Most small to midsize businesses lack the resources and skills to manage an internal information security program, as well as the related technology to protect the business’ assets. While the management of the program and technologies may be outsourced, governance is the responsibility of the business owner or executives of the firm and cannot be outsourced.
The COBIT 5 framework from ISACA articulates this reality quite well as there is a distinct separation between governance and management. Governance, is the responsibility of the executives of the organization, and sets direction, policies and monitors and evaluates the results. Management on the other hand, is responsible for the planning, building, operation and monitoring of the program.
While this is not an article on COBIT 5, the framework nevertheless articulates a clear distinction. For those interested, further information on COBIT 5 may be obtained at the ISACA website by visiting www.isaca.org.
Governance requires the business owner or executive team to establish an information security program in order to protect the assets of the business. If a business has customers, then the business needs some sort of information security program. This is function which is frequently outsourced to an MSSP (Managed Security Services Provider). When selecting a provider to manage the security of the business, what should an executive team or owner consider?
MSSPs come in several flavors, each with their own advantages and disadvantages:
- Large security firms
- Boutique specialty firms
Large Security Firms:
Large security firms can be attractive and offer a sense of stability when outsourcing information security. These companies have robust security operations centers (SOCs), redundant datacenters, and threat intelligence. Companies such as Symantec, IBM, or Dell Secureworks fall into this category.
For a small business considering outsourcing information security, the standard offerings of a large firm present a price point which is affordable as well as offering a robust suite of services. The downside would be limited opportunity for customization, as small customers lack sufficient leverage to customize the services or negotiate contractual terms. Some level of added services may be available via the professional services offerings, although the hourly rate of these services can quickly add up and end up being more expensive than hiring dedicated staff. Consider a large security firm when standard service offerings meet the business needs and requirements, and little customization is required.
Telocs and ISPs offer many of the same benefits as large security firms when considering outsourcing information security management. They share many of the same features such as stable staff, redundant datacenters, and SOCs. Companies such as AT&T, Verizon, and BT fall into this category.
There are added advantages of partnering with a telco when outsourcing information security management. Packaging security services as part of an over reaching service package of cloud services can be compelling and may offer pricing advantages not available with a larger firm who strictly focuses on the security business. In addition, telcos and ISPs carry a very large portion of Internet traffic, and can leverage their threat intelligence enrichment data based upon the trends seen on their backbone networks. Such visibility enhances threat intelligence as trends can be identified and threats correlated across multiple customers.
Telcos do share some of the same downside concerns of large security firms. Namely, contracts and service offerings can be fairly rigid with little room for customization or negotiation. Consider outsourcing information security management to a telco or ISP in situations where hosting and other cloud services are also purchased.
Boutique Specialty Firms:
Outsourcing information security management to a smaller firm carries an element of risk and demands due diligence and due care be taken. Nevertheless, a smaller firm may be appropriate several reasons.
Smaller firms tend to be regional and local and can thus offer a high degree of touch and/or customization which simply does not scale with the larger providers. Contracts can also be negotiated as smaller regional firms are more motivated to win business as well as keep smaller customers.
When considering a smaller firm due care is a must. Consider such things as how long the firm has been in business, how many customers they service, redundant SOCs and datacenters, tools used, and threat intelligence. Some smaller firms actually leverage infrastructure and/or threat intelligence from larger firms yet are nimble enough to offer customized suites of services tailored to specific needs and requirements. Most importantly, demand customer references, and a visit to the facilities. Also insist on compliance requirements such as PCI certification, SSAE 16, SOC 2 and ISO 27001.
Consider a smaller boutique firm when customization and high touch are important, but do the due diligence.
There is no single, right answer to selecting a provider when outsourcing information security management; all of the choices have tradeoffs. It is up to the owner or executive team to accept the responsibility for governance of the program, and to ensure that the selected partner and suite of services are aligned with and meet the needs and objectives of the specific business.
Disclaimer: This post is not an endorsement of any firmed named herein. Named companies are merely representative of the type of offering discussed and mention only for purposes of demonstrating the points discussed.
- Ted Lloyd, CISM