How easy is it to implement a managed network security service? Is integration an issue?
Integration is a big issue, but typically the most pain occurs within the IT group that is doing the handoff, because most of the time people don't want to let go of what they're responsible for. If it's an entirely new security system, it's usually better, but it can still [be] painful if there isn't a buy-in from your own IT organization. But if it is something new, it often goes well, because you're helping your own IT people.
What is a managed network security service?
It could be a company that offers anything from management of a physical network to managing security devices and other hardware, such as switches, firewalls and routers. It could also do intrusion detection or VPN management, which is huge right now because there aren't experts to manage VPNs in specific industries, like banking. Internal networking pros often don't have time to learn the latest technology or put it in themselves. Managed security services could entail just about anything across the network.
There are so many flavors of managed security. How should a company figure out which service is right for it?
I believe it all boils down to business processes. Before creating an RFP, a company needs to establish what its needs are and what it's trying to achieve, and then it needs to get feedback from providers. It's that research that's truly going to tell you whether you've found the right vendor or service. You have to ensure that what your company needs and wants is going to be provided by this service provider. That's done not only through RFP comments, but also by talking with past customers. References always say a lot, both with customers a provider has lost and the customers they have kept.
Why do enterprises use network security service providers?
Lack of expertise, usually. The second most popular reason is time, meaning if you have a security project that you have to get done quickly, it's sometimes easier to bring in an NSSP to do it. So an NSSP sets up the project, builds the system, and educates the staff.
Can network security service providers help an enterprise cut security costs?
There can be a ton of savings, depending on what your business requirements are and what your business is focused on. If you always have to have the latest and greatest cutting-edge trends, like the newest VPNs, you're going to have a definite ROI there, because you can get systems in faster. You don't have to train your own people on it first -- that's the service provider's responsibility.
What are two or three essential elements that need to be in a service-level agreement with a network security service provider?
The requirements need to be outlined in plain English, using as many pages as possible. Detail is a very good thing, especially in a service provider contract. Secondly, there needs to be a way to measure the requirements, and that needs to be in the contract. The contract shouldn't state, 'We'll provide bandwidth reporting tools.' It needs to be highly detailed as to what the tools are and how they'll be provided. Finally, there needs to be a back-out clause. In that clause, it needs to be outlined exactly how that service provider will handle the transition if that option is exercised.
First off, as an industry, I think it's always good to go through the difficult times, because you pare away the companies that are pretty much not making the grade. I think it was good for the industry to go through that. Even though jobs were lost, the low-end service providers were pushed out, as well as a lot of larger providers, due to mismanagement. Today, we have a lot more, larger companies that are doing business the right way.