Businesses today have myriad information security demands. From personally identifiable information to payment card data to intellectual property, businesses need to secure many types of data to meet compliance regulations, protect their brand and safeguard their customers’ information. But cost, staff resources and know-how can hinder many businesses—particularly small to medium-sized organizations—when it comes to data security.
Engaging with a Managed Security Services Provider (MSSP) to support such information security needs can offer many benefits:
- Cost savings: Costs for managed security services (MSS) are generally lower than hiring in-house full-time experts. MSSPs are able to spread their investment in infrastructure and people across hundreds and thousands of clients.
- Staffing: A shortage of qualified security personnel puts heavy pressure on businesses of all sizes to recruit, train and retain security staff.
- Skills and security awareness: Because of their focus and their wider installed customer base, MSSPs have better insight into evolving security threats, both directly and indirectly.
MSSPs provide objectivity, independence, dedicated facilities, and round-the-clock service. Whether the challenge is meeting PCI DSS requirements or managing multiple security technologies across many locations, MSSPs can help overcome the challenges of the three C’s: cost, compliance and consolidation.
Cost of an Information Security Budget
Whether it’s the cost of a device, or the cost of staffing the IT department to manage it, network and data security can be expensive. For many businesses, the price tag of a log management appliance or Web application firewall may be too large an investment for limited IT budgets. And, really, isn’t a network firewall solution enough?
Unfortunately, a firewall isn’t enough. When a business relies only on the most basic security measures, it’s like locking the front door of a house but not the back door or the windows. Customer data is as easily stolen as the flat screen in the living room. Beyond the loss of data, companies can also suffer loss of reputation and brand trust—perceptions that take years to build and only minutes to lose.
As a business grows, it also becomes more costly to manage an expanding network with additional complexity. A recent survey of IT and security professionals by InformationWeek revealed that managing the complexity of security is far and away the greatest challenge that midsize IT organizations in particular face. [1]
Maintaining staff resources to manage data security initiatives can also be cost-prohibitive, especially in the face of tight budgets and insufficient funding. The sheer amount of data available through logs and across systems can be difficult to manage, even for an experienced IT professional. Few small to medium-sized businesses have an adequate pool of IT security experts to manage security hardware and infrastructure.
Lowering Costs with Managed Security Services
The act of protecting sensitive information and proprietary data doesn’t have to be costly. With a reputable, experienced MSSP, a business can obtain high-quality and scalable technology for a lower cost, typically through monthly fees that are more easily absorbed by the business. In many cases, MSS technology can be delivered via the cloud or over a single device, as is the case with Unified Threat Management (UTM) appliances. This can eliminate the costs of managing individual security point solutions, along with ripping, replacing and maintaining expensive hardware in the server room.
An MSSP is also in a better position to hire and maintain IT professionals with both wide-ranging and in-depth security expertise. With managed security services, businesses get all of the benefits of a highly skilled information security team without the cost of staffing and maintaining a full, in-house team. An MSSP can increase monitoring support and network reliability due to more uniform coverage—all at a reduced cost.
Overall, cost-savings estimates realized from engaging an MSSP range from 17 to 20% for 8×5 support to as much as 65 to 75% or more for 24×7 support. [2] In addition, further cost savings may be possible for businesses that maintain multi-site data networks, as a result of the consistent, uniform support an MSSP provides.
Compliance Demands
Industry and government regulations frequently drive data security initiatives. Businesses with only a small IT staff, or without the on-staff expertise required for a compliance project, may be overwhelmed by the process and scope of efforts to comply with the ever increasing number of regulations and requirements, including:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA) or Health Information Technology for Economic and Clinical Health (HITECH) Act
- Gramm-Leach-Bliley Act (GLBA) Safeguards Rule
- Sarbanes-Oxley (SOX) Act
- Federal Information Security Management Act (FISMA)
- National Institute of Standards and Technology (NIST)
- Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
- European Union Policy Directive
- Data privacy laws
Additionally, non-compliance with industry regulations can prove detrimental to business. For example, the PCI DSS mandates that organizations that process credit and debit cards must maintain a firewall. But in 2010 incident response investigations, Trustwave’s SpiderLabs found that 97.5% of breached organizations did not have a firewall policy that properly protected the payment environment at the network border.[3] Of those organizations, 84% lacked a firewall completely. This can lead to the theft of valuable payment card data.
