The ever-present workforce shortage in cybersecurity, coupled with an evolving threat landscape, has led an increasing number of organizations toward managed security service providers (MSSPs). Small to medium-sized enterprises (SMEs) in particular are using more services of MSSPs to help protect the organization.
Yet, this isn't a "throw it over the fence" option. Using a service provider does not absolve an enterprise from its responsibilities to the data and systems it must protect. Risks must be continually assessed and security controls put in place to address those risks, whether the controls are delivered internally or externally.
Small to medium-sized enterprises (SMEs) use managed security services in large numbers, having been hit hard by the combination of compliance demands, the cyberthreat landscape, and the workforce shortage. Small, overstretched, generalist IT teams are responsible for security, with few – if any – dedicated security staff.
As such, SMEs are hungry for security advice and effective support, but often do not receive that support from service providers.
There is no specific "starting point" for using managed security services. Some organizations may have a security product that is coming to end-of-life, and using an external provider is a preferred option. Others might have identified a particular risk and the only way of providing at least some of the required security controls is via a service provider.
Security service providers are not all made equal. Security is not a product, and organizations should steer clear of service providers offering only a product or a bundle of products (often antivirus, in the case of SMEs). Instead, focus on providers with expertise in your particular area – your vertical and/or company size – that understand your business. Look for providers that deliver integrated managed security services, giving your organization the option to expand its use of managed services if required.
Invariably, service providers will offer a series of certifications to demonstrate their capabilities around security. When choosing a provider, decide which are applicable to your enterprise and have these as table stakes. Additionally, ensure contractual service level agreements (SLAs) are available so your organization receives the service it is expecting.
It is also key to have an agreement about who is responsible for what, and when – for example, how frequently will the service provider undertake scanning and patching, how will your organization be informed, and how quickly can a change to a firewall be applied? These are all part of the regular interactions with an MSSP.
Regular reporting against SLAs and other metrics on a security scorecard can give customers of security service providers a level of assurance that requirements are being met. As with any contract, the power lies with the customer before the agreement is signed, so decide what you want up front and hold out for it.
This article was originally written for Computer Weekly, published in July 2018.
Maxine Holt, Research Director, Infrastructure Solutions