Make vs. Buy: The CISO's Guide to Evaluating Managed Security Services

Some important considerations for CISOs faced with the decision of whether to tackle security initiatives in-house or outsource to a managed security service provider.

On-Premise or Managed Security Services?

At this time each year, organizations are busy with internal budget negotiations. Resource allocation involves difficult choices within each department. It is rare for any executive, including CISOs, to get everything they want to meet their needs. Therefore, adjustments are required so that organizations can focus finite resources on their highest priorities.

For the typical CISO, many areas compete for attention. Advanced threat protection currently has a high profile. Application security and testing is, for many organizations, a regulatory requirement. BYOD proliferation adds new attack vectors. Loss of sensitive IP is always a concern, so data loss prevention will continue to be a priority. All this, while budgets remain relatively flat.

Few CISOs believe they have sufficient security resources for the growing threat environment, and applying these resources to their highest priorities is critical. Experienced CISOs will look for alternatives to achieve internal goals while managing budgets and overhead.

Security as a Service

One option is to leverage vendors to augment internal security resources. Security software offered as a managed security service allows organizations to take advantage of the product and security expertise of vendors to deploy, manage, and monitor applications. This practice can accelerate time-to-value of security investments, improve enterprise security, and reduce overhead and capital budgets.

Security as a Service is not a new concept. Organizations have used third parties for IT services, including managed security providers, for years. In addition to Digital Guardian managed security services, providers such as Qualys and Veracode have offered managed security services for years, web application penetration testing is typically performed remotely, and anti-virus vendors provide personnel under “staff augmentation” programs.

When considering deploying a security solution in-house or using a managed security service provider, several factors should be considered:

Security resources and opportunity cost

The scarcest resource, even for those organizations with larger budgets, is often skilled security practitioners. These are the people who deploy, manage, and monitor security activities, and respond to incidents to minimize damage. Data security professionals are in high demand across all industries.

Deploying those resources efficiently can be difficult, and opportunity cost is often the most critical factor for organizations considering managed security services. Opportunity cost reflects the tasks or projects that will be unachievable if the organization chooses to manage a new security solution internally. Businesses with limited security resources often reason that focusing those resources on security activities that require on-site personnel is preferable to devoting those resources to activities that can be safely outsourced.

Infrastructure

We all want to benefit from the value of new purchases quickly. However, deploying new software solutions is not always simple. Internal personnel need to learn how to operate and manage the new software, stand-up servers and databases, and train users. Inevitably, deployments include unexpected delays due to the organization’s lack of familiarity with the tools.

Using a managed security service provider eliminates much of the set-up time and costs. Infrastructure changes are eliminated, and product experts take responsibility for installation, training, and rollout.

For some companies, concern for the sensitivity of security reporting data requires that the infrastructure used must remain on-premise. If running the software yourself is impractical but outsourcing the responsibility is undesirable, a hybrid model is emerging: on-premise hosting of managed security services. In this model, the vendor supplies and manages the software used in the managed security program, while the customer manages the infrastructure in their own IT environment. All data and results remain with the customer, while program management responsibilities remain with the managed security service provider. This allows organizations with IT bandwidth to securely outsource security operations to managed security providers. Up-front capital expenses are minimized, and concerns about third parties accessing sensitive data are eliminated.

Performance

A common complaint about security solutions is the difficulty in monitoring and interpreting results. Managing new software requires organizations to educate IT and security personnel about how the software works, deployment strategies, optimizing configurations, and supporting end users.

With a managed service, professional administrators and software experts manage the application, monitor alerts, support end users, and provide assistance when incidents occur. This is often available 24x7x365, relieving individual organizations from the task of recruiting, training, and managing in-house personnel.

Domain-specific expertise

We all know “power users” of specific applications; those who can make magic with Excel or Photoshop. Productivity increases with familiarity, practice, and experience. The same is true, of course, with enterprise security applications. For in-house deployments, the people running new applications must go through the same learning curve.

This learning curve is minimized in a managed service deployment. Managed security service providers use employees whose sole responsibilities are to deploy, manage, and monitor a specific application. These are experts in security and the application, who have deployed the solutions many times and can bring “lessons learned” to each new deployment. Having product experts on call to help refine rules, deploy advanced use cases, and respond to alerts or incidents results in better value, faster.

What security controls does the vendor have in place?

Few organizations want their sensitive security information to travel outside of their networks. However, with the exception of hybrid managed security service offerings, data must leave the premises for processing and evaluation. Ideally, the managed security service provider obfuscates data in a way that allows effective analysis without the possibility of revealing weaknesses if others view the information.

Managed security service providers need not host servers themselves, for the same reason that organizations need not manage their own solutions. Specialization allows these hosting facilities to offer superior services at a lower marginal cost. Many hosting facilities meet SSAE-16 (née SAS-70) with man-traps, caged servers, and redundant connectivity. Factors that are more important include how the vendor qualifies its personnel, including experience, training, and background checks.

Getting started

Using a managed security service provider requires careful consideration, and the “right” answer will vary by organization. For organizations with available bandwidth and resources, or with previous experience running the application in question, an on-premise deployment makes sense.

On the other hand, if faster value, lower IT overhead, and additional security expertise are part of your needs, a managed service (or hybrid managed services) offering can help.

Mike Pittenger


Mike Pittenger is vice president, security strategy at Black Duck Software. Mike has over 30 years of technology business experience, including over 15 in application security. He was a co-founder of Veracode and led the product divisions of @stake and Cigital. He can be reached at mwpittenger [at] caddisadvisors.com.