2016-04-28

This article takes you on a comprehensive tour of Managed Security Services (MSS). Learn why organizations outsource security services, how they select providers, how the two sides work together, and where the pitfalls are, even when all necessary steps were taken to ensure a successful project or service.

Reasons for External Security Service Provider

Your company — often the IT department — has decided to purchase security services from a commercial security service provider and has signed a service agreement with them. This is happening more and more frequently because companies expect to achieve one or more of the following:

Potential cost savings by lowering total cost of ownership (TCO – hardware, licenses, staff)

Better quality of service in terms of availability, i.e. extended service times (24 x 7)

Better quality of service in terms of technical capabilities

Better quality of service in terms of deliverables (e.g. reports, alerts, response times to service requests)

Better performance (e.g. by powerful state-of-the-art technology from service provider)

Better scalability to accommodate expected growth in IT environment (e.g. due to mergers and acquisitions)

New security service, which your own company was unable to implement and support with internal capabilities, or which you couldn’t afford previously

Your company has failed to consolidate, align with, and enforce consistent and/or global security processes and procedures, and hopes that an external security service provider will achieve this

Your company’s overall IT service provisioning strategy is based upon external partners and service providers

All of these are legitimate and understandable motivations. Regardless, your company wants to make sure it gets what it has paid for and agreed upon with the service provider. Let's assume your service provider has successfully stood up the contracted services and they have been in production for a couple of months: Are you able to tell which of the above expectations have been met so far, and to what extent?

You will be better able to answer this question if you carefully consider the following recommendations while selecting a security service provider and negotiating the contract.

Understand Your Current and Future Security Needs

You may have read sales documents, white papers, service descriptions, case studies, success stories or other material from the service provider regarding the capability of their service offering.

Purchase what you know you need today, e.g. to address known issues or company security requirements. Don't buy what you suspect you might need some time in the future. Instead, make sure you choose a service offering that scales and is able to grow (and shrink) along with your company's unknown future needs.

Understand Your IT Operations Environment

Information security is usually part of a larger organization that has established IT service management processes and procedures, with which the security services may need to interface or integrate. Commercially and process-wise it makes no sense to operate security services in isolation from your company's other IT services. You should therefore evaluate security services and providers as to whether, and to what extent,

they are able to integrate with your service management framework,

they are able to integrate with your systems management framework, and

they support your existing major software and hardware platforms.

Choose a Trustworthy Service Provider

You should be comfortable that the intended security service provider will not disappear from the IT landscape, at least for the duration of your service agreement with them. You should be confident that he has sufficient and suitably qualified personnel to deliver the service he promises. If your company has already contracted other IT service providers, it may be beneficial to choose one of those, to limit the overhead of managing third parties – provided that you are confident that their portfolio and quality of security services meet your requirements. When going into negotiations with security service providers, ask for references for projects or service contracts with other clients comparable in size and complexity to your company.

Make Your Service Provider Understand Your Expectations

Everybody who has ever managed projects, especially projects that failed or left behind a dissatisfied client, knows how important it is to manage expectations. When you purchase security services from an external provider, it is in your interest that both partners are happy with and benefit from the agreement you are about to enter. This can only be achieved if as few "surprises" as possible occur during the term of your service agreement.

Circumstances may arise over which you have no influence, e.g. mergers or acquisitions affecting you or your service provider and impacting service quality or your commercial relationship with your provider. However, a common source of avoidable "surprises" is ambiguous requirements, i.e. requirements formulated unclearly, imprecisely or incompletely, together with the conclusions and assumptions either party derives from them. Therefore, put all your expectations on the table, ideally in writing, and organize workshops with your service provider candidates until they understand precisely what you expect from them and confirm that they are able to and will deliver the service accordingly, or until you understand the details of where they deviate from your expectations and their reasons for doing so, and can judge whether this is acceptable for you.

This phase is sometimes referred to as "due diligence". If you have several potential providers on the radar, thorough due diligence will most often help you find the one you prefer.

Make Your Service Provider Understand Regulatory Constraints of Your Company

Nowadays many companies need to adhere to certain compliance requirements. While many such compliance requirements target business processes, a certain portion of them also affects IT services and IT service processes, in particular because IT supports and is linked with business processes. In addition, data protection and privacy laws define rules and limits for gathering, storing, processing, analyzing, and reporting information. Last but not least, your company's policies and standards constitute another set of mandatory rules, which may limit the selection of your security service provider and the technologies and processes he uses to deliver security services.

Reserve the right to conduct regular (e.g. annual) assessments or audits of the service and its supporting infrastructure and personnel. Ask for references.

These constraints often determine the architectural design and operating model of the security service. The two most important components affected are:

Location of IT infrastructure required for the security service: Commercial service providers operate infrastructure in their own (or leased) premises, which they use to provide the service to their clients. However, using IT infrastructure at provider locations requires that company data be allowed to leave the internal network and be exported to the provider. Even if there are "secure" means to safeguard the network connection between you and your provider (data in motion) and the provider's servers and storage (data at rest), your company's policies may not allow this. If this is the case, you need to provision the required infrastructure for your service provider at your own premises. The increase in cost for such a model, in particular during the run and maintain phase, is obvious.

Leveraged versus dedicated service model: Commercial service providers typically try to share their infrastructure and support staff across multiple clients, if this is acceptable to their clients. This allows them to offer their services at lower prices than if they operated everything separately for each customer. Your company's policies may not allow this. In particular, if the service provider serves other companies from the same industry sector that are competitors of your company, it is often seen as unacceptable that information of such competing companies is stored on the same hard disks, backed up to the same tapes, and accessible to the same support staff. The service provider will be able to offer you a dedicated service in which such sharing of resources does not take place. However, as a rule of thumb, the less you are able to leverage, the higher the cost of the service.

Agree Upon the Deliverables of the Service (What – When – How)

Your expectations for the service are reflected in what the service shall deliver. Deliverables must be described as precisely as possible and contractually agreed. In addition to the operation and maintenance of the security tools on which the security service is based, examples of deliverables of security services include, but are not limited to:

Security notifications, warnings, and alerts (e.g. from a network intrusion detection service (NIDS) or a security information and event management (SIEM) system)

Security and compliance reports (e.g. from a SIEM or a technical compliance service)

Reports about security gaps and weaknesses (vulnerability assessment service)

Keeping your network up-to-date with virus definitions (anti-malware service)

Creating, maintaining, disabling and deleting user accounts (user account provisioning service)

Other important characteristics of your services should be:

Service Times, i.e. when the service will be provided. When purchasing a new service you need to make sure that the contracted service times meet the requirements of your company. In particular, if your company has a global footprint, you will often need a service on a 7 x 24 x 365 basis. In any case you will usually want the service times of the new service provider to be equal to or better than what you had previously.

Service Languages, i.e. which languages the service provider will be able to understand and respond in. This is particularly important if the service is end-user facing and you need to make sure that employees from different countries can use the service. Assuming that all employees will be able and willing to deal with the service provider in English is often wrong.

Both of these factors influence the acceptance of a service, and whether it will actually be used, in particular if end users are involved.

Agree upon the Service Quality, Metrics, and Penalties

In order to ensure that the service will be provided at your expected level of quality, you must explain your expectations to your service provider. Don't assume that you and your service provider have the same understanding of terms like "good", "timely", "comprehensive", "frequently", and the like. Therefore, consistent with what is explained in the section "Make Your Service Provider Understand Your Expectations", be as precise as possible: say what you want to measure, how you want it to be measured, and what values (e.g. percentages or absolute counts) you expect the service provider to achieve.

When you are in agreement with your service provider, add the details into the contract.

Service contracts usually define Service Level Agreements (SLA) and/or Key Performance Indicators (KPI) for measuring service quality. Typical things measured with SLAs are:

Service Availability, i.e. the time (usually expressed as a percentage) during which the service was actually available during the agreed service times,

Response Time, i.e. how fast the service provider responded to service requests, and

Resolution Time, i.e. how long the service provider needed to solve an issue.

Response Time and Resolution Time are of particular interest when the service is end-user facing, in which case service requests are telephone calls, emails or incident tickets received from users. The basis for the SLA calculations in such cases is usually the incident tickets from a ticketing system, where incoming requests are logged with a time stamp and the service provider updates the ticket whenever an action is taken, until the issue is solved. Comparing the time stamps of the various stages of an incident ticket yields the values for response and resolution time.

In reality, defining a measurement method that always leads to accurate numbers and cannot be tampered with can be very difficult. The values you expect the service provider to achieve are usually referred to as "SLA targets". SLA targets should be (a) realistic, i.e. achievable with reasonable effort under normal conditions, and (b) challenging, i.e. the service provider will not be able to meet them unless he consistently delivers acceptable quality.

To ensure that the service provider strives to achieve the quality goals set forth in the SLAs, you should mutually agree upon penalties that the provider will owe you when SLAs are missed. However, the penalties should not be used to put unreasonable pressure on the provider or on your partnership with him. You should therefore allow him to correct the causes of SLA failures and get back to SLA achievement in the following measurement cycle. You should also allow a certain (low) number of cases where an SLA target is missed but the overall SLA is still considered achieved. In case of repeated SLA misses, penalties should start to take effect.

Penalties do not necessarily have to be financial, at least not in the first instance. Improvement plans and projects conducted by the provider on time and at no additional cost to you, to rectify service provisioning and get the service back to achieving the agreed SLA targets, may be a more constructive approach than requesting money back from the provider. However, financial penalties should still be foreseen as a means of ensuring that the service provider does not conclude that it is commercially better for him to pay the penalties for missed SLA targets than to provide the service at the agreed quality levels. It is quite common for financial penalties to increase month after month if the service provider continues to miss the SLA targets. If you reach this stage with your service provider, you might consider involving your company's legal department and having them judge whether he is in breach of the contract.
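The ticket-based SLA calculation, the tolerated number of misses, and the escalating penalty schedule described above, as an added example that is not part of the original article. The ticket data, the 15-minute/8-hour targets, the tolerance of one miss and the 5 % per month escalation are constructed assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Ticket:
    ticket_id: str            # one incident ticket from the ticketing system
    logged: datetime          # request received and logged with a time stamp
    first_response: datetime  # provider's first recorded action on the ticket
    resolved: datetime        # issue solved, ticket closed

# Constructed sample tickets for one monthly measurement cycle (not real data).
TICKETS = [
    Ticket("INC-1", datetime(2016, 4, 1, 9, 0), datetime(2016, 4, 1, 9, 10), datetime(2016, 4, 1, 12, 0)),
    Ticket("INC-2", datetime(2016, 4, 1, 10, 0), datetime(2016, 4, 1, 10, 20), datetime(2016, 4, 1, 11, 0)),
    Ticket("INC-3", datetime(2016, 4, 2, 8, 0), datetime(2016, 4, 2, 8, 5), datetime(2016, 4, 2, 17, 30)),
    Ticket("INC-4", datetime(2016, 4, 2, 14, 0), datetime(2016, 4, 2, 14, 14), datetime(2016, 4, 2, 22, 0)),
]

# Hypothetical SLA targets: respond within 15 minutes, resolve within 8 hours.
RESPONSE_TARGET = timedelta(minutes=15)
RESOLUTION_TARGET = timedelta(hours=8)

def ticket_times(t: Ticket):
    """Response and resolution time, derived by comparing the ticket's stage time stamps."""
    return t.first_response - t.logged, t.resolved - t.logged

def sla_misses(tickets, response_target, resolution_target):
    """IDs of tickets that breached a target; a time exactly equal to the target still counts as met."""
    misses = []
    for t in tickets:
        response, resolution = ticket_times(t)
        if response > response_target or resolution > resolution_target:
            misses.append(t.ticket_id)
    return misses

def sla_achieved(tickets, response_target, resolution_target, allowed_misses):
    """The overall SLA counts as achieved if at most allowed_misses tickets breached a target."""
    return len(sla_misses(tickets, response_target, resolution_target)) <= allowed_misses

def consecutive_misses(cycle_results):
    """Count consecutive missed cycles; an achieved cycle resets the count, so the provider can recover."""
    count = 0
    for achieved in cycle_results:
        count = 0 if achieved else count + 1
    return count

def penalty_percent(consecutive):
    """Hypothetical schedule: first miss triggers an improvement plan only (0 %), each further month adds 5 %, capped at 20 %."""
    return 0 if consecutive <= 1 else min(5 * (consecutive - 1), 20)
```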

Key Performance Indicators (KPI) are usually complementary means of keeping the service in good shape. While they are often not associated with penalties, at least not financial ones, they still represent a means of ensuring that the service provider performs at the expected quality levels. In case the service provider does not care about agreed KPIs, your contract should foresee the option to promote KPIs to SLAs and associate penalties with them. If this becomes necessary, it certainly expresses your dissatisfaction with the quality of the purchased services. However, it might also become necessary because security requirements or other aspects have changed over time in ways that could not be anticipated when the contract was written.

Last but not least, many contracts have a built-in (slight but steady) increase in their SLA and KPI targets. This mechanism is meant to ensure constant service improvement over time.

Agree Upon a Cost Model
