Should we be surprised that roughly one in five managed security service programs fail?
No.
During a breakout session at last week's Interop IT Expo and Conference in Las Vegas, Jay Leek, global manager of corporate IT security at Nokia, noted that the failures of managed security service programs are often attributed to an improper selection of activities to be outsourced to an improperly selected provider.
It might be counterintuitive to some that your organization should only outsource routine processes that you know inside and out. If your organization can't define the problem, the inputs, the outputs, and measure the results, there is little chance you will be able to communicate what you need and then know if your outsourced partner is providing a solution that addresses your needs. It is easy to see how one in five organizations could make this mistake.
There are many factors involved in making the decision to outsource some or all of your security operations. As with any project, the first step toward being successful is to identify the problem you are trying to solve and tie that to the desired outcome. This initial step does not change - nor get eliminated - simply because there are alternate paths available. Deflecting the problem and giving it to someone else to manage does not let you off the hook.
Define the wrong outcome, the wrong plan, or make the wrong decision on which service provider to use, and your organization could find itself alongside the other nearly 20 percent of managed security services programs that fail. The typical causes of failure include improper implementations, a lack of communication, and various cultural differences (country, language, or corporate).
To avoid some of the risk of failure, before you begin, you should confirm that the activity to be outsourced is routine in nature, includes well-defined actions and tasks, contains very specific inputs/outputs, and can be regularly measured to determine how well the service is performing against your IT security objectives.
Attack and intrusion monitoring is a great example of a very well-defined activity that is commonly outsourced.
The exceptions to this would be highly specialized activities that occur so infrequently and/or that require such extreme in-depth knowledge from a set of highly qualified experts that it wouldn't make sense to keep people on as full-time staff. Post-attack forensic services are one example.
During his session at Interop, Leek warned that organizations should never outsource the management layer that oversees their managed security program. Organizations oftentimes think that they can offload the complete program, end-to-end, in hopes of transferring complete ownership, risk, and even liability to the service provider. It doesn't work that way.
Implementing a model that offloads everything to the provider would be a huge mistake. If you decide to do this, you probably don't realize that, while they can commit to service-level agreements (SLAs), managed service providers really can't make any guarantees that your organization, its network, and the data running through it will be secure at all times.
Your organization still owns the problem – and the associated liability. You can't outsource that.
Turning to the business end of things, making the decision to outsource is typically driven by the need to provide increased service levels - such as 24x7 support - and/or to reduce staffing costs, such as by allocating the staff to different IT projects. One such case of widespread investment in managed security services can be found in the troubled automotive industry looking to reduce costs through international managed service implementations.
Rather than building and monitoring connections to manufacturing partners between the United States and Europe, some automotive suppliers have chosen to outsource their connection to multiple business-to-business partners using a common private network. For example, through the ANX managed services network connection to the European Network Exchange (ENX), suppliers in North America can securely collaborate with suppliers and manufacturers in Europe.
Once the decision has been made to outsource, deciding on which provider to partner with takes both time and money. Even with what could be a six-figure investment in the research, selection, acquisition, and implementation of a managed security services program for an organization, the benefits can easily outweigh the costs if implemented properly.
However, as Leek noted in his session by drawing from his own experience with Nokia, the benefits that can be achieved are not marginal at all. In fact, the return has been very significant. It is absolutely worth the investment to get this right.
To get this right, a proper project plan is required that incorporates the standard components of a needs-driven request for information, real-world lab tests, and customer references that can be called upon.
For the short-list of providers, review their financials and consider physically visiting their offices. Sometimes, the in-person review of their team, ranging from engineering to management, could expose a very different view of the company, their processes, and their ability to support your organization, as compared to the fancy marketing materials they provide.
While you can expect the managed service provider to deliver the service, it is important for you to remember that your organization remains in control. The requirements, policy definitions, SLAs, and other intricate details of the contract need to line up properly with your organization's operations. If the details don't line up well, and you find you are adjusting the provider's baseline contract too much in order to meet your needs, it is probably time to select a different vendor that better matches your business requirements and IT processes.
IT security outsourcing requires that organizations know what they are asking their service provider to do for them, while maintaining control and ownership over the program. So, sorry folks – while there are numerous benefits in using a managed security service provider, one of them is not transferring the responsibility and liability to the provider.
Yes, it's still YOUR problem. Define and choose wisely.
Sean Martin, founder of imsmartin consulting, can be reached at [email protected]