis, and very often includes firewall and intrusion detection system (IDS) configuration and management. Prevention, remediation and recovery require the involvement of internal IT security personnel and the cooperation of IT groups outside of the security function. Because of these issues, you must evaluate internal capabilities, staffing and total cost.

Technical Expertise

If your organization does not have established internal expertise in the areas of security infrastructure monitoring/analysis and configuration, it can benefit from MSSP competency in this area. An MSSP also has the expertise to maintain firewall and IDS policies.

Using an MSSP for monitoring and configuration management does not eliminate the need for internal expertise for security infrastructure. An MSSP that has identified a new IDS filter, or has identified an exposure and a blocking policy for a firewall, must communicate with an internal resource that understands the technical implications of the change as it relates to security and your enterprise’s applications, and can make a deployment decision. Internal security expertise is also necessary to monitor the effectiveness of an MSSP.

24×7 Security Coverage

When your organization establishes a requirement for 24×7 security monitoring, it must evaluate internal and external staffing alternatives to provide it. Using an MSSP can offer the potential to avoid adding staff. The case for this is most clear cut where there are no established 24×7 operations for network management, systems management or security. If you have established 24×7 network and systems management operations, or will need this capability in the near future, then there is an option to train that internal staff to perform “Level 1” security monitoring.

Regardless of who is doing the monitoring (insource or outsource), you will need internal “Level 2” security personnel who are available (or at least on-call) to manage the security incidents that occur after normal business hours.

Allocation of Security Staff

If your organization has a shortage of skilled security practitioners, or you wish to focus your established security resources on activities such as internal investigation, root cause elimination, and security standards/process development, you can use an MSSP to offload some operational functions. Outsourcing the management and monitoring of the network perimeter reduces your need to hire, train and retain security skills for that function, and frees up existing security expertise for higher value security projects.

New Security Infrastructure

If your organization needs to acquire or upgrade firewall or IDS technology, the insource vs. outsource decision is cost-neutral because the MSSP typically manages equipment and software that is owned or leased. One area that is not cost-neutral involves IT security management – event correlation and management technology that is layered on top of firewall and IDS. MSSPs will typically use IT security management technology in their security operations center to gain economies of scale and improve the quality of service. To gain equivalent service, your security organization must make an additional investment.

Process Capability and Staffing for Prevention, Remediation and Recovery

You must evaluate established process capabilities and the internal staffing requirements for security activities that are outside the scope of infrastructure monitoring and management. Your organization will not realize the value of early identification of threats and detection of vulnerabilities or incidents if it lacks the means for quick and effective response. Maintaining or improving the overall security posture requires awareness of potential or actual security problems along with the ability to address tactical problems as they arise and process or structural problems as they become apparent. Internal processes and internal staff must be in place to leverage the security management information provided by either an outsourcer or internal security operations. It is imperative to mitigate vulnerabilities, which requires high levels of system access that are not typically granted to an outsider when system administration is performed internally. If your organization has incident response and remediation capabilities in place, it will be able to act on, and therefore benefit from, deeper and more timely knowledge of potential security incidents. If your organization does not have those capabilities, it is likely to waste money by receiving early warning of potential problems.

Outsourcing Experience

Outsourcing involves relinquishing internal control to take advantage of the efficiencies and expertise of an external service provider. Outsourcing security can feel like giving up a great deal of control. If your organization has already outsourced other operational functions such as network management, it is likely to have the internal skills needed for vendor management, for knowledge transfer to internal staff and for measuring performance. If your organization has little or no experience outsourcing IT services, it should not earn that experience by outsourcing security.

Motives for Outsourcing Security

Gartner research shows that buyers of managed security rank “improving security posture” as the most important factor in deciding to outsource. Other motives include faster responsiveness and avoiding additional hiring. Reducing current levels of spending is not a primary driver for outsourcing security functions. Similarly, for enterprises that have already outsourced security management, security posture (with vendor performance) leads the list of criteria for renewing the service. It is important to be clear about your expectations for a security outsourcing engagement, and to structure a service-level agreement that reflects those expectations.

© 2005 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.