The decision on whether to outsource security continues to vex decision makers. The great reluctance to cede control to a third party is counterbalanced by the rational thought that a company whose sole business is security will be more up to speed on the fast-paced nature of change than an organization whose focus is elsewhere.
Whether to use a managed security-service provider (MSSP) is a vital decision. The changing dynamics and tensions in the sector are nicely drawn out in this long InformationWeek piece. Much of the thinking is summed up on a benefit/risk chart. Benefits include expertise not available on the customer's staff and the ability to quickly meet emerging challenges. Risks include a tendency for the customer to lose touch with security once it is outsourced, choosing the wrong MSSP and residual dangers of giving up control. The author adds that MSSPs are more flexible than in the past.
MSSPs have two sets of rationales. One is on the services side: They have the expertise and will make the organization safer. The other set of reasons to use an MSSP -- and the subject of this Network World article -- is that it is cheaper. The writer provides several vignettes in which companies got what the IT department considered a higher level of security at a lower cost.
In the example that offers the most detail, the writer says one company now outsources firewall and intrusion detection system/intrusion prevention system (IDS/IPS) services to SecureWorks. If kept in house, the task would require three certified security engineers, who each earn about $90,000 annually plus benefits. SecureWorks charges half of one employee's salary for the service, the story says.
There is a distinction -- made simply in this post by the chief security officer of StillSecure -- between MSSPs and security software-as-a-service (SSaaS or SaaS, take your pick). While SSaS simply delivers security software over the Web, MSSPs run clients' security infrastructure. They are responsible for the health and safety of the client, not just sending it some software. The post was inspired by the blogger's encounter with the owner of a satellite television retailing and installation business. MSSP services, which cost the business between $500 and $1,000 a month, are, according to both the owner and the blogger, a "no-brainer."
The growing popularity of MSSPs means there are a lot of different players in the market, and they are connected to different sectors. This post, which does a good job of describing an MSSP, says MSSPs are emerging from the telecommunications and enterprise sectors. In addition, there are "boutique pure-plays." Often, the writer says, telecom companies bundle MSSP offerings with other security options and features.
Network Access Control (NAC) is a growing security discipline focused on doing such things as ensuring that the devices that join a network are authorized to do so, that their security software meets company policy and is up to date and that the device gains access only to those areas to which it is allowed. This Mirage Network blogger says NAC and MSSPs are perfectly matched. He says MSSPs that add NAC to their repertoire can be more proactive in protecting their customers.
There are two points here. One is the proposition that NAC and MSSPs are a good combination. The higher level takeaway is that companies increasingly can choose which pieces of their security is kept completely in house, which relies on SSaaS and which is outsourced to an MSSP.