Too important not to leave to outside experts

The use of managed security service providers (MSSPs) – that is, outsourcing security to a specialist third party – is growing. Researchers Forrester estimate it is growing at between 30 per cent and 40 per cent a year.

“Chief information security officers (CISOs) increasingly trust MSSPs to advise them in top security decisions and act as strategic partners,” says Forrester.

Gavan Egan, vice president sales at Verizon, one of the world’s leading MSSPs, says: “Traditionally, financial services and government have been the main adopters of MSS. But as the cyber threat increases and grows in complexity, an increasing number of organisations, large and small, are beginning to outsource their security.”

It is a service that has grown out of consultancy, says John Yeo of Trustwave, another major MSSP. “We realised that many of our clients simply don’t have the expertise to implement what we recommend,” he explains. The solution is for consultancy to evolve into service, providing and managing security for the client.

This fulfils the primary argument for outsourcing security management: more expertise for less cost.

The challenge is that security is no longer a case of installing anti-virus software and hiding the network behind a firewall. Security experts need to be expert in both the entire IT infrastructure and an ever-evolving and worsening threat landscape. Such people are hard to find and even harder to afford. Using a specialist third party allows business to achieve the security it needs at a cost it can afford.

But nothing is ever as simple as it seems. Part of the complexity of security is that its requirements are interwoven with the business. It is not just hardware, it is business processes and structures, staff and attitudes, and it is data, wherever, however and whenever that data is stored, locally or in the cloud. To understand and protect a business, an MSSP needs to be intimately associated with that business and its processes.

The logical extension of this particular argument is that maybe a company should not merely outsource its security management, but its entire IT management. If it is difficult to separate security from the overall IT infrastructure, perhaps we should not attempt to do so.

This is the approach offered by managed services companies such as Managed Networks. Chief executive Ben Rapp, a security specialist in his own right, suggests that as well as providing advice from full-time specialists, it offers technical scale and resilience, with companies that use his cloud platform being protected by far more security than they could justify alone. He adds: “More philosophically, it’s all to do with core competency.”

Core competency is the second argument for outsourcing. Business is good at doing business, but security is rarely a part of that business; in fact, security is a diversion. It is, however, the core competency of MSSPs, whether they provide just security or complete IT infrastructure management. Mr Rapp argues strongly that outsourcing IT and security management allows companies to concentrate on their own core competency, which in turn leads to a more competitive and profitable business.