Managed security services

an article added by: Frank B. at 06032007



Before bringing in outside help to manage security services, run a series of checks first, says Stuart Eaton from Centrinet.

Economic and staff resourcing factors are further driving the trend for strategic outsourcing of specialist business areas – a fact noted by Allan Carey, senior analyst for IDC: ‘The managed security services market is being driven primarily by resource constraints to capital and security expertise.’ This model, however, is not new; companies have previously outsourced functions such as legal matters, HR, recruitment, accounting and front desk security to outside specialists. The management of a company's IT security infrastructure can be seen simply as an extension of this.

The ‘managed service’ market has burgeoned with the Internet security boom because of the financial and technical problems associated with a business attempting to stay ahead of the security curve. A report¹ by Morgan Chambers further suggested that there is evidence that outsourcing, as a strategic weapon, can have a positive impact on share price – the report suggests that the difference is about 5.3 per cent above the individual sector average and 4.9 per cent above the overall FTSE 100.

Managed security is not for everybody, and we will outline the pros and cons of the strategy whilst providing pointers on what to look for in a managed security vendor.

Managed security pros

The benefits of outsourcing managed security include:

- leveraging the talents and experience of security and privacy experts to protect brand, intellectual property and revenues;
- supplementing existing security resources cost-effectively;
- implementing sophisticated security solutions;
- focusing resources on building core business, not on building a security centre or on trying to constantly stay on top of changing security threats;
- controlling and managing security spending;
- accessing a trusted advisor during security incidents;
- obtaining third-party validation and verification of the appropriateness of your security policies;
- benefiting from cutting-edge security research and development.

Managed security cons

Amongst the disadvantages of outsourcing security solutions we find:

- allowing a third party access to the ‘keys to the safe’;
- long-term, inflexible contract terms;
- that several companies in the managed security area are start-ups with an uncertain economic future;
- trust as the main barrier.

Moving to the managed model

Once a decision is taken to embrace managed security, how do you select a service provider? There are several key metrics to be checked off when searching for a good quality MSP (managed service provider):

- written service-level agreements (SLAs);
- secure financial position;
- recognised standards, e.g. ISO;
- global reach;
- high level of vendor accreditations;
- secure NOC (network operations centre);
- customer testimony.

Let us deal with each of the above points separately.

Written service-level agreements (SLAs)

The primary objective of a managed security service is to provide security services that meet the agreed business and technical requirements of the client. To facilitate this, the service provider needs to understand these requirements and translate them into measurable criteria. This allows the service provider to measure the service delivered as well as its capability and performance in providing the service. This is typically done by the use of SLAs. SLAs are a key component as they outline the shared goals and objectives of the supplier and client; without them it is all too easy for the expectations of one party to fall out of line with those of the other, leading to a breakdown in both the relationship and service.

Secure financial position

After taking the time to select a suitable supplier of managed services, the last thing you want to happen is that they go bankrupt after a few months of the contract, leaving you ‘high and dry’. Secure finances are perhaps the most important area to consider, even more so in the current economic climate. Part of the selection process here should be a check on the customer base and the length of time the company has operated within the managed service arena. Managed services, as with many areas of IT, have seen a proliferation of start-up companies with a poor commercial model that leads to the disillusionment of their client base and, therefore, ultimately to disillusionment in the managed service model. This need not be the case if care is taken when partnering with a provider. An interesting point in the financial area is that size is not always everything, as the recent WorldCom episode has demonstrated.

Recognised standards

If a company, particularly a service provider in this case, is awarded an ISO 9000 certificate, it can demonstrate to its customers that it is in possession of a documented quality system that is being observed and continually followed. ISO 9000 standardises the services of the company or organisation. One of the benefits of obtaining an ISO certificate is that the company is distinguished as a supplier of superior quality services and can display their commitment to a quality product. Partnering with a managed service provider that has made this investment in international standards allows us to have increased confidence in the products and services supplied. Assurance of conformity can be provided ordinarily by manufacturers’ declarations or by audits carried out by an independent agency.

Global reach

A correctly scaled managed firewall or VPN (virtual private network) service allows companies to take advantage of the inherent benefits of a well-designed, secure firewall deployment within their enterprise. Further to this, partnering with a service provider that can boast current global deployments gives us the flexibility to expand outside of our home country without the headache of understanding the creation of a secure communications platform. Without this global reach we are in danger of missing out on the intrinsic and compelling benefit of IP (Internet protocol) VPN, which is that it’s a simple way to securely connect outlying sites. Having this power enables the rapid deployment of tactical offices and can further facilitate teleworking. An MSP with global reach will also have knowledge of global support and the ability to liaise with, and at times manage, multi-ISP (Internet service provider) relationships. Care should always be taken to partner with an MSP that allows your business to realise its growth potential and not hinder it through poor global experience.

Vendor accreditation

The vendor accreditation aspect again links back to an MSP’s investment in the service they supply. Good levels of accreditation with the software or hardware vendor they manage will give the MSP a level of access to the vendor’s R&D function, Beta programs and early release software. In turn, this allows the MSP to fully develop their offering and to ensure that they are not caught out by service or feature pack updates that may have an impact on the security of the service. In attaining a level of accreditation, an MSP is required to meet specified standards and program protocols; these may include a minimum level of accredited and trained staff or a target number of customers subscribing to the service. Once again, when looking for a suitable service provider, accreditations and/or ISO standards give a good indication of the level of service you can expect to receive.

Secure NOC (network operations centre)

When outsourcing the management of your firewalls/intrusion detection systems to an MSP, a minimum component must be that they have a secure operations centre from which they can monitor, manage and administer your firewalls. When looking into any managed service contract, a trip to see the NOC should be a consideration. A good NOC should contain elements of CCTV, card readers and airlock door configurations in their security make-up. This ensures that only authorised staff will have access to key information. A well-conceived, secure NOC is a strong indication that the service provider takes security seriously. This is one of the key metrics when selecting a partner.

Customer and industry testimony

An MSP that conforms to most, if not all, of the points raised above is likely to have a mature installed user base that can vouch for its competence. Any managed service organisations that receive glowing references from both customers and industry peers are likely to make full use of them in corporate literature, websites and advertisements. MSPs are only too happy to let prospective customers see their testimonial sheets as it gives a valuable comfort factor and can often be a crucial element in developing the trust that has to exist prior to embarking on a managed service contract. Customer case studies and testimony can allow prospective clients to view the type of implementations a given MSP has been successful in deploying. It can also be an indicator of the vertical markets an MSP has experience in. This can be particularly important within certain sectors such as government or military.

Conclusion

Outsourcing security technologies is an increasing trend and one that seems set to continue. It is one of the fastest growing markets in the IT sector, with more than US$250 million of venture capital having funded US managed security start-ups in the last year. IDC expects the global market for security services to grow to US$16.5 billion by 2004 from US$4.8 billion in 1998. When looking to utilise the skills of an MSP, companies should take the time to investigate vendors thoroughly. With the right choice, an MSP is a business partner who can shoulder the responsibility of an organisation’s security management and incident response, thus enabling the company to operate confidently in today’s connected business environment.

Centrinet are a leading provider of Internet and network security solutions based on the innovative use of the best products and services. Our passion for customer service and technical excellence, combined with a no-nonsense approach to business, provides our clients with a refreshing and unique experience.

For further information contact: Centrinet Limited, Witham Park House, Waterside South, Lincoln, Lincolnshire LN5 7JN. Tel: +44 (0)1522 559 600; Fax: +44 (0)1522 533 745; Email: enquiries@centri.net; Website: www.centri.net
