This year, security remains top of mind for many IT professionals at small and medium-sized businesses (SMBs). Unfortunately, resource constraints and budgetary realities have not eased much. The increased focus on the Payment Card Industry Data Security Standard (PCI-DSS) brings security compliance front and center to millions of SMBs that were previously exempt from these regulatory worries.
What to do? Burying your head in the sand and hoping the problem goes away won't work. Doing nothing is not an option. If you intend to handle security in-house, you'll need three things:
Expertise: As attackers have become far more sophisticated, IT defenders have needed to keep pace. So you'll need to be comfortable configuring firewalls, virtual private networks, intrusion prevention, application security and about five to 10 other categories of products that typically make up the SMB security architecture.
Knowledge: Security is a very dynamic beast, changing almost every day. This isn't a "set it and forget it" business. So you'll need to stay plugged into what's going on in the security market and with the most recent attack vectors. Staying one step ahead of the bad guys requires constant vigilance.
Time: Perhaps the most precious commodity for the SMB IT manager is time. But staying on top of your security environment can be time consuming, regardless of what vendors selling you a new shiny object will say. Managing the policies and making sure there are no holes in your systems is a key part of the job.
If you don't feel you have the skills mentioned above, then your decision will be easy. You should look at a service provider to help you with your security environment. Managed security service providers come in all shapes and sizes, and the reseller channel is increasingly getting involved in this area as well. You can expect to be overwhelmed with folks who want to "help" you manage your security environment.
So how do you select a key service provider? Keep the following four thoughts in mind as you talk to various service providers.
- Industry specialization: In SMBs, there is a great deal of variation among the systems of different industries (banking, health care, retail, etc.). You want a service provider that knows its way around your industry, is familiar with the systems that drive your business, and has a long reference list of businesses like yours.
- Size: There are times when bigger isn't better, but size does matter when picking a service provider for managed security services. You need 24/7 support from people who know what they are doing. Your neighbor who runs a managed firewall business from his garage isn't the answer. Security operations, like other operational functions, achieve significant economies of scale, so a bigger provider has more leverage, which over time should drive down prices as well.
- Expertise: Again, security is a very dynamic business. You want your service provider to be plugged into the security industry at many levels. It should have in-house research to analyze emerging threats and it should have renowned experts who build customer-facing architectures and help the service provider stay one step ahead of the bad guys. If it doesn't have guys who hang out at the Black Hat conference, the service provider isn't specialized enough to meet the need.
- Breadth of services: Perhaps you're just in the market for someone to initially manage a firewall or intrusion prevention system. But over time, as you get busier and some security functions mature, you'll want the service provider to take on more responsibility. Select one that offers services up and down the stack and can grow with your business.
Managed security services are not for everyone. Those that require a tight level of control or deal with mostly specialized custom business systems may want to keep capabilities in-house. But many SMBs are increasingly looking at managed security because they just don't have the in-house resources or expertise to do it.
Remember, there is no award for doing everything yourself. It's about maintaining availability and security of your key systems, and if you need help doing that -- get that help.
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via email at mike.rothman (at) securityincite (dot) com.