How managed security services providers benefit from transparency

In light of recent breaches, organizations may seek out MSSPs that hold themselves to the highest security standards.

Managed security service providers (MSSPs) are trusted by their clients to protect mission-critical data and systems. It's a responsibility that the MSSPs we spoke to do not take lightly. Internal policies and processes are held to the highest security standards, and the providers say they're very honest with clients about their own security posture. This transparency will only become increasingly important, says one industry expert, as the managed IT services market grows.

"We take that stuff seriously. We do it very well. We try to eat our own dog food. Any system or process we recommend to customers are ones we use," said Bill Matthews, owner of Hurricane Labs, a Cleveland-based information security firm.

Standards like ISO 27001, SSAE 16 and SOC 2, and regulations like HIPAA and PCI-DSS serve as a first step for many MSSPs. "Those regulatory [requirements] and the compliancy certifications are just barely starting points for what you really need to do. Lots of companies were PCI-compliant and ISO-compliant, and they still got breached, so those are just starting points as far as we're concerned," Matthews said.

J.J. Thompson, CEO and managing director of Rook Security, an Indianapolis-based IT security solution provider, agreed. "The way we look at everything, from awards to certifications to compliance, is we say, 'These are the things you'd expect from a provider that has the type of access we have.' Those things are the minimum bar for anyone in this industry," Thompson said.

Both Matthews and Thompson said that some MSSPs handle tactical, security intelligence types of services and may not be as scrutinized by their clients. However, both Hurricane Labs and Rook Security deliver services in which the MSSPs have more visibility into and control of the environment. "Where some MSSPs just throw over the wall an email notification, we identify those areas of concern, then reach into the environment and resolve them [for the client]. We're their first responder, and because we have a high level of access [to their systems], they are very concerned [about security]," Thompson said.

According to Matthews, new clients will inquire about the MSSP's internal processes, such as whether it conducts background checks on the employees Hurricane Labs hires or how access to customer systems is controlled. New clients will also often tour the Hurricane Labs Security Operations Center and data center. While Matthews said he does not usually discuss security standards during a sales pitch, he is honest about his firm's security posture. "I discuss it very matter-of-factly. I'm very honest. I don't fill [customers] with a bunch of platitudes and nonsense. We do everything we can to be secure. Could we be breached? Sure, that's possible, but we never have been, and I don't go home thinking at night, 'If only we had done these 10 things.' That just doesn't happen," he said.

Even though security policies and processes are documented, Matthews said clients typically don't ask to see them. They don't often ask to see audit results, either. The experts we spoke to agreed that there is an attitude held by many companies that a managed security services provider is, by [the] nature of the business, more secure than the client. "Even larger customers say, 'Oh yeah, we assume you're doing it better than us,'" Matthews said. Some of that is due to the fact that Matthews' security clients have a longstanding relationship with Hurricane Labs. "We managed their firewall for eight or nine years, so they are already comfortable with us. We have a history with a lot of these places, so they see it as just one more thing we're doing for them," he said.

Alton Kizziah, vice president of managed security services for FishNet Security, an information security solution provider based in Overland Park, Kan., agreed. "I've seen lots of different types of customers, both large and small. The smaller ones don't really care because whatever we have is better than what they have. Larger enterprises have a level of trust already in their partners. They trust FishNet as a partner, a provider of professional services, hardware and other things like that. There's a certain level of trust and due diligence required to give them the confidence to say, 'I know how you operate as a business and as a technology company, and I trust your security is up to par,'" Kizziah said.

Charles Weaver, CEO of MSPAlliance, a Chico, Calif.-based organization for managed service providers (MSPs) and cloud providers, said this is a common scenario. "Security is the pinnacle of managed services. You don't get into it by accident. You have to be known in the community and have an established relationship with people for them to want to work with you on security issues," he said.

That said, Weaver expects customers will demand more transparency from prospective managed security services providers, especially as more companies look to leverage their expertise in light of recent breaches. "For 20 years [MSPs] have gone under the radar because no one paid attention. This could be the year [companies] start realizing there's this whole group that does nothing but manage IT. When that happens, the MSPs that show their work and are transparent will be successful."
