I have always been intrigued by companies that outsource their IT security function. To me, it's like giving away the keys to the kingdom. But, like anything else, you can easily make an argument for or against it. I recently had the opportunity to talk to Don Gray, Chief Security Strategist for Solutionary, an information security company that delivers a wide range of managed security solutions.
First, I asked Don if business was up or down. Don indicated that the Managed Security Service Provider (MSSP) business was up in general. His thoughts were that it was up because compliance was putting an additional burden on security departments and they looked to outsourcers to pick up that extra load.
In a post by IT Business Edge blogger Susan Hall on the outsourcing industry, Susan writes that outsourcing as a whole was down 7.5 percent from the first quarter. It's nice to see some "green shoots" in technology and that they are coming from the security industry.
Don also noted an interesting trend: clients are asking for very detailed information about where attacks are coming from. He noted that his company has a health care client that asks for the user ID and IP address of the attacker if Solutionary detects an internal attack. In addition, the client wants to know the gender of the attacker, the department they work for and, if they accessed a patient file, the patient ID and profile. Don felt that all of this information could be derived from Active Directory and a patient database.
I asked Don what other things clients are asking for. He said that clients want to know where attacks are coming from geographically. They want to know specifically what country an attack is being launched from and they want to know what type of traffic is traversing their network.
Finally, I asked Don what three suggestions he could give to improve an organization's security. Don gave the following:
After talking with Don, my takeaway is that security outsourcing is more like sharing the keys to the kingdom, or sharing responsibility for security. I think for SMEs that do not have the in-house expertise, a business case can be built to show that it makes sense. It can also make sense for large organizations to use an MSSP for specific project work when their internal people are busy with other core work.