Managed Security Services Providers
Copyright 2022, Faulkner Information Services. All
Rights Reserved.
Docid: 00018026
Publication Date: 2205
Publication Type: TUTORIAL
Report Contents:
- Executive Summary
- Related Reports
- MSSP Market
- MSSP Advantages and Disadvantages
- MSSP Selection
- Web Links
Executive Summary
With cyber and other information security professionals in short supply –
and demanding top dollar – many enterprises have turned to outsourcing to
satisfy their local and global digital security needs, enlisting the
assistance of a third-party firm to manage and maintain their security
infrastructure. The firms that furnish such services are known as
managed security services providers (or MSSPs).
Related Faulkner Reports:
- SecureWorks Managed Security Services Product
- IBM Managed Security Services Product
- Verizon Enterprise Security Services Product
- AT&T Cybersecurity Services Product
While each MSSP offers its own unique portfolio of managed security
services, the standard service set usually includes, at minimum, managed:
- Anti-virus,
- Firewall,
- Intrusion prevention,
- Virtual private network, and
- Vulnerability scanning.[1]
Value-added services might include:
- Penetration testing – staging simulated cyber attacks to reveal and
repair weaknesses in network defenses; and
- Compliance monitoring – ensuring adherence to security and privacy
regulations, such as GDPR, CCPA, HIPAA, and PCI DSS.[2]
MSSPs normally operate from one or more highly-secure, highly-available
security operations centers (SOCs), from which they can render their
services 24x7.[3]
Figure 1. NASA Security Operations Center
Source: NASA
By engaging a managed security services provider, a client company is
free to pursue its core competencies, which for most firms do not include
present-day cybersecurity. Importantly, for small-to-medium-sized
enterprises (SMEs), the cost of MSSP services is known or, at least,
predictable, a must in turbulent economic times.
MSSP Market
According to MarketsandMarkets, the global managed security services
market is projected to grow from $22.8 billion in 2021 to $43.7 billion by
2026, a fairly robust compound annual growth rate (CAGR) of 13.9 percent
over the forecast period.
The increased enterprise commitment to managed security services is
attributed to several factors:
- The emergence of increasingly stringent government regulations;
- Greater acquiescence among enterprise officials to the bring your own
device (BYOD) and choose your own device (CYOD) movements;
- Expanded remote work, accelerated by the COVID-19 pandemic;
- The increasing number and severity of security breaches;
- Ransomware and other devastating malware strains;
- The potential for inter-enterprise (i.e., supply chain) cyber attacks;
and
- The cost-effectiveness of security outsourcing.[4]
Prominent players in the MSS market space include:
- IBM (US)
- AT&T (US)
- NTT (Japan)
- SecureWorks (US)
- BT Group (UK)
- Atos (France)
- Verizon Communications (US)
- Wipro (India)
- Accenture (Ireland)
- The Herjavec Group (Canada)[5]
MSSP Advantages and Disadvantages
As with most business relationships, partnering with a managed security
services provider has both advantages and disadvantages, a careful
consideration of which can help influence provider selection and
oversight. Table 1 offers a side-by-side view of MSSP pros and cons.
Advantages | Disadvantages
---|---
Lower Enterprise Costs – While lower cost is an obvious advantage, an enterprise client should be careful not to sacrifice valuable functions in the interest of driving down prices. If, for example, compliance monitoring is a value-added service, a client should probably sign up even if it means spending a few more dollars each month. | Losing Management Control – Outsourcing always involves relinquishing some measure of enterprise management control, a situation some executives are reluctant to tolerate.
Emphasizing Enterprise “Core Competencies” – Outsourcing enterprise security to a trusted third-party provider enables the enterprise to concentrate on its “core competencies,” or those operational specialties that contribute to enterprise productivity and profitability. | Exposing the Enterprise to Third-Party Exploits – Outsourcing is an intimate act in which a third-party provider is granted access to enterprise assets. These assets can be compromised – intentionally or unintentionally – by provider personnel or provider processes, and a provider holding privileged access to many clients is itself an attractive supply-chain target.
Reducing Enterprise Security Staffing – Recruiting – and retaining – highly skilled and experienced cybersecurity professionals is extremely difficult and expensive. Hiring a managed security services provider helps eliminate that burden. | Abrogating Essential Oversight Duties – While it may seem an overly harsh judgment, by outsourcing enterprise security operations without retaining oversight, enterprise officials are evading their duties relative to monitoring enterprise security and privacy standards.
Monitoring Enterprise Security 24x7 – Enterprise systems are being attacked around the clock. An MSSP staffed around the clock can respond to threats occurring any place, any time, a level of coverage few enterprises can sustain with in-house staff. | Exercising Accountability Without Responsibility – In a managed security services arrangement, the MSSP is responsible for day-to-day security operations, but the enterprise client remains accountable for security outcomes to its regulators, customers, and shareholders; that accountability cannot be outsourced.
Complying with Security and Privacy Standards – Enterprise officials are expected – often at the risk of substantial fines and other sanctions – to adhere to a wide variety of security and privacy standards, laws, regulations, and guidelines, including the GDPR, CCPA, HIPAA, and PCI DSS cited earlier in this report. An established MSSP is typically well prepared to help fulfill these obligations. | Evaluating Provider Performance – Today’s security environment is enormously challenging, with new information frontiers to secure like the Internet of Things (IoT), edge computing, autonomic and autonomous systems, and artificial intelligence. Determining whether a particular managed security services provider is “up to” these challenges is, itself, a significant challenge.
MSSP Selection
Considering the stakes – the integrity and confidentiality of enterprise
information, and the smooth and reliable operation of enterprise information
systems which support critical enterprise business functions – the selection
of a managed security services provider is a matter of strategic importance
to the enterprise, and a key predictor of enterprise success.
