Five frequently asked questions about managed security services
Computerworld -
The managed security service business is booming; it produced $900 million in revenue in 2001 and $1.5 billion in 2002. The Yankee Group forecasts that the market will grow to $2.6 billion by 2005. This research note underscores the ingredients in a successful engagement.
Should I select the same service provider to manage both IT services and security services?
The Yankee Group recommends a separate vendor for security services to avoid conflicts of interest between security and customer service. Administrators trying to serve the customer can view security processes as a hindrance to their ability to deliver the service within the agreed time frame.
To ensure that your security policies are being enforced, you should separate the security duties and employ dedicated staff. Leading service providers such as Electronic Data Systems Corp., AT&T Corp. and IBM offer both security and other infrastructure services. Dedicated security leaders include Internet Security Systems Inc., Symantec Corp., RedSiren, NetSec Inc., TruSecure Corp., Equant, Guardent Inc., VeriSign Inc. and Solutionary Inc.
What process should I follow when implementing a managed security service?
Your corporate security policies are the best place to start. The roles and responsibilities defined in these policies can be divided between outsourced and in-house security staff.
Identify those assets in the scope of the service, and negotiate a service-level agreement to manage these assets. This groundwork forms the foundation of your managed services contract and ensures that both parties have clear expectations.
It is also critical to ensure adequate staffing before, during and after the transition to a managed service. The difficulty in demonstrating return on investment for security and a shortage of skilled staffers have led to chronic understaffing within internal security teams. Do not assume that your managed service provider has staff to fulfill the contract. Ask for staffing approval and play an active role to ensure staffing is adequate.
How do managed security services affect corporate security risks?
If you've moved to the managed services model, you have reduced the risks in the scope of your managed service agreement. However, you, not the provider, are responsible for the consequences of a security breach, outage, information theft, or fraud. Trust your provider to enforce your corporate policies, but periodically verify that they do this effectively. Regular reassessment of overall corporate security risks and controls is vital, and it will help you understand how to get the most from the services you have chosen.
Managed security services increase some risks. For example, a service provider will ask for privileged remote access.