In addition to asking about pricing and security expertise, agencies should check out prospective managed-security service providers (MSSPs) in these areas:
1. Support for security technologies the agency owns.
Most agencies have made significant investments in security technologies in recent years, which means they shouldn’t be forced to undergo forklift changes to their current security architecture to accommodate the technology expertise of an MSSP, said Grant Geyer, vice president of Symantec Managed Security Services.
2. Staffing resources, especially during a crisis.
Because fast response to secu-rity questions and new attacks is important, large agencies should make sure an MSSP is equipped to handle its volumes, he said.
3. Track record.
Visit the service provider’s security operations center for a firsthand look at its technology, and ask the staff to show examples of how they’ve responded to real-world incidents, Geyer said.
— Alan Joch
Until a year ago, the city of Seattle had to provide lots of care to the technology it used for screening its e-mail inboxes from annoying, and sometimes, harmful messages. In the end, the commercial application the city was using wasn’t as effective as the city needed, said Michael Hamilton, the city’s chief information security officer.
But today, an e-mail-filtering service hosted by Postini, a subsidiary of tech giant Google, screens incoming messages, traps junk mail, quarantines infected messages and sends a small digest of the daily catch to city information technology staff members. In addition to stemming the spam flood and allowing IT workers to focus on more productive duties, the service has been significantly more effective in stopping viruses.
“Local government doesn’t have the resources to throw at a problem like this, so it’s a better value proposition for us to leave it up to the experts,” Hamilton said. “This experience has opened up the city’s IT leadership to the value proposition of managed services.”
Managed-services providers have been helping public-sector agencies offload routine IT tasks for years, but until recently, some agencies balked at trusting third parties with something as crucial as security. That’s changing as IT managers in local governments and federal agencies alike are looking to managed-security service providers (MSSPs) to help them rein in costs, cope with shortages of technical talent and keep pace with the endless stream of new vulnerabilities.
However, CISOs and others warned that financial savings and protection levels can fall short of expectations when agencies don’t account for hidden costs and service-level agreements (SLAs) lack detailed performance measurements.
“The biggest challenge is understanding exactly what you’re contracting for, and where the risk transfers are in that relationship,” said Ron Ritchey, a principal at consulting firm Booz Allen Hamilton. “It’s easy for an agency to believe it’s eliminated risk, but through the misalignment of the contracted service and the provided service, that might not be the reality.”
Many choices One measure of growing MSSP acceptance comes from forecasts of federal government spending in the next five years on security services. Public-sector company Input projected a compounded annual growth rate of nearly 8 percent through 2013, which would bring spending to $9.6 billion.
Digg
De.licio.us
Slashdot
Technorati
