Guide to outsourcing
By Drew Savage, Global Alliances — MSSP Manager, Fortinet Inc.

General News Wednesday November 7, 2007 14:28 —PRESS RELEASE LOCAL

Bangkok--7 Nov--At Your Service

1. What are the questions that IT managers should be asking before outsourcing security? (Questions with comments)

With the often bewildering flood of buzzwords, hype and general security “wow” factor around emerging threats, and the complexity of infrastructure and applications for businesses of all sizes, it is often very difficult to determine the best course of action when considering outsourcing your security. There are several questions you should be asking your provider when selecting a vendor for your outsourced security needs.

What is the underlying technology you use to deliver Managed Security Services, and will it protect me against future / emerging threats to my business?

While the latest security threat and hype often keeps me from sleeping at night, make sure these emerging threats apply to your business and that you have an actual need to mitigate a particular risk. By the same token, examining your entire set of applications / infrastructure to determine exactly which managed services are needed, and when, as your requirements / threats change is a daunting task. To protect against the unknowable or unknown aspects of your current and future infrastructure, ensure that the platform your provider utilizes is multi-service and innovation driven. Security technologies have been consolidating from “Product” to “Feature” with such rapidity that it is often a matter of reading through 3 months of security publications and distilling the various opinions, and the matter is settled by an innovative multi-capability security product: hype mitigated as a software upgrade to already deployed units in the field. Ensure your managed security provider can evolve with the dynamic nature of the security market.

My security requirements are driven by only a few applications; will a suite of services completely meet my needs?

As an example, let's suppose you have an impending VoIP roll out - should you layer on security?
As the primary project in this example is a conversion to outsourced VoIP, security is often an afterthought. The introduction of any additional security risks should never be viewed as an afterthought. It is far more cost effective to implement both solutions from one provider than to go back and add security at a later date. Determine if there is an increase in risk to your infrastructure and, if so, look to the bundled VoIP + MSSP as your quickest-to-implement, most cost-effective solution. The same would apply for other non-security managed services that you are considering.

I wish to outsource my security as well as other portions of my infrastructure; do you have the solution breadth to meet my needs?

Often there are many components of your business that make good targets to roll under one managed services provider. Weigh the trade-offs of enlarging an already complex outsourcing project against the cost of implementing a series of complex projects. Often there is much to be gained by outsourcing the management of several aspects of your infrastructure and many components of your security needs to one provider. Overall this is shown to decrease cost and reduce the time to deploy new / upgrade systems and applications.

The most important factor in considering an MSSP - regardless of whether they are a pure-play MSSP or another managed services provider with a suite of multi-threat security services and many more solutions to offer - is whether you can trust them. Trust in this instance takes many forms. Can you trust them to provide the appropriate level of risk avoidance? This element is critical to get right: are there enough security capabilities? Is there something I can do without that will not adversely impact your business? Working with a trusted partner to determine the answer to these questions is the most important first step leading to a good experience when outsourcing your security needs to an MSSP.

2.
How can they test the vendor’s capacity and true capabilities before taking the plunge?

- Ask for a free trial
- Ask for a portal demonstration
- Ask for a walk through of the security reports
- Ask for a walk through of the notification capabilities
- Ask for a walk through of the SLAs

Many of today's Managed Security Providers offer a "free trial" or similar mechanism to test the service before signing an extended contract; a prospective end user should ask if there is any option for a "trial" period for the managed security services.

The heart of any managed security service is the reporting, portal and notification that the subscriber receives as a part of the service. Ask your prospective MSSP to provide a demonstration of the reports associated with each of the security offerings. Ensure that the information the MSSP presents in its security reports is easily understood, in some cases actionable, and segmented to each location where the security services are delivered - one global report for a multi-location business that shows 10 "critical events" "somewhere" among your locations is actually counterproductive.

Review the MSSP's mechanism and sample content for any notification features of the Managed Security Service. There are events with any security service where it is in the end user's best interest to have real-time communications from the provider. For example, if there is a DoS attack against your hosting center that, while mitigated, is still impacting the quality of your web-based applications, it should be a requirement for the MSSP to notify appropriate resources within your organization, so that should the attack escalate, the subscribers are informed and can execute any additional mitigation steps that may be required.
A portal that can be accessed anytime / anywhere by selected resources is critical for a smooth-running outsourced managed security project. When asking for demonstrations of the reporting and notification features and capabilities, ask for a walk through of the portal and all of its capabilities as well.

SLAs are critical to understand. Ask your prospective MSSP to walk through the SLAs and explain in detail what is and what is not covered. Also ask the MSSP to clearly explain any recommendation processes and escalation procedures.

