A growing number of small and medium-sized businesses (SMBs) are turning to managed security services to protect their networks, systems and information. Using managed services can be a sensible strategy for companies that have limited security staff and resources—and it gives them access to expertise they don't have in-house. Managed services are “both appropriate and highly appealing, because SMBs are faced with more complex requirements than ever,” including regulatory compliance and changing IT dynamics such as mobility, external collaboration, virtualization and cloud computing, says Jonathan Penn, vice president at Forrester Research Inc. in Cambridge, Mass. “These are some general trends that were occurring before the recession,” Penn says. “The recession has merely served to accelerate the recognition that the operational aspects and skill [sets] around many security tasks are not strategic to SMBs.” Managed security services are set to grow among SMBs, driven mostly by skill needs and cost savings, according to a Forrester report on the state of security at SMBs in North America and Europe, released in December 2008. Other top drivers include reducing complexity and the desire for continuous security coverage.
Security as a managed service

SMBs adopt managed security services for added competency and cost savings

What is your primary driver for using a managed security service provider (MSSP)?

| Primary driver | Share of respondents |
|---|---|
| Increase competency (specialized skill set) | 31% |
| Because the rest of the IT environment is outsourced | 5% |
| None of the above | 3% |

Source: Forrester Research's State of SMB IT Security, 2008-2009. Base: 685 North American and European SMB IT security sourcing and services decision makers. (Percentages do not total 100 due to rounding.)
IT and security managers at SMBs that have deployed the services say success depends a great deal on how well companies choose their partners and oversee the relationship on an ongoing basis. Here are some tips on how best to select and govern managed security services, from those at SMBs who are using these services.

Don't underemphasize vendor selection

A key to success, as with other types of outsourcing endeavors, is finding the right partner that meets the specific needs of the client. Dozens of companies offer managed security services, and finding the right fit takes some work. Paymetric Inc., a Houston-based provider of electronic payment processing services for enterprise resource planning systems with under 100 employees, conducted extensive reviews of managed services, including scouring reports in security publications and by research firms such as Gartner Inc., before selecting a service from Cenzic Inc. Paymetric uses the Cenzic service for Web application vulnerability assessment, network monitoring, regulatory compliance assessment and penetration testing, functions the company does not have the skills to perform on its own, says Genady Vishnevetsky, director of IT operations and security.

A broad service portfolio was an important characteristic that Paymetric looked for in a partner, but Vishnevetsky says it's critical to not just evaluate which services a provider offers and the cost of the services. “Look at the longevity of the company; how long has it been in business and what is its business model?” he says. If the provider runs into financial trouble or gets acquired, that could have a negative impact on vital security services. Vishnevetsky also examined the technical support capabilities of the service providers, calling their tech support departments and posing as a customer or potential customer to see how they respond. “We did a long due diligence process, and we haven't had a major problem” with the service, he says.
If feasible, use one security service provider rather than multiple vendors

Yes, sometimes it's best to hire more than one specialist to cover different facets of security. But having multiple contracts is going to cost you more in the long run, says Kimberly Scarlett, executive vice president and chief operations officer at Broward Bank of Commerce, a Fort Lauderdale, Fla., bank that launched operations earlier this year. The bank, which has 12 employees and no formal IT staff, uses services from InfoSight Inc. to manage security of its network and ensure regulatory compliance. Scarlett hired InfoSight to handle security for the bank largely because she had prior experience using the company's service while working at another bank. InfoSight provides services such as content management, email encryption and compliance reporting. By using the services from InfoSight, Broward avoided having to hire people to oversee regulatory compliance, manage a firewall, run an intrusion detection system and perform other security functions. With the service, the bank has experts continuously monitoring its network, an absolute necessity for a bank that does much of its business via the Internet.

In her previous position at another bank, Scarlett used multiple service providers for security, including InfoSight, and the strategy ended up costing the bank more than if it had hired one company that's expert in a variety of security disciplines. “I should have put everything under one umbrella; it's much more cost effective to have one annual service contract,” Scarlett says. She estimates that Broward is saving about $50,000 a year by using a turnkey service from InfoSight compared with hiring multiple vendors.

Make sure the contract has service level agreements (SLAs) that meet company needs

“Customers should focus on combining structured vendor management practices with strong SLAs—with associated penalties and credits—to deal with the challenges of quality,” Penn says.
SMBs should incorporate liability provisions into SLAs and contracts, “but don't expect to outsource business risk,” Penn says. “Liability is best transferred through committed [SLAs] in outsourcing contracts, because the expectations of both parties, and the consequences for nonattainment, are detailed within SLA structures.” Contracts can also be used to transfer liability via specific requirements, such as background checks on employees, Penn says. “Fortunately, as the outsourcing market has become more competitive, outsourcers are more willing to assume liability and responsibility for their actions,” he says. Still, companies must be aware that the topic of liability is likely to be one of the most contentious areas of contract negotiations, Penn says.

Ensure that unplanned service disruption response and cost is understood and in writing

Todobebe, a Spanish-language family entertainment company based in Miami Beach, Fla., uses a variety of service providers to handle security, network management and other functions. In 2008, a major storm knocked out the company's network. Since the service disruption was classified as an “act of God,” Todobebe ended up incurring out-of-pocket costs to restore service, says David Reckles, chief technology officer. The service provider, which troubleshoots the network and provides a virtual private network for secure links, charged a service fee to get the network back online. “We didn't realize the exposure we had” in terms of additional fees, Reckles says. Companies “might not be able to avoid this risk, but it should be clearly understood before you finalize the [contract],” Reckles says.

Don't be afraid to share company information in order to ensure robust security

It might go against instinct, especially for small, private companies, but it's best to give the service provider lots of detail about existing IT infrastructure and applications in use.
“When using a security services provider, it is very important that you give them all the information that you possibly can about your existing system and what changes you feel you will need to make,” says Alan Atwood, vice president of the supermarket chain Pay Less Super Markets Inc. IGA in Coeburn, Va. “The more you give them on the front end, the easier it makes the job.” For example, when Pay Less hired Secure Design Inc. to help it achieve Payment Card Industry (PCI) compliance and for other security services, Atwood gave the service provider a schematic of the 125-employee company's entire network. “Once they could see exactly how the grocery, gas, office, etc., was laid out, it made a little more sense as to how we needed things done from a security standpoint,” he says.

Have a clear exit strategy

Security and IT managers must minimize risk by carefully reviewing the service contract to ensure that there's a way out if the service provider isn't meeting company expectations or delivering as promised. “You could end up with a [service] you didn't anticipate; a lot of things can go wrong,” Vishnevetsky says. For example, a vendor might not deliver on expected upgrades, or upgrades might not deliver on promised functionality. “'Good' contracts will have a clause for exiting the contract in case of repetitive violations of SLA,” Vishnevetsky says. “Service delivery is more complex and can be easily diluted, misrepresented or purposely misled during the sales cycle. That is why [clauses] for violating service delivery are important in contracts.”