'Is it inherently insecure to let someone else handle your own security?' mused an October 2007 report by Forrester Research.
Not if a reputable firm can do the job better and for fewer greenbacks than you can, experts say.
In today's marketplace, your company must meet a dizzying number of compliance regulations, with acronyms to match, if you store your customers' personal or financial information. Everything from the Payment Card Industry Data Security Standard (PCI DSS) to the Gramm-Leach-Bliley Act (GLBA) to Health Insurance Portability and Accountability Act (HIPAA) requirements. High-profile cases of laptops containing such data being stolen have added to the angst.
Meanwhile, many smaller businesses just don't have the manpower to handle these added security concerns. 'You might have someone on-site who can put in a firewall or a VPN [virtual private network] gateway, and then forgets about it,' warns Guy Fardone, chief operating officer and general manager with Wayne, Pa.-based Evolve IP, a managed security and compliance services firm. 'So no one is looking at it, and no one is updating it…they never inspect it.' As a result, there is no threat detection and the system is at risk, he says.
Does this sound familiar?
Providers come in several flavors
If it does, hiring a managed security services provider (MSSP) may be the solution. They can step in and install and manage firewalls, VPNs, vulnerability management, Web filtering and anti-spam, security intelligence services, and wireless and mobile functions. According to the Forrester report, there are several types of these providers, including:
- Managed services specialists, such as Evolve IP, SecureWorks, and Solutionary;
- Security product or service vendors, including VeriSign, McAfee, MessageLabs, and Google's Postini, which offer either security services or products;
- Telcos and managed services providers, such as Verizon Business, AT&T, and Sprint now offer some of these services.
Which type of MSSP should you choose? That, experts say, depends on how extensive your needs are. For example, do you need consulting, hardware, and services, or only some of these? Telcos do not provide compliance consulting, 'but if requirement number one for PCI [compliance] is that you need a firewall, you can get one through a telco,' notes Doug Barbin, director of product management with Mountain View, Calif.-based VeriSign. VeriSign, which offers a full range of MSS products and services to enterprise customers, currently services the small business market only through telco partners such as AT&T, Barbin says. Other service vendors may cover specific security needs (for example, MessageLabs offers email protection and archiving services) but not a full range of service.
A so-called pure-play MSSP, such as SecureWorks or Evolve IP, can provide a wide range security and compliance systems and consulting, notes Evolve IP's Fardone. The cost can start at $100/month for a managed firewall and run over $1,000/month for a threat detection service, but is still 'cheaper than hiring someone,' he says.
Choose wisely and get everything in writing
The next big question: whom to choose? 'Like choosing a doctor, the customer's lack of specified knowledge in the field makes trust an essential issue,' the Forrester report notes. Many companies tend to rely on word of mouth.
Whomever you choose, make sure the service-level agreement (SLA) you draw up with the company is crystal clear and is done with legal help. This IncTechnology article on avoiding security pitfalls with subcontractors can help. Experts recommend that the SLA includes enforcement rights, consequences, and a policy about how sensitive data will be destroyed after use.
After all, a good security agreement with the correct firm can save you time, money -- and your bottom line.