The search should be conducted through the enterprise request for
proposal (RFP) process, in which enterprise stakeholders, including IT,
Security, and Finance, are afforded the opportunity to probe the
credentials and qualifications of prospective MSSPs. Below are key
questions for provider candidates.[6]
Relevant Experience
- How many outsourcing contracts do you have currently in force? What percentage of your clients renew their contracts upon expiration?
- How many of your clients participate in similar businesses? With similar infrastructure? With similar security needs? Can you provide references?
Asset Separation
- Are the physical assets associated with each client dedicated or
shared? If shared (for example, a multi-tenant SIEM or client portal), how
is tenant isolation enforced and verified, and how is cross-contamination
between clients avoided?
Tier Two Providers
- Are any subcontractors involved in service delivery? If so,
what are their roles and responsibilities? And how are these “tier
two” partners vetted?
Independent Evaluations
- Do you enlist third-party providers to perform independent security
audits? With what frequency? What did the last several
assessments reveal?
Background Checks
- How extensive are employee background checks? Are criminal,
financial, and substance abuse screens standard? Are business
partner personnel subject to the same level of pre-employment
investigation?
- As part of this RFP process, are key service personnel available for
one-on-one interviews?
Personnel Training
- What type of training do service personnel receive? How often
do they take refresher courses?
- Are service personnel credentialed? For example, what
percentage are Certified Information Systems Security Professionals
(CISSPs)?
- Are service personnel trained to conduct forensic
examinations? What standards are applied in the collection
and preservation of criminal evidence? Are service personnel
experienced in offering expert testimony?
Intellectual Property
- Is all intellectual property created by the outsourcer on behalf of
the client owned by the client?
- What measures are employed to ensure that sensitive, confidential, or
proprietary client information, such as personally identifiable
information (PII), is safe from loss, theft, unauthorized alteration, or
misappropriation?
- Is all enterprise information encrypted – whether at rest or in
transit? If not, why not?
Service Level Agreement
- Does the standard service level agreement (SLA) provide for
client-specific requirements? Does it define measurable targets, such as
time to acknowledge and time to respond to a detected incident? Under what
circumstances can an SLA be amended or renegotiated?
- What is the process for addressing alleged service violations? How are
severe or protracted incidents escalated?
Crisis Management
- If an incident becomes public, what crisis management resources are
available to address it?
- Are crisis communications coordinated with the affected clients?
Site Visits
- Are unannounced site visits permitted (as a means of validating
provider performance and the accuracy of provider information)?
Service Reporting
- What types of information are available in standard network
reports? How often are these reports issued? Can custom
reports be commissioned?
- Can trend analysis reports be generated?
- Is real-time access to network and system security status provided
via a Web interface?
Intrusion Detection/Prevention
- What is the precise process for managing a detected intrusion? Within
what time frame is the client notified, and who is authorized to take
containment actions (such as blocking an address or isolating a host) on
the client's behalf?
Governance
- Are managed security services managed according to a recognized IT and
security governance standard such as the Control Objectives for
Information and related Technology (COBIT)?
Regulatory Compliance
- Are managed security services compliant with all relevant national
and international security and privacy statutes, such as the US Health
Insurance Portability and Accountability Act (HIPAA), the EU
General Data Protection Regulation (GDPR), and the California Consumer
Privacy Act (CCPA)?
- How is adherence to these standards assured and reported?
Business Continuity
- In the event of a disaster affecting the delivery of client services,
what disaster recovery and/or business continuity provisions are in
place to preserve client interests and assets?
- What is the worst case scenario for the restoration of critical
managed security services?
- How are clients notified about disasters (or potential disasters),
and how are they “kept in the loop” relative to recovery options and
recovery progress?
- What is the disaster recovery/business continuity posture of key tier
two providers?
Contract Termination
- If the outsourcing agreement expires or is terminated, what is the
process for transitioning network security support to a new provider?
Try Before You Buy
- What types of managed security support can be provided on a trial
basis? How are such pilots or “demos” arranged?
Technology Awareness and Preparation
What specific strategies are employed to
ensure information security in the following areas:
- Cloud Computing?
- Virtualization?
- Edge Computing?
- Internet of Things (IoT)?
- Artificial Intelligence (AI)?
Web Links
- Continuity Central: http://www.continuitycentral.com/
- SANS Institute: http://www.sans.org/
- US National Institute of Standards and Technology: http://www.nist.gov/
References
[1] “Managed Security Service Provider (MSSP).” Gartner, Inc. 2022.
[2] Eyal Katz. “The 9 Most Common MSSP Security Services.” Exigence Ltd. 2020.
[3] “Managed Security Service Provider (MSSP).” Gartner, Inc. 2022.
[4-5] “Managed Security Services (MSS) Market by Security Type
(Managed IAM, Managed SIEM, Managed Firewall, and MDR), Service Type
(Fully MSS and Co-managed), Organization Size, Vertical (BFSI, Government,
and Healthcare), and Region – Global Forecast to 2026.” MarketsandMarkets
Research Private Ltd. October 2021.
[6] Adapted in part from “Request for Information (RFI) on
Information Security Outsourcing.” Network Computing | CMP Media, LLC.
About the Author
James G. Barr is a leading business continuity analyst
and business writer with more than 40 years’ IT experience. A member of
“Who’s Who in Finance and Industry,” Mr. Barr has designed, developed, and
deployed business continuity plans for a number of Fortune 500 firms. He
is the author of several books, including How to Succeed in Business
BY Really Trying, a member of Faulkner’s Advisory Panel, and a
senior editor for Faulkner’s Security Management Practices.
Mr. Barr can be reached via e-mail at jgbarr@faulkner.com.