Security is an ever-growing concern for data centers, but companies facing tight budgets or lacking the in-house skills needed to implement strong security may have difficulty implementing the necessary measures to protect their data centers. In such cases, however, there is an alternative: outsourcing of security management to a partner company. These partners, often called managed security service providers (MSSPs), can handle a range of security tasks, freeing a company’s staff for more vital business efforts. Because security is such a critical area, however, making the right choice of a security partner is important for a variety of reasons, including budget, company reputation, protection of company and customer data, and so on.
Although outsourcing has a bad rap, most companies do it in one respect or another. Outsourcing is a legitimate way to let other professionals do what your company might not have the time or skills to do, thus enabling you to focus on your core business. Security may well be one of those areas. If your company operates a data center, you will face security threats—both physical and virtual—that you must be prepared to fend off. Security breaches can damage not only your profitability, but also your reputation, and they can even land you in hot water with regulatory agencies and other authorities.
Deciding whether to outsource, as with any business decision, is a matter of weighing the costs and benefits. If you lack the in-house personnel and the requisite available capital to implement your own full-fledged security program, a security partner may be the right choice. Ideally, a managed security service provider offers expertise in implementing the right security measures for your situation, knowledge of the latest threats and the ability to choose and help implement the right security strategy within your allotted budget.
Not every situation is amenable to bringing in a managed security service provider, however. For instance, if your company needs—or simply prefers—to keep data and other information purely within company bounds, then obviously a security partner is out. Alternatively, you may simply determine that it’s worth your investment to pursue employee training and other means to establish in-house security expertise.
Tips on Selecting a Security Partner
If you do decide to take the outsourcing route with regard to security, then you’ll need to shop around to find the right security partner. ComputerWeekly (“Security considerations when selecting a managed security service provider (MSSP)”) notes, “While outsourcing relieves the burden of managing these systems in-house, if there is a security breach the burden of responsibility still lies within your own organization. It is therefore vital to investigate and conduct thorough due diligence of an MSSP before engaging its services.” Here are some considerations that you should take into account during this process.
- Provider offers the security services you need. This one seems like a no-brainer, but don’t assume that every provider does the same thing. Review each candidate partner’s portfolio of security services, and narrow down your list to those that cover everything you need—and, potentially, everything you might anticipate needing in the future. It’ll be much easier to add services from your existing provider than to switch to another provider altogether.
- Provider understands and can abide by necessary regulations. If you’re dealing with medical or financial data, for instance, then you already know quite well the impact that regulations have on your business. Your security partner should be aware of this fact too, and it should be knowledgeable in the regulatory areas that affect you. Ensure that the candidate providers also have experience dealing with regulations and that they have a good history of dealing both with companies seeking to abide by regulations and with regulators themselves.
- Provider is a stable organization. Although you need not necessarily turn to a huge company, the stability of your security provider is a legitimate consideration. You don’t want to find your data center “out in the cold” one day because your security provider all of a sudden closed shop or filed for bankruptcy protection. This may be more of a danger for small, specialized companies, but larger companies are not immune from such difficulties (these companies may divest or terminate portions of the business without affecting the overall organization). Look at candidate partners’ list of clients (if available) and their financial situation. An IBM whitepaper (“Selecting a Managed Security Services Provider: The 10 most important criteria to consider”) notes that “Managing security on an outsourced basis for large numbers of customers requires significant capital and resource outlays to operate a global network of security operations centers, develop new technologies, and attract and retain knowledgeable and motivated personnel.”
- Provider deals with solutions from multiple vendors. If you want to avoid the problem of vendor lock-in with regard to your security implementation, then your security partner should be able to work with equipment from a variety of vendors. Of course, if this is not an issue for you, and the provider works with a vendor that you know and trust, this consideration may be less important to you. But if there’s even a chance you may adjust your strategy in this sense, evaluate the ability of candidate partners to work with products from a variety of vendors.
- Provider offers adequate service-level agreements. When a security breach or other incident occurs, who is responsible for which tasks, and what is the requisite response time? Questions like this must be answered clearly and laid out in writing so that both you and your security partner understand who must take what actions following a security event. The provider should offer service-level agreements that meet your expectations. Of course, the balance here is financial: the more the provider does in terms of fast, thorough responses to threats, the more you’ll generally pay for these services.
- Provider’s reputation is excellent. If you’re able to discover other companies that the provider works with, try to find out what they think. If the candidate partner’s reputation is less than stellar, you probably want to look elsewhere. Don’t, however, conflate reputation with range of service offerings: a particular provider may not cover every service under the sun, yet still do an outstanding job in its areas of expertise. You don’t need someone who does everything—you just need someone who does what you need, and does it well.
Security outsourcing isn’t necessarily an all-or-nothing prospect: you may need to outsource only certain aspects of security, while maintaining others in-house. The technical aspects of selecting a security partner will vary depending on your situation and needs, but the overall aspects of doing so—several of which are listed above—are largely universal. Your security partner should be a company you trust; after all, you will be trusting that company with protecting a critical part of your business.
Photo courtesy of Tom Raftery