Outsourcing security is not appropriate for every organisation. Some organisations will be better served by deploying and running security management and monitoring solutions themselves. Your organisation should use Gartner's Decision Framework to determine whether it is a candidate for managed security services provider (MSSP) services. It is important to be clear about your organisation's expectations of a security outsourcing engagement, and to structure a service-level agreement that reflects those expectations.
Introduction

When your organisation decides that it needs active monitoring and management of its security infrastructure, it must then make the build vs. buy decision. This Decision Framework defines the capability and cost aspects necessary for making an informed decision about whether sourcing the management of the IT security perimeter to an MSSP is right for your organisation.
You must understand the scope and boundaries of a potential outsourcing arrangement and determine the internal resources that will be required to achieve the desired level of security capability. Sourcing decisions must be based on an analysis of required security capabilities, current operational capabilities and cost.
Scope

Security management involves the following activities:
—Monitoring security infrastructure components such as firewalls, intrusion detection sensors and antivirus systems, and analysing the data they generate for indications of security problems
—Ongoing configuration of the security infrastructure components
—Prevention and remediation of security vulnerabilities, and recovery from incidents
The scope of a typical MSSP agreement includes monitoring and analysis, and very often includes firewall and intrusion detection system (IDS) configuration and management. Prevention, remediation and recovery require the involvement of internal IT security personnel and the cooperation of IT groups outside the security function. Because of this, you must evaluate internal capabilities, staffing and total cost.
Technical Expertise

If your organisation does not have established internal expertise in the areas of security infrastructure monitoring/analysis and configuration, it can benefit from MSSP competency in this area. An MSSP also has the expertise to maintain firewall and IDS policies.
Using an MSSP for monitoring and configuration management does not eliminate the need for internal security infrastructure expertise. An MSSP that has identified a new IDS filter, or has identified an exposure and a blocking policy for a firewall, must communicate with an internal resource that understands the technical implications of the change for security and for your enterprise's applications, and that can make the deployment decision. Internal security expertise is also necessary to monitor the effectiveness of the MSSP.
24x7 Security Coverage

When your organisation establishes a requirement for 24x7 security monitoring, it must evaluate internal and external staffing alternatives to provide it. Using an MSSP offers the potential to avoid adding staff. The case for this is most clear-cut where there are no established 24x7 operations for network management, systems management or security. If you have established 24x7 network and systems management operations, or will need this capability in the near future, there is an option to train that internal staff to perform "Level 1" security monitoring.
Regardless of who does the monitoring (insourced or outsourced), you will need internal "Level 2" security personnel who are available (or at least on call) to manage the security incidents that occur outside normal business hours.
Allocation of Security Staff

If your organisation has a shortage of skilled security practitioners, or you wish to focus your established security resources on activities such as internal investigation, root-cause elimination, and security standards/process development, you can use an MSSP to offload some operational functions. Outsourcing the management and monitoring of the network perimeter reduces your need to hire, train and retain security skills for that function, and frees up existing security expertise for higher-value security projects.
New Security Infrastructure

If your organisation needs to acquire or upgrade firewall or IDS technology, the insource vs. outsource decision is cost-neutral, because the MSSP typically manages equipment and software that you own or lease. One area that is not cost-neutral is IT security management technology (event correlation and management) layered on top of the firewall and IDS. MSSPs typically use IT security management technology in their security operations centre to gain economies of scale and improve the quality of service. To gain an equivalent level of service, your security organisation must make an additional investment in such technology.
Process Capability and Staffing for Prevention, Remediation and Recovery

You must evaluate established process capabilities and the internal staffing requirements for security activities that are outside the scope of infrastructure monitoring and management. Your organisation will not realise the value of early identification of threats, vulnerabilities or incidents if it lacks the means for quick and effective response. Maintaining or improving the overall security posture requires awareness of potential or actual security problems, along with the ability to address tactical problems as they arise and process or structural problems as they become apparent. Internal processes and internal staff must be in place to act on the security management information provided by either an outsourcer or internal security operations.
It is imperative to mitigate vulnerabilities, which requires high levels of system access that are not typically granted to an outsider when system administration is performed internally. If your organisation has incident response and remediation capabilities in place, it will be able to act on, and therefore benefit from, deeper and more timely knowledge of potential security incidents. If your organisation does not have those capabilities, it is likely to waste money on early warnings of problems it cannot act on.