This article takes you on a comprehensive tour de force of Managed Security Services (MSS). Learn why organizations outsource security services, how they select providers, how the two sides work together and where the pitfalls are, even when all necessary steps were taken to ensure a successful project/service.
Reasons for External Security Service Provider
Let’s say your company — often the IT department — has decided to purchase security services from a commercial security service provider and signed a service agreement with them. The reason why this is happening more and more frequently these days is the expectation to achieve one or more of the following:
- Potential cost savings by lowering total cost of ownership (TCO – hardware, licenses, staff)
- Better quality of service in terms of availability, i.e. extended service times (24 x 7)
- Better quality of service in terms of technical capabilities
- Better quality of service in terms of deliverables (e.g. reports, alerts, response times to service requests)
- Better performance (e.g. by powerful state-of-the-art technology from service provider)
- Better scalability to accommodate expected growth in IT environment (e.g. due to mergers and acquisitions)
- New security service, which your own company was unable to implement and support with internal capabilities, or which you couldn’t afford previously
- Your company failed to consolidate, align with, and enforce consistent and/or global security processes and procedures and hopes that an external security service provider will achieve this
- Your company’s overall IT service provisioning strategy is based upon external partners and service providers
All of these are legitimate and understandable motivations. Regardless, your company wants to make sure it gets what it has paid for and agreed with the service provider. Let’s assume your service provider has been successful with standing up the contracted services and they are in production for a couple of months: Are you able to tell which of the above expectations have been met so far, and to what extent?
You may be able to answer this question if you carefully consider the following recommendations while selecting a security service provider and negotiating the contract.
Understand Your Current and Future Security Needs
You may have read the sales documents, white papers, service descriptions, case studies, success stories or other material from the service provider regarding the capability of their service offering.
One piece of advice is to purchase what you know you need today to address known issues or company security requirements. Don’t buy what you suspect you might need some time in the future. Instead, make sure you choose a service offering that scales and is able to grow (and shrink) along with your company’s unknown future needs.
Understand Your IT Operations Environment
Information security is usually part of a bigger organization that has established IT service management processes and procedures, which security services might need to interface and/or integrate with. Commercially and process-wise, it makes no sense to operate security services in isolation from other IT services in your company. You should evaluate security services and providers on whether, and to what extent,
- They are able to integrate with your service management framework;
- They are able to integrate with your systems management framework; and
- They support your existing major software and hardware platforms
Choose a Trustworthy Service Provider
You should be sure that the intended security service provider will not disappear from the IT landscape, at least for the duration of your service agreement with them. You should be confident that the provider has the right and sufficient personnel to deliver promised services. If your company has already contracted other IT service providers, it might be a benefit to choose one of those to limit the overhead for managing third parties – provided you are confident that the portfolio and quality of security services meets your requirements. When going into negotiations with security service providers, ask for references for projects/service contracts with other clients of comparable size and complexity.
Make Your Service Provider Understand Your Expectations
Anybody who has managed a project, especially a project that failed or left behind a dissatisfied client, knows how important it is to manage expectations. When you are going to purchase security services from an external provider, it’s in your interest that both partners feel happy with and benefit from the agreement you are about to enter. This can only be achieved if few “surprises” occur during the term of your service agreement.
Circumstances you can’t control, e.g. mergers or acquisitions affecting you or your service provider and impacting service quality or the relationship, may occur. However, a common source of avoidable “surprises” are ambiguous terms, i.e. unclear, imprecise, incomplete formulated requirements and assumptions made by either party. Therefore, put all your expectations on the table, ideally in written terms, and organize workshops with your service provider candidates until they understand precisely what you expect from them and confirm they are able to deliver the service accordingly. If they deviate from your expectations, understand how and decide if this is acceptable for you.
This phase is sometimes referred to as “due diligence.” If you have several potential providers on the radar, a thorough due diligence process will most often help you to find the best fit.
Make Your Service Provider Understand The Regulatory Constraints of Your Company
Nowadays, many companies need to adhere to compliance requirements. Whereas many compliance requirements target business processes, a certain portion of them also impact IT services and IT service processes, in particular because IT supports and is linked with business processes. In addition, data protection and privacy laws define rules and limits for gathering, storing, processing, analyzing and reporting information. Last but not least, your company’s policies and standards constitute another set of rules, which are mandatory and may impose limitations when selecting your security service provider.
To manage this, reserve the right for regular (e.g. annual) assessments/audits of the service and supporting infrastructure and personnel. Ask for references.
Compliance needs may also dictate the architectural design and operating model of the security service. The two most important components are:
- Location of IT infrastructure required for the security service: Commercial service providers operate infrastructure in their own (or leased) premises, which they can use to provide the service to their clients. However, use of IT infrastructure at provider locations requires that company data is allowed to leave the internal network and be exported to the provider. Even if the provider has “secure” means to safeguard the network connection while the data is in motion and at rest, your company’s policies may not allow for this. If this is the case, you need to provision the required infrastructure for your service provider at your own premises. This creates an obvious increase in cost, in particular during the run and maintain phase.
- Leveraged versus dedicated service model: Commercial service providers typically try to share their infrastructure and support staff across multiple clients. This allows them to offer their services at lower prices. Your company’s policies may not allow for this. In particular, if the service provider is serving other companies from the same industry sector (competitors to your company), it is often seen as unacceptable that information of competing companies is stored on the same hard discs, backed up to the same tapes and accessible to the same support staff. The service provider may be able to offer you a dedicated service where such sharing of resources does not take place. However, as a rule of thumb, the fewer shared resources you leverage, the higher the cost for the service.
Agree Upon the Deliverables of the Service (What – When – How)
Deliverables must be described in as precise a way as possible and contractually agreed upon. In addition to the operation and maintenance of security tools, which form the basis for the security service provisioning, examples of deliverables include:
- Security notifications, warnings, and alerts (from a network intrusion detection service (NIDS) or a security information and event management (SIEM) system)
- Security and compliance reports (from a SIEM or a technical compliance service)
- Reports about security gaps and weaknesses (vulnerability assessment service)
- Keeping your network up-to-date with virus definitions (anti-malware service)
- Creating, maintaining, disabling and deleting user accounts (user account provisioning service)
Other important characteristics of your services should be:
- Service Times. When purchasing a new service, you need to make sure that the contracted service times meet the requirements of your company. In particular, if your company has a global footprint, you will often have the need for a service on a 7 x 24 x 365 basis.
- Service Languages, i.e. which languages the service provider will be able to understand and respond to. This is particularly important if the service is end-user facing and you need to make sure that employees from different countries can use the service. Assuming that all employees will be able and willing to deal with the service provider in English is often wrong.
Both of these will play a role in the acceptance of a service, especially if end users are involved.
Agree upon the Service Quality, Metrics and Penalties
In order to ensure that the service will be provided at your expected level of quality, you must explain your expectations to your service provider. Don’t assume that you and your service provider have the same understanding of terms like “good,” “timely,” “comprehensive,” “frequently” and the like. Be as precise as possible and say what you want to measure, how you want it to be measured and what values (e.g. numbers in % or absolute counts) you expect the service provider to achieve.
When you are in agreement with your service provider, add these details into the contract.
Service contracts usually define Service Level Agreements (SLA) and/or Key Performance Indicators (KPI) for measuring the service quality. Typical things measured with SLAs are:
- Service Availability, i.e. the time (usually expressed as a percentage) during which the service was actually available during the agreed service times;
- Response Time, i.e. how fast the service provider was in responding to service requests; and
- Resolution Time, i.e. how long the service provider needed to solve an issue.
Response Time and Resolution Time are of particular interest when the service is end-user facing, in which case service requests are telephone calls, emails or incident tickets received from users. The basis for the SLA calculations in such cases is usually the incident tickets from ticketing systems, where incoming requests are logged with a time stamp and the service provider regularly updates the ticket when actions are taken to resolve the issue. Comparing the time stamps from the various stages of an incident ticket yields the values for the response and resolution time.
In reality, defining a measurement method can be very difficult. The values you expect the service provider to achieve are usually referred to as “SLA targets.” SLA targets should be:
- Realistic. They must be achievable with reasonable effort under normal conditions
- Challenging. The service provider should not be able to meet them unless it consistently delivers acceptable quality.
To ensure that the service provider will strive to achieve the quality goals set forth in the SLAs, you should mutually agree upon penalties the provider incurs when SLAs are missed. Penalties should not be used to put unreasonable pressure on the provider or your partnership. You should allow the provider to correct the causes of SLA failures and get back to SLA achievement in the following measurement cycle. You should also allow a certain (low) number of cases where the SLA target is missed, but the overall SLA is still considered achieved. In case of repeated SLA misses, penalties should start going into effect.
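The ticket-based measurement method above and the "allowed misses" rule for SLA targets, worked through as an added example (not code from the article). The ticket records, target values and the ISO-style time stamp format are constructed assumptions; a real ticketing system export would have its own fields.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample tickets for one measurement cycle (not from any real system).
# Each tuple: ticket id, opened, first provider response, resolved.
SAMPLE_TICKETS = [
    ("INC-1", "2024-03-04T08:00", "2024-03-04T08:10", "2024-03-04T09:30"),
    ("INC-2", "2024-03-04T09:15", "2024-03-04T10:05", "2024-03-04T11:00"),  # slow response
    ("INC-3", "2024-03-04T13:00", "2024-03-04T13:05", "2024-03-04T19:00"),  # slow resolution
    ("INC-4", "2024-03-05T07:45", "2024-03-05T07:50", "2024-03-05T08:20"),
]

@dataclass
class SlaTarget:
    name: str            # "response" or "resolution"
    max_minutes: int     # the agreed SLA target for this metric (assumed value)
    allowed_misses: int  # misses per cycle that still count as SLA achieved

def minutes_between(start: str, end: str) -> float:
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 60

def ticket_metrics(tickets):
    """Derive response and resolution time per ticket by comparing its stage time stamps."""
    return {
        tid: {"response": minutes_between(opened, responded),
              "resolution": minutes_between(opened, resolved)}
        for tid, opened, responded, resolved in tickets
    }

def evaluate_sla(metrics, target: SlaTarget):
    """Return (achieved, misses, percent_within_target) for one measurement cycle.

    The SLA counts as achieved when the number of tickets exceeding the target
    does not exceed the agreed number of tolerated misses.
    """
    values = [m[target.name] for m in metrics.values()]
    misses = sum(1 for v in values if v > target.max_minutes)
    percent = 100.0 * (len(values) - misses) / len(values)
    return misses <= target.allowed_misses, misses, percent

if __name__ == "__main__":
    m = ticket_metrics(SAMPLE_TICKETS)
    for target in (SlaTarget("response", 30, 1), SlaTarget("resolution", 240, 0)):
        achieved, misses, pct = evaluate_sla(m, target)
        print(f"{target.name}: {pct:.1f}% within {target.max_minutes} min, "
              f"{misses} miss(es), SLA {'achieved' if achieved else 'MISSED'}")
```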
Penalties do not necessarily have to be financial, at least not in the first instance. Improvement plans and projects conducted by the provider (at no additional cost to you) to rectify service provisioning and get back on target might be a more constructive approach. However, financial penalties should be a means to ensure the service provider does not come to the conclusion that it is better to pay the penalties for missed SLA targets than to provide the service at the agreed quality levels. It is quite common for financial penalties to increase month after month if the service provider continues to miss the SLA targets. If you get to this stage with your service provider, you might consider involving your company’s legal department and having them assess whether the contract has been breached.
Key Performance Indicators (KPI) are usually complementary means to keep the service in good shape. Whereas they are often not associated with penalties, at least not with financial ones, they still represent a means to ensure that the service provider performs at expected quality levels. If the service provider disregards agreed KPIs, your contract should foresee the option to promote KPIs to SLAs and associate penalties with them. If this becomes necessary, it certainly expresses your dissatisfaction with the quality of your purchased services. However, it might also be necessary due to security requirements or other aspects that have changed over time and could not be anticipated at the time the contract was written.
Last but not least, many contracts have a built-in (slight but steady) increase in their SLA and KPI targets. This mechanism ensures a constant service improvement over time.