Managed Security Services: Examining the Need for an Outside Firm

12/05/2015  |  By: Jason Riddle, CISSP, President, Information Security


According to a 2014 cybercrime report that surveyed more than 500 executives from US businesses, law enforcement agencies, and government agencies, 69% were concerned that cyber threats would affect their growth.

The Wisdom of Collaboration

Concern over the impact of successful cyber attacks is widespread, which is why it is surprising that fewer than half of the respondents surveyed in Ponemon Institute’s 2013 report had a plan for responding to a breach. By contrast, 82% of companies with highly effective security practices have made it a point to collaborate with other technology experts, for example through the Information Sharing and Analysis Centers (ISACs), to better understand and deal with security and threat trends.

More secure organizations recognize that no man, or in this case, no organization, is an island. Collaborating with other organizations, partners, vendors, and agencies to mitigate cyber threats and reinforce network security programs is a smart approach.

For many organizations, working collectively to reduce cyber threats leads to the question of whether they are inclined and capable of assessing, developing, implementing, and managing their network security program in-house, or whether farming out all or some of these tasks to a managed security services provider (MSSP) is a better fit.

In-House or Out-Source?

So how do you know if your organization is equipped to tackle a network security program on its own? When is it best to look to an outside security firm for guidance? Below, we help you weigh each option.

The following questions can help you gauge which areas can be effectively handled in-house and which are best left to outside vendors:

  1. Do you have the manpower to oversee a robust network security program? Such a program requires 24/7 monitoring and response (intrusion containment, patching, etc.). If you’re a small to medium-sized business or a start-up, employing a dedicated person or team might be beyond your scope or budget. What’s more, tackling it on your own could shift the focus to the minutiae of monitoring and trying to keep pace with security threats, and away from your core business.

  2. Do you have a comprehensive security program in place, and have you hired a team with adequate knowledge and expertise in planning, implementing, and managing network security programs? Taken together, these steps can be daunting, even for those who know where and how to start. For many organizations, keeping up with compliance issues and new regulations can become a job in and of itself.

Then there’s the ongoing challenge of finding qualified people. For the moment, there aren’t enough security professionals to fill the available positions in the market. This shortage has put a premium on salaries for skilled security professionals, often putting them out of reach for smaller organizations. Some companies have turned to MSSPs for resources in the face of this talent shortage.

  3. Does your IT team possess the highly specialized knowledge needed to handle high-maintenance security technologies, such as Security Information and Event Management (SIEM)? As we’ve mentioned earlier, many organizations today tend to purchase security technology products and deploy them in a “fire and forget” manner. They expect the tools to function effectively with very little effort from their staff. As we’ve seen with the recent spate of security breaches, this simply does not work, especially for complex systems like SIEM platforms.

SIEMs are wonderful tools, and with a knowledgeable security analyst at the helm, they can provide insight into security events that would otherwise go unnoticed. However, they require a great deal of routine care and feeding to operate effectively: log sources must be kept connected, correlation rules tuned, and alerts triaged. Because most companies don’t want to dedicate a full-time resource to SIEM administration, these expensive systems are often neglected and the expected return on investment is never realized.

This is a perfect area in which to seek help from outside professionals, such as MSSPs. An MSSP can provide resources to administer the technology and then deliver the output to your team for action. This type of relationship allows your internal team to focus on running your business and delegates the more mundane and labor-intensive activities to a service provider.

  4. Does your organization understand how to ensure that your risk assessment also covers critical compliance issues across multiple frameworks and standards, including NIST, HIPAA, PCI, and more? Risk analysis and risk management are complex activities that front-line IT staff often struggle with. If your team does not have experience performing them, an outside consultant can often save you time and money by providing a process that encompasses all of your business operations and compliance requirements in a single risk management framework. Most importantly, these two activities drive the rest of your information security efforts, so it’s critical to get them right.

  5. What is the cost-benefit analysis of in-house network security versus outsourcing? Your initial assumption might be that you can save money by handling it yourself, or that all outside consultants will be cost-prohibitive. We recommend you analyze costs and speak with several vendors. You may discover that it is more appropriate and cost-effective to outsource. And if your organization is not experienced in network security, then you should absolutely look for a reputable outside firm to handle your security for you. Perhaps you have the manpower and expertise for some but not all security tasks. Many security providers are flexible and open to a customized, a la carte approach, perhaps handling just one or two areas for you.

You may not necessarily need an outside firm to provide a full turnkey solution. However, if you’re not sure where to begin but are committed to “getting it right the first time”, a consultation with an outside security firm is a good starting point. A thorough risk assessment, with actionable implementation steps, is well worth the associated fee if it saves your organization from costly breaches later.

Check out our free guide, Breach: Network Security Best Practices for Prevention, Detection, and Response, for more information on ensuring the safest network security for your firm.