Compliance Benefits of Managed Security Services
MSS solutions help simplify the reporting process for regulatory compliance and audits. Technology required by regulations is more easily obtained and implemented through an MSSP, often with preset reports that map to specific compliance requirements. Log management services, such as a Security Information and Event Management (SIEM) solution, often offer pre-defined reports for PCI DSS, GLBA, FISMA, SOX, NIST and HIPAA requirements.
An MSSP can typically implement a compliance solution across a business’s computing environment much more quickly than the business could on its own, which matters when an aggressive compliance deadline or mandate must be met. Further, an MSSP can help ensure that the correct configuration of security controls required by industry regulations, such as the PCI DSS mandate to maintain a firewall, is maintained at all times.
Consolidation: Is it Possible?
Finely tuned and advanced technology solutions exist for every layer of your information technology network. But how many security controls and devices do you need to implement a security infrastructure that meets your business’s information security needs? Managing and monitoring numerous devices and security controls can be overwhelming for an unprepared business.
We also frequently find, in working with our clients, that older devices and systems with dated technology are neglected and not decommissioned properly by businesses with large inventories of network assets. Many of these older devices have major vulnerabilities associated with them. While building and maintaining a complete asset inventory can help reduce the risks of such vulnerabilities, businesses can take this a step further by using the hardware and services of an MSSP, where vulnerability checks and patch updates are performed on a regular basis. Hardware and software refresh support is also typically built into an MSSP’s service plans.
Consolidate for Visibility and Management Oversight
Consolidation of security devices and services is a maturing trend, enabling businesses to deploy many technologies on a single device. A UTM device, for example, can consolidate firewall, VPN, intrusion prevention, anti-virus, Web filtering and extended services, such as rogue device detection and vulnerability scanning, in a single security gateway. This allows businesses to aggregate both existing and future security services on one device for simplified deployment and administration, while saving on space and power usage. MSSPs, as new security services become necessary and available, can easily extend the capabilities of UTM devices, further improving ROI.
MSSPs also offer services that normalize, correlate and analyze information from a broad range of devices and systems using SIEM technology. This provides more effective threat detection than a single business can achieve in isolation. Simply put, MSSPs provide consolidated management support that the customer can observe and track in one place, typically via dashboard-style reporting.
Risk Management and Data Security ARE Achievable – And You Don’t Have to Blow the Budget
Affordable managed solutions are available for any organization struggling to implement and maintain a strong information security program – you just have to know what to look for. In meeting the challenges of cost, compliance and consolidation, key features of a good MSSP should include:
- Low-cost fees and subscriptions
- Flexible options that don’t require outright purchase of hardware
- Security experts available 24x7x365
- Easy, comprehensive reporting for compliance and audit support
- Visibility into security event activity and the performance of MSS solutions
Building a strong information security infrastructure is challenging, whether a business has a fluctuating budget, needs to meet various industry regulations for data security, or has many disparate systems and devices.
With an MSSP, complexity becomes, well, less complex. Lower costs, dynamic reports for compliance and audits, and fewer devices to manage are all benefits of using managed security services. And reducing complexity frees up the business to focus on what really matters, from helping customers to meeting revenue goals and everything in between.
Sources:
[1] Strategic Security Survey: Midmarket – Five Big Problems and Five Ways to Cope. InformationWeek Analytics. April 2011.
[2] Various industry sources.
[3] Trustwave’s 2011 Global Security Report.