Managed Security Services Providers

by James G. Barr

Docid: 00018026

Publication Date: 2205

Publication Type: TUTORIAL

Preview

With cyber and other information security professionals in short supply –
and demanding top dollar – many enterprises have turned to outsourcing to
satisfy their local and global digital security needs, enlisting the
assistance of a third-party firm to manage and maintain their security
infrastructure. The firms that furnish such services are known as managed
security services providers (or MSSPs). While each MSSP offers its own
unique portfolio of managed security services, the standard service set
usually includes, at minimum, managed anti-virus, firewall, intrusion
prevention, virtual private network, and vulnerability scanning.

Executive Summary


With cyber and other information security professionals in short supply –
and demanding top dollar – many enterprises have turned to outsourcing to
satisfy their local and global digital security needs, enlisting the
assistance of a third-party firm to manage and maintain their security
infrastructure. The firms that furnish such services are known as
managed security services providers (or MSSPs).


While each MSSP offers its own unique portfolio of managed security
services, the standard service set usually includes, at minimum, managed:

  • Anti-virus,
  • Firewall,
  • Intrusion prevention,
  • Virtual private network, and
  • Vulnerability scanning.[1]

Value-added services might include:

  • Penetration testing – staging simulated cyber attacks to reveal and
    repair weaknesses in network defenses; and
  • Compliance monitoring – ensuring adherence to security and privacy
    regulations, such as GDPR, CCPA, HIPAA, and PCI DSS.[2]

MSSPs normally operate from one or more highly secure, highly available
security operations centers (SOCs), from which they can render their
services 24X7.[3]

Figure 1. NASA Security Operations Center

Source: NASA

By engaging a managed security services provider, a client company is
free to pursue its core competencies (which usually do not include
present-day cybersecurity). Importantly, for small-to-medium-sized
enterprises (SMEs), the cost of MSSP services is known or, at least,
predictable – a must in turbulent economic times.

MSSP Market


According to MarketsandMarkets, the global managed security services
market is projected to grow from $22.8 billion in 2021 to $43.7 billion by
2026, representing a fairly robust compound annual growth rate (CAGR) of 13.9
percent during the forecast period.

The increased enterprise commitment to managed security services is
attributed to several factors:

  • The emergence of increasingly-stringent government regulations;
  • Greater acquiescence among enterprise officials to the bring your own
    device (BYOD), and choose your own device (CYOD) movements;
  • Expanded remote work opportunities, boosted by the COVID-19 pandemic;
  • The increasing number and severity of security breaches;
  • Ransomware and other devastating malware strains;
  • The potential for inter-enterprise (i.e., supply chain) cyber attacks;
    and
  • The cost-effectiveness of security outsourcing.[4]

Prominent players in the MSS market space include:

  • IBM (US)
  • AT&T (US)
  • NTT (Japan)
  • SecureWorks (US)
  • BT Group (UK)
  • Atos (France)
  • Verizon Communications (US)
  • Wipro (India)
  • Accenture (Ireland)
  • The Herjavec Group (Canada).[5]

MSSP Advantages and Disadvantages


As with most business relationships, partnering with a managed security
services provider has both advantages and disadvantages, a careful
consideration of which can help influence provider selection and
oversight. Table 1 lists the MSSP pros and cons.

Table 1. MSSP Advantages and Disadvantages

Advantages

  • Lower Enterprise Costs – While lower cost is an obvious advantage,
    an enterprise client should be careful not to sacrifice valuable
    functions in the interest of driving down prices. If, for example,
    compliance monitoring is a value-added service, a client should
    probably sign up even if it means spending a few more dollars each
    month.
  • Emphasizing Enterprise “Core Competencies” – Outsourcing enterprise
    security to a trusted third-party provider enables the enterprise to
    concentrate on its “core competencies,” or those operational
    specialties that contribute to enterprise productivity and
    profitability.
  • Reducing Enterprise Security Staffing – Recruiting – and retaining –
    highly skilled and experienced cybersecurity professionals is
    extremely difficult and expensive. Hiring a managed security
    services provider helps eliminate that burden.
  • Monitoring Enterprise Security 24X7 – Enterprise systems are being
    attacked around the clock. Only an MSSP can manage threats
    occurring any place, any time.
  • Complying with Security and Privacy Standards – Enterprise officials
    are expected – often at the risk of substantial fines and other
    sanctions – to adhere to a wide variety of security and privacy
    standards, laws, regulations, and guidelines, including,
    importantly, the:
      • European Union (EU) General Data Protection Regulation (GDPR),
      • California Consumer Privacy Act (CCPA), and
      • US Health Insurance Portability and Accountability Act (HIPAA).
    An MSSP is best prepared to fulfill these obligations.

Disadvantages

  • Losing Management Control – Outsourcing always involves
    relinquishing some measure of enterprise management control, a
    situation some executives are reluctant to tolerate.
  • Exposing the Enterprise to Third-Party Exploits – Outsourcing is an
    intimate act in which a third-party provider is granted access to
    enterprise assets. These assets can be compromised –
    intentionally or unintentionally – by provider personnel or provider
    processes.
  • Abrogating Essential Oversight Duties – While it may seem an overly
    harsh judgment, by outsourcing enterprise security operations,
    enterprise officials are evading their duties relative to monitoring
    enterprise security and privacy standards.
  • Exercising Accountability Without Responsibility – In a managed
    security services arrangement, the MSSP is responsible for security,
    but the enterprise client remains accountable for security.
  • Evaluating Provider Performance – Today’s security environment is
    enormously challenging, with new information frontiers to secure
    like the Internet of Things (IoT), edge computing, autonomic and
    autonomous systems, and artificial intelligence. Determining
    whether a particular managed security services provider is “up to”
    these challenges is, itself, a significant challenge.

