Evaluate Outsourcing Partners

Computerworld - Working with managed security service providers (MSSP) isn't much different from any other type of outsourcing commitment. All of the basic rules still apply, including setting specific requirements, incorporating strict service-level agreements with penalties, and re-evaluating your needs -- and the provider's competencies -- at regular intervals.
But when it comes to managing security functions, there are additional factors that can improve the relationship and the quality of security coverage provided by your MSSP.

• Have a clear reason for outsourcing. Figure out whether the service provider will deliver better security or run the company's information security operations faster and cheaper than you could in-house.
  Merrill Lynch & Co., for example, signed a global, multiyear contract to have VeriSign Inc. monitor and manage hundreds of network security devices, primarily firewalls and intrusion-detection systems. "We picked VeriSign because of the company's expert skill in monitoring and its ability to give us better information than we could gather on our own. The goal wasn't to reduce costs; it was to improve security," says David Bauer, chief information security and privacy officer at Merrill Lynch.
  
  
• Ask probing questions. Jeff Nigriny, chief security officer at Exostar LLC in Herndon, Va., an online exchange for the aerospace and defense industry, suggests interviewing everyone at the MSSP about how they will provide coverage for your company. How many times has the provider had to issue a credit for failing to meet the service-level agreement? And how financially stable is it?
  
  
• Set a time limit for responses. When Exostar contracted with TruSecure Corp., Nigriny included a clause in the a service-level agreement stating that TruSecure's response time to a problem couldn't exceed 15 minutes and that any configuration changes would have to be made within 30 minutes.
  
  
• Remember: Monitoring for security breaches 24/7 simply isn't enough. "The MSSP must filter through the alerts, respond to problems as they arise and tell me what was done in a report later," says Nigriny, who decided it was time to consider outsourcing when he was forced to sift through 3,000 incidents in a single day.
  
  
• Use an MSSP that's nearby. Paul Castellano, general manager of information services, IT security and disaster recovery at Hagerstown, Md.-based Allegheny Energy Inc., selected RedSiren Inc. more than two years ago, primarily because the MSSP filled key requirements and was headquartered in Pittsburgh, which is within driving distance of Castellano's office. While not everyone is able to jump into the car to visit a service provider, "you really don't want to be on a plane every time there's a briefing or presentation," he says.
  
  
• Make sure the MSSP offers fail-over operations that at least match your own. Castellano recommends using an MSSP that offers redundant network operations centers, which are critical for recovering from regional disasters. And even more important, he says, is the need to test those backup operations.
  
  
• Understand and exploit the reports you get. An MSSP's reporting tools can be used to benchmark your security coverage and recovery performance against those of scores of other companies. Allegheny Energy has used the RedSiren reporting tools to build a baseline and enable Castellano's staff to perform monthly or quarterly "what if" security testing.
  
  
• Think beyond the perimeter and "defend in depth." That's the advice of Nick Brigman, a vice president at RedSiren. Nowadays it takes more than antivirus software and a firewall to secure operations. Consider adding multiple intrusion-detection sensors in different areas around the company to better protect critical assets. Some customers add such devices both outside and inside their firewalls, Brigman says, to detect and track the incidents that breach them.
  
  
• Figure out how to escalate a problem and how to gain access to the "real" security experts inside the MSSP. Chances are, when you call the MSSP for assistance about a security alert, the person who answers the phone may not be the key person you need, says Adam Joseph, former CEO of TruSecure and now an independent consultant. He says MSSPs typically don't keep many highly skilled security technicians on duty around the clock, so identifying the people with real expertise is critical to getting better service.
  In general, experts say that the key is to develop a close, trusting relationship with the MSSP so the IT department can focus on strategic security goals while the MSSP handles the mundane daily operations.
  
  
• Investigate each of the security services you expect to get. Analysts say there's much hyping of services going on today, as MSSPs scramble to gain a footing in the market. So ask for sanitized incident reports, examine the level of content in them, and analyze the effectiveness of the service provider's response in each case.

Read more about Security in Computerworld's Security Topic Center.