How to build the right managed security service level agreement

Midmarket companies have little leverage in contractual negotiations with large managed security service providers, and should look toward smaller MSSPs for more flexibility in defining service level agreements.

Managed security services are an attractive option for midmarket companies. They can provide a level of security beyond the resources and the expertise of most midmarket companies, and at a predictable cost. But companies are not just offloading work when they outsource security; they are placing, at least in part, responsibility for the security of their network and data, compliance obligations, and even the health of their business in the hands of strangers.

Midmarket companies need to procure some level of assurance that service providers will deliver on their promises and protect their interests if something goes wrong, and the security service-level agreement (SLA) is the key to that assurance. The SLA will eventually spell out the services to be provided, how they will be implemented, how the service provider will respond to customer requests and problems, and what it will do to "make good" if things go badly.


"It's a starting point to make sure services you are contracting for are what you really are looking for," said Burton Group analyst Eric Maiwald. "Without a contract that's reasonably well thought out, you really don't know what level of service to expect and what to do when service doesn't live up to expectations."

Large enterprises can use their financial muscle to pressure service providers to customize SLAs to meet their requirements. Midmarket companies have to take what they get, or find another vendor who offers an SLA that better matches what they're looking for. The reason is simple economics. Managed service providers make money based on economies of scale that enable them to cash in on services that are repeatable for customers so the provider can get the most out of its investment in infrastructure and training.

"Generally speaking, they are going to shy away from anything that smells like a one-off," says Burton's Maiwald.

Smaller service providers, however, tend to be more flexible. Like any small business, they want to capitalize on personalized service. But they face their own limitations, and may rely more on the goodwill they build up by responding quickly to your problems. Midmarket companies should therefore thoroughly vet a smaller provider's reputation by examining references, customer lists, certifications, financial stability and infrastructure.

"There's not much leeway; most consultants are pretty small businesses," says Karl Palachuk, author of "Service Agreements for SMB Consultants" and the blog, "Small Business Thoughts."

"I built a model I can replicate again and again and again, and reduced the margin so I can have a consistent price across clients," said Palachuk, who operates a small business consultancy, Sacramento, Calif.-based KPEnterprises. "There's not much I can negotiate on."

In addition to delivering services locally, smaller providers may also be channel partners reselling managed or cloud-based services from larger security companies. In those cases, they--and you--are bound by the larger provider's SLA terms, which the reseller has little power to change.

It's easy to be attracted to promises of continuous service uptime, and quick responses to requests and detected security issues. But all those things come at a price. Before you decide on a provider, consider how your requirements--particularly the risks to your business--match those security service-level agreements.

Clearly, you want strong performance promises if, for example, your website has to be running 24/7. A promise of 99.9 percent service uptime sounds good, but consider that if it slips a percent or even half a percent, your business may be down for the equivalent of a couple of days over the course of a year.

On the other hand, if your business is more forgiving in terms of downtime and response time, you may not need such stringent performance promises. The alternative may be a smaller vendor who might offer cheaper prices and more personalized attention.

There's a direct connection between the performance promises a service provider can build into an SLA and its investment in infrastructure and personnel. Large providers have redundant data centers that should fail over without service interruption. Smaller companies will likely have some business continuity plan, but nowhere near the resources of their giant competitors.

"Businesses need to ask themselves some hard questions," says Kevin Prince, CTO for MSSP Perimeter eSecurity. "If we are down for an hour, a day--what is the tolerance for that kind of outage? There is a relationship between what you are getting and what you are paying."

And what if the provider fails to meet any of its SLA obligations? Much is made of monetary penalties: the service provider will pay X dollars if the service is down for an hour, or if it fails to act on your request within four hours, and so on. Perhaps large enterprises can expect service providers to pay penalties with some sting in those cases, but not an SMB. If you do manage to convince a provider that it has violated the terms of the SLA, what you're likely to get is not compensation for the impact on your business, but a few bucks the provider will barely notice.

Take a simple example: Say the provider's security operations center is having issues and the firewall monitoring service is offline for an hour. The security service-level agreement says the penalty will match the outage. So the provider refunds only what it charges you for that one hour of service, regardless of what the gap in monitoring cost you.

"It's nothing to them. They want to control their risk and therefore stay in business," says Maiwald.

Some less than scrupulous providers will use penalties as a form of rebate, a cost of doing business so they can make stronger guarantees than they can back up, said Prince.

What's more, it's sometimes difficult to prove the provider has violated the SLA. Performance, for example, is tricky. If your email security or Web filtering service is slow, is the problem on the provider's end? A lot of factors can slow things down on the Internet. Unless you can show that a number of other customers were affected at the same time, clearly pointing back to the provider, you're probably out of luck.

Realistically, if your service provider isn't living up to its obligations, the best option is simply to get out.

Although you probably have a one-to-three-year contract, all agreements have terms that allow you to bail when things go bad. Look closely at the contract language that delineates the terms under which you can terminate. If the contract doesn't contain a reasonable escape clause, look elsewhere, because getting out may be your only meaningful relief if there are significant problems.

And decide what's bad enough to make you want to bail.

"Under what conditions would you consider dropping a service provider?" says Maiwald. "What's really that bad for you?"

Maiwald cautions that you should have a business continuity plan for that eventuality. If you drop one service provider, do you need to have another one in place first? Can you take the service in-house until you find a new provider? Can you afford to be without the service for a while?

But don't expect to simply drop a provider if you are unhappy, especially early in the agreement. Economies of scale and repeatable processes notwithstanding, each new client is an investment.

Even Palachuk, who allows clients to terminate their contracts without cause, says he has some limitations (he says he needs four months to break even).

"Clients should expect if they just signed on and want to get out, there will be a cost," he says. "Consultants have upfront cost to get clients onboard."

There's an alternative to token penalties and escape clauses.

Since the risk to your business is far greater than the penalties you might collect from providers, look for a provider that accepts responsibility for your exposure and covers your risk--and theirs--through insurance, says Charles Weaver, co-founder and president of the MSP Alliance.

If a company experiences a data breach, for example, it incurs the cost of notifying customers and penalties, not to mention the damage to brand reputation and future business. In this environment, service providers are following the example of doctors and lawyers and getting professional liability insurance.

"What is at issue is the risk and where that risk is assigned," Weaver says.

Be on the lookout for a service provider that waives any responsibility for a data breach or other costly security incident.

"A good service provider--and this will be documented clearly in their contract--will have professional liability insurance that will in part or whole absorb the liability," he says. "That's what a client should be looking for."