MSSP Selection


Considering the stakes – the integrity and confidentiality of enterprise
information, and the smooth and reliable operation of enterprise information
systems which support critical enterprise business functions – the selection
of a managed security services provider is a matter of strategic importance
to the enterprise, and a key predictor of enterprise success.

The search should be conducted through the enterprise request for
proposal (RFP) process, in which enterprise stakeholders, including IT,
Security, and Finance, are afforded the opportunity to probe the
credentials and qualifications of prospective MSSPs. Below are key
questions for provider candidates.[6]

Relevant Experience

  • How many outsourcing contracts do you have currently in force? What percentage of your clients renew their contracts upon expiration?
  • How many of your clients participate in similar businesses? With similar infrastructure? With similar security needs? Can you provide references?

Asset Separation

  • Are the physical assets associated with each client dedicated or
    shared? If shared, how is cross-contamination avoided?

Tier Two Providers

  • Are any subcontractors involved in service delivery? If so,
    what are their roles and responsibilities? And how are these “tier
    two” partners vetted?

Independent Evaluations

  • Do you enlist third-party providers to perform independent security
    audits? With what frequency? What did the last several
    assessments reveal?

Background Checks

  • How extensive are employee background checks? Are criminal,
    financial, and substance abuse screens standard? Are business
    partner personnel subject to the same level of pre-employment
    investigation?
  • As part of this RFP process, are key service personnel available for
    one-on-one interviews?

Personnel Training

  • What type of training do service personnel receive? How often
    do they take refresher courses?
  • Are service personnel credentialed? For example, what
    percentage are Certified Information Systems Security Professionals
    (CISSPs)?
  • Are service personnel trained to conduct forensic
    examinations? What standards are applied in the collection
    and preservation of criminal evidence? Are service personnel
    experienced in offering expert testimony?

Intellectual Property

  • Is all intellectual property created by the outsourcer on behalf of
    the client owned by the client?
  • What measures are employed to ensure that sensitive, confidential, or
    proprietary client information, such as personally identifiable
    information (PII), is safe from loss, theft, unauthorized alteration, or
    misappropriation?
  • Is all enterprise information encrypted – whether at rest or in
    transit? If not, why not?

Service Level Agreement

  • Does the standard service level agreement (SLA) provide for
    client-specific requirements? Under what circumstances can a SLA
    be amended or renegotiated?
  • What is the process for addressing alleged service violations? How are severe or protracted incidents escalated?

Crisis Management

  • If an incident becomes public, what crisis management resources are
    available to address it?
  • Are crisis communications coordinated with the affected clients?

Site Visits

  • Are unannounced site visits permitted (as a means of validating
    provider performance and the accuracy of provider information)?

Service Reporting

  • What types of information are available in standard network
    reports? How often are these reports issued? Can custom
    reports be commissioned?
  • Can trend analysis reports be generated?
  • Is real-time access to network and system security status provided
    via a Web interface?

Intrusion Detection/Prevention

  • What is the precise process for managing a detected intrusion?

Governance

  • Are managed security services managed according to a recognized IT
    and security governance standard such as the Control Objectives for
    Information and related Technology (COBIT)?

Regulatory Compliance

  • Are managed security services compliant with all relevant national
    and international security and privacy statutes, such as the US Health
    Insurance Portability and Accountability Act (HIPAA), the EU
    General Data Protection Regulation (GDPR), and the California Consumer
    Privacy Act (CCPA)? 
  • How is adherence to these standards assured and reported?

Business Continuity

  • In the event of a disaster affecting the delivery of client services,
    what disaster recovery and/or business continuity provisions are in
    place to preserve client interests and assets?
  • What is the worst case scenario for the restoration of critical
    managed security services?
  • How are clients notified about disasters (or potential disasters),
    and how are they “kept in the loop” relative to recovery options and
    recovery progress?
  • What is the disaster recovery/business continuity posture of key tier
    two providers?

Contract Termination

  • If the outsourcing agreement expires or is terminated, what is the
    process for transitioning network security support to a new provider?

Try Before You Buy

  • What types of managed security support can be provided on a trial
    basis? How are such pilots or “demos” arranged?

Technology Awareness and Preparation

What specific strategies are employed to
ensure information security in the following areas:

  • Cloud Computing?
  • Virtualization?
  • Edge Computing?
  • Internet of Things (IoT)?
  • Artificial Intelligence (AI)?


References

[1] “Managed Security Service Provider (MSSP).” Gartner, Inc. 2022.

[2] Eyal Katz. “The 9 Most Common MSSP Security Services.” Exigence Ltd.
2020.

[3] “Managed Security Service Provider (MSSP).” Gartner, Inc. 2022.

[4], [5] “Managed Security Services (MSS) Market by Security Type
(Managed IAM, Managed SIEM, Managed Firewall, and MDR), Service Type
(Fully MSS and Co-managed), Organization Size, Vertical (BFSI, Government,
and Healthcare), and Region – Global Forecast to 2026.” MarketsandMarkets
Research Private Ltd. October 2021.

[6] Adapted in part from “Request for Information (RFI) on Information
Security Outsourcing.” Network Computing | CMP Media, LLC.

About the Author


James G. Barr is a leading business continuity analyst
and business writer with more than 40 years’ IT experience. A member of
“Who’s Who in Finance and Industry,” Mr. Barr has designed, developed, and
deployed business continuity plans for a number of Fortune 500 firms. He
is the author of several books, including How to Succeed in Business
BY Really Trying, a member of Faulkner’s Advisory Panel, and a
senior editor for Faulkner’s Security Management Practices.
Mr. Barr can be reached via e-mail at jgbarr@faulkner.com.