3. What would be the processes to adhere to during the phases of knowledge transfer?

Of primary importance, particularly for the multi-location business, is a designated single point of contact from the MSSP as well as from the end user to coordinate all efforts for the outsource roll out. Generally this resource should be programmatic in nature; while security / technical expertise is a nice-to-have, a resource that can map project milestones to deliverables on both sides is the most important factor in a successful outsourcing of your security. At a high level, the following major milestones should be followed:

- Solution development
- Proof of concept
- Solution acceptance
- Determination of priority for where each location falls in an overall timeline
- Timeline acceptance
- Roll out

These milestones should be clearly communicated to a focused team. This team, comprised of MSSP and subscriber resources, should have weekly meetings to ensure that any gaps are recognized and removed.

4. Should outsourcing occur as a compulsorily phased approach or can it be done as a Big Bang?

There are several factors that drive the preferred roll out / scheduling of an outsourced security engagement. A phased approach should always be a requirement. The following will factor into a preference.

Solution components

When a multi-location business is adding VPN, as an example, a phased approach is a requirement.
The "Head End" must be deployed first, with the remote locations being migrated in order of importance. If the project is to replace a firewall with another firewall solution and no "down time window" can be found, it is critical to run the legacy and new solutions concurrently and migrate to the new solution in phases so as not to adversely impact the applications and services you are trying to protect. If multiple security technologies / capabilities are to be implemented, it is incumbent on the provider to ensure interoperability. For example, if the solution includes Antivirus, Web Filtering, Intrusion Prevention, Firewall and Antispam, the provider should deploy the entire solution set at one time to reduce the time of the integration phase.

MSSP go to market

Currently many cutting-edge MSSPs are moving to an "on demand" delivery method. When your prospective MSSP is of this genre, an all-at-once deployment is a primary feature of the service and should be a requirement. Examine closely your timeline requirements and choose your preferred method, big bang or rigorous program - there are MSSPs that specialize in both deployment methods.

Your timelines

Often there are pressing timelines for your deployment. If timing is important to your selection of an MSSP, make sure that this aspect is examined very early in your vendor selection process.

Non-security solution components

If, for example, you are migrating your legacy WAN to an Internet Access plus MPLS or IPSec VPN private network, the new circuit will be installed on a worldwide average of 35 days after the order is placed. While this might not be an issue if you are selecting an MSSP that only offers managed security and no other IT services, there are often "waiting periods" while the infrastructure components, security devices and subscription services are ordered.
Providing required information to the MSSP

Often the resources required to provide information to the MSSP are in multiple locations and have multiple backgrounds. Generally, gathering the information that allows the MSSP to rapidly and accurately create the standard solution for you is the most difficult aspect of an outsourced security project. It is critical to provide the MSSP with all the required information, as well as to inform the MSSP of custom applications or other unique aspects of your organization, so they may include those considerations in the first revision of their proposed solution.

5. How can an IT manager and team decide what to outsource and what to keep indoors? What should be the basis for deciding the same?

This presents a challenge to the manager of the team as well as the individual team members.

IT Manager - The first question you should answer: how will this security outsource project impact my strategic plans? For example, if you have resources that are spending 20 hours a week examining Firewall / IPS logs and alerts, how could your organization better utilize those resources when they are freed up from that duty? Do you have a VoIP roll out on the horizon, and could the "freed" resources accelerate that project? Will egos be hurt to the point where you might lose valuable resources by selecting someone's "baby" technology? If you lose those valuable resources, will it adversely impact tactical and strategic IT goals? At the end of the day, all outsourcing decisions are based on your ability to provide risk mitigation to your organization in a cost-effective way. Determine if you are going to obsolete any resources you may have, and whether it is better to redirect those resources or remove them. What are your / your team's actual skills? While many IT resources style themselves as security experts, this is often simply not true. While being able to examine firewall logs, policy, design etc.
is a valuable skill, it does not make a modern security expert. With the continuing trend of combating blended threats, that firewall "expert" really must have an in-depth understanding of IPS, Antivirus, Antispam, and Web filtering attacks and their mitigation to be truly effective. Reaching this level of expertise takes many years of experience by an extremely sophisticated / capable resource.

Team - Job one: gain agreement on priority. Determine which aspects of your security are "off limits" and clearly articulate why this is so. Many times IT organizations see outsourcing as a "threat". Find out who and what is threatened and make a business decision based on this input. This is not to say that just because administrator A wants to protect "his" firewall the team just nods and passes this through, but the objection should be discussed by the team and rationalized, and a decision taken.
