An organization gains many advantages by outsourcing its network security to a managed service, but they basically boil down to increased cost-effectiveness and the way a managed service allows an IT department to operate without in-depth understanding of the various security functions, such as:
- Gateway protection, including managed services for firewalls, intrusion detection and prevention (IDP) and virtual private networks;
- Security monitoring;
- Incident management, including emergency response and forensic analysis;
- Vulnerability assessment and penetration testing; and
- Anti-virus, anti-spam and content filtering.
Partnering with a managed security service (MSS) is also a sound solution for transferring information security responsibility and operations. Although the organization still owns information security risk and business risk, contracting with an MSS allows it to share risk management and mitigation approaches.
By engaging an MSS, an organization improves security without increasing costs. Outsourcing enables it to:
- Free up resources to be used for other mission-critical purposes;
- Maintain operational flexibility by allowing peak requirements to be met while avoiding the cost of hiring new staff;
- Obtain current technology or capability that would otherwise have to be hired or acquired by retraining, at a potentially very high cost;
- Avoid infrastructure obsolescence by giving the responsibility for technical currency to someone else; and
- Control operating costs, or turn fixed costs into variable ones, through the use of predictable fees.
The cost of using an MSS is typically less than that of hiring in-house, full-time security experts, who are needed even when the organization owns a unified threat management (UTM) appliance, an all-in-one device that greatly simplifies the network security architecture. Managing a UTM device, though, is still a complex undertaking and requires considerable expertise. The in-house administrator would need in-depth understanding of networking and routing; know the firewall language and understand firewall security; and know how to configure the IDP, the anti-virus and the policies, the proxy, the anti-spam, and the content filtering. Each of these tasks is a job unto itself, and an MSS, with its experienced network operation personnel, is best equipped to manage the UTM appliance it might provide.
Moreover, a shortage of qualified information security personnel puts tremendous pressure on IT departments to recruit, train, compensate and retain these critical but costly specialists. When outsourcing, however, the cost of hiring and training highly skilled staff becomes the responsibility of the MSS, which is likely to retain security experts by offering a range of career opportunities and positions from entry level to senior management – all within the information security field. In addition, if a client organization can outsource repetitive security monitoring and protection functions, it can then focus internal resources on other important business initiatives.
In another scenario, an in-house staff member who deals with network security only on a part-time basis, or sees only a limited number of security incidents, is probably not as competent as someone who is doing the same work full-time, seeing security impacts across several different clients, and crafting security solutions with broader applicability. MSS providers have insight into security situations based on extensive experience – dealing with hundreds or thousands of potentially threatening situations every day. They can also enhance security simply because of their facilities; many MSS providers have special security operations centers located in various parts of the globe – physically fortified sites with state-of-the-art infrastructure managed by trained personnel.
It is also difficult for an organization that’s not in the security business to track and address all potential threats and vulnerabilities. An MSS is often able to obtain advance warning of new vulnerabilities and gain early access to information on countermeasures. Additionally, its security monitoring function can report near real-time results 24/7, whereas an in-house security monitoring service might only operate during normal business hours.
Further, an MSS can advise on how other clients handle the same types of security problems and is likely to have contact with highly qualified and specialized international security experts, as well as with other MSS providers. These resources can be brought to bear to diagnose and resolve client issues. On a related subject, an organization might have no enterprise-wide security management strategy, so moving security to an MSS could help simplify and strengthen the organization’s security posture with an integrated, more coherent solution that eliminates redundant effort, hardware and software.
Finally, it’s important to note that MSS providers can be held accountable for the service standards they provide. They guarantee service levels and assure their availability, because failing to do so can have financial repercussions for them. Their operational procedures are designed to ensure uninterrupted service availability. Also, if the MSS supplies a UTM, or some other system, it is responsible for upgrading software and hardware and for maintaining a secure network configuration. Because of all these strict contractual obligations to their clients and the need to maintain their reputation in the marketplace, providers of managed security services have control procedures in place that are generally both well documented and carefully enforced.