Managed security outsourcing is a multibillion-dollar business with companies of all stripes saving money by offloading time-consuming and mundane security tasks to providers. But there's more at stake than saving a few bucks.

As managed security moves into the IT mainstream, deciding which functions to divest your IT or security staff of can be a challenging decision.

Make the right one and you can save money, becoming more secure all the while freeing up your staff for more productive activities.

Make the wrong decision -- whether it be a vendor that doesn't live up to promises or inadvertently shares your information with a competitor -- and you could end up in hot water... or worse.

To figure all this out, as with all outsourcing decisions, you have to weigh the pros and cons.

If you are short-staffed (especially on the security side) and have just expanded the company through acquisition, for example, now might be a good time to interview managed security service providers (MSSPs) to see how their services (anything from simple firewall protection all the way through security audits to emergency response and incident handling) could ease your workload and shore up your defenses.

If, however, you already have a security staff and good governance, policies and procedures in place, then an MSSP may have less to offer.

It really depends on so many factors that no one article can cover all the bases, but, according to the experts, there are some basics to think about before signing away control over any aspect of your security infrastructure.


On the plus side, MSSPs generally have a better understanding of the threat landscape and the tools to deal with those threats than most in-house security teams, said Marty Lindner, team lead for Incident Handling at CERT/CC. And this can be a great comfort when you put your head down at night.

Also, since most in-house staff spend a great deal of time patching and handling incidents, they have very little time left over for staying up-to-date and training.

A good MSSP should be able to provide services while, at the same time, staying current with the latest practices, gear, software, threats, etc. It also should be able and willing to impart this knowledge to you, their customer.

''If I was doing an outsourced solution, I would look upon that company to give me guidance, recommend suggestions on prevention mechanisms, policies, procedures, better ways of architecting my infrastructure so I'm better defending myself, node security, application security,'' said Lindner.

Also on the plus side, you will probably be able to save money on the more common, commoditized security tools such as anti-virus/anti-spam, firewalls, intrusion detection, etc., and their associated hardware.

In fact, up to 60 percent of companies today are using some form of managed firewall, according to analyst firm the Yankee Group.

''The pros of outsourcing? You are basically just simplifying your life,'' said Andrew Jaquith, senior analyst with Yankee's Security Solutions and Services Practice. ''You're outsourcing some of the simpler security functions and it's a cost saving; you're leveraging economies of scale on the part of the providers.''

Also, an outside provider doing, say, a security audit prior to starting its services will be more rigorous and honest, said Rick LeVine, senior manager of Accenture's North American Securities Practice, since it will not feel any of the internal pressure from management to do one thing over another. An MSSP is usually all about security, not politics.

This article was first published on To read the full article and find out what the 'cons' are, click here.