Managed security services providers (MSSPs) are dead.
Swept up in the hype of the dot-com era, in hindsight the notion of outsourced security seems as oxymoronic as military intelligence. Telenesius, Exodus, DefendNet, Securify and Genuity all failed to capture the imagination of security and IT professionals who knew they were vulnerable but did not know what to do about it.
There's only one problem with the above assertion - if MSSPs are such a dumb idea, why is all the smart money chasing them? The Donald Rumsfelds of the security world are quietly putting millions into managed security services. Symantec recently spent over $100 million to purchase Riptech, a not quite profitable but nevertheless impressive MSSP in Virginia, U.S. Symantec is combining Riptech with several in-house managed service centers to create a truly global presence. Combined with its acquisition of SecurityFocus (another $100 million deal) for "early warning" virus outbreak and intrusion information, Symantec now has a world-class global response network. IBM has been quietly building a managed security service presence as part of its Global Services organization, a $10 billion juggernaut that is widely influential in determining how corporate IT dollars are spent. AT&T is coming at it from a business continuity and network services perspective. Soon, other major IT services players like EDS and Computer Sciences Corporation will be jumping on the MSSP bandwagon.
Why? The conventional wisdom is that security is too precious to outsource. Hogwash. The idea of security as a strategic asset is nice, but the reality of security practices at most corporations is quite different. Stretched thin, the rank and file security professional spends most of his or her time poring over log files in the wake of the most recent breach, trying to piece together a story for management as to what happened 'this time.' Alternatively, how does a 16-hour day spent downloading patches and coordinating their release with IT sound? Not very strategic. How companies use security information, not how it is collected and analyzed, will be the best indicator of the strategic value of security. Unfortunately most companies are spending far too much time collecting and analyzing security information or responding to the latest virus outbreak to do anything strategic with security.
Outsourcing the mundane aspects of security policy enforcement has additional benefits. First, it creates a de facto benchmark for security best practices, without the need for exhaustive comparative studies within and across industry segments. Second, outsourcing creates built-in cost justification, the elusive "security return on investment." The outsourcing value proposition is inherently an ROI argument - if the MSSP cannot provide an equivalent level of security far cheaper than a corporation can on its own, it's a no go.
Unfortunately most cost comparisons confuse the apples for oranges by showing how much cheaper it would be to build an equivalent hardened data center with all the equipment and technical staff - not the point. The real cost benefit is either reducing the number of security staff required for a given task or freeing up the staff to work on more strategic projects. Finally, the MSSP has a built-in incentive to constantly raise the bar on the level of security that it provides its customers. It's simple economics - a greater concentration of security capability can be spread among a wider base of security companies, lowering the average cost of security utility and/or creating a tiered pricing opportunity for different levels of service.
So what types of managed security services will become increasingly popular? Clearly, the need for monitoring firewall and intrusion detection logs and maintaining configuration file information will not diminish anytime soon. Anti-virus will also grow in popularity as companies determine that the best way to deal with email-borne viruses is to keep them out of the corporation completely. Security policy enforcement, such as preventing MP3 downloads and ensuring privacy compliance, will eventually catch on as users and management get comfortable with its "Big Brother" aspects.
What will probably not catch on in any significant way is secure web hosting. Security in web hosting is a given these days, included in the value proposition for hosting in general. The same is true for vulnerability assessment - it's no longer sufficient to uncover what the vulnerabilities are; a plan must now be in place to reduce or eliminate them entirely. Other security services like VPN remote access and digital certificate issuance and revocation will find their niche as well. XML security services, in particular syntax checking and corporate security compliance checking for trading partners, is another interesting outsourcing idea. Identity management is also a candidate for outsourcing since it typically requires a disproportionate level of effort to maintain in-house. Access360, which was recently acquired by IBM Tivoli, has a fledgling outsourced identity management service. It will be interesting to see if and how this gets picked up and used in the acquisition.
For end-users evaluating whether or not to outsource part or all of your security, ask the following questions:
- How are my security and IT professionals spending their time today? If most of it is on 'tactical' routine tasks, then an opportunity may exist to free up some critical resources by outsourcing those functions.
- How stable and forward thinking is my business? If your management's idea of long-term strategic planning is what to have for lunch tomorrow then you may not be ready to outsource. Finding the right outsourcer and negotiating an agreement takes time, and your security needs will probably change as quickly as your business does.
- How much money do I have? Don't expect the cost savings to roll in immediately. The real cost advantage will come from the more strategic deployment of existing resources or the cost avoidance of having to hire more security staff as your needs grow.
In conclusion, MSSPs are not for everyone, but they are right for those who want to take a more strategic view of security. And that is what has the smart money followers sitting up and taking notice.
Robert Lonadier is the president of RCL & Associates, a Boston-based analyst and consulting firm specializing in providing implementation-ready counsel and advocacy services to senior management in information security. He can be reached firstname.lastname@example.org.