7 reasons for choosing managed security services

Around the year 2000, the world discovered a new form of security. Until then, the only options on the market were ad hoc consulting and projects with a well-defined beginning and end, aimed at identifying and/or correcting information security problems, and the supply of hardware and software, the so-called security technologies.

It was at that point that the MSS (Managed Security Services) model began to take shape in the US and be used by companies. In this model, instead of treating security with ad hoc solutions (consultants) or with an exclusive focus on products (hardware and software), the MSS provider (MSSP) sells ongoing security and emphasizes results. Instead of selling an antivirus, for instance, the MSSP sells a virus-free network. Instead of an IPS Firewall, it sells an intrusion-free network. In this manner it addresses all of the existing solutions. This is based on pre-defined SLAs, in accordance with the end client's needs and possibilities.

Since then, we have seen the market grow nonstop. Results were attained and costs were driven down. Secure ROI has been achieved at last. Each year, more and more companies from all sectors are adopting the model. Let's study the reasons.

1. Security is an ongoing problem

This first major reason is interesting because it is so obvious when absent. Over the last 15-20 years, the most specialized professionals in information security have agreed that security is like an incurable disease: there is no medication that can solve the problem; we have to live with it as best as possible. But, at the same time, there are major projects involving significant financial resources that are geared towards providing specific solutions. What is the result? The problems persist. This is where MSS gains recognition, whether positively, because of knowledge of and agreement with the model, or negatively, because companies obtain poor results using traditional models.

MSS continuously solves logical security issues because it delivers effective results day after day, addressing attacks when they occur, mitigating risks, and eliminating vulnerabilities when they arise.

2. Technology does not solve everything by itself

Some people are the enemy. Companies need people to protect them. Technology has reached an impressive stage of development with advanced resources that include self-learning. Thus, it is essential to have good security technology, although that is not enough. We live in a connected world that requires us to open doors to interact with it. To know how to open the doors and understand how they work we need good technology to give us the resources to do so correctly and safely, and we need people to carry out such tasks.     

3. Hiring and retaining good security professionals is an issue for security companies

Let’s look only at Brazil and the good security professionals we have, and compare the demand for them in the country’s 500 largest companies, and in the Federal and State governments. It would be mathematically impossible for each company, whether public or private, to have its own team. In terms of public companies, the market pays a lot more per hour for these professionals than the government is able to pay by force of the law. This is also the case in the private sector, except that the force at play is the market. Thus, the conclusion is simple: a good security professional will go with the market. That is the general rule.

Now let's consider a hypothetical situation: there are enough professionals in the market and your company, whether public or private, can pay them. The questions would then be different: is it worth it for a retail company, steel manufacturer, car maker, oil operator, or similar organization to specialize in subjects as highly complex as information security? Is the return on investment sufficient? How does it compare to buying this ready-made on the market? And will the company keep these professionals motivated and updated? Generally, these are questions that cannot be answered.

4. No matter how much you try, your company’s sampling will always be smaller than that of an MSSP

What is the objective of the security function in any environment? There will always be agents as well as threats and risks. Their aim is to attack vulnerabilities and any existing security flaws in your environment. Time is of the essence: we must eliminate the vulnerabilities before a threat attempts to exploit them. In other words, we need to be proactive. And how can we be proactive in a world where around 5,000 new vulnerabilities emerge every year (over 10 per day), which are multiplied several times by the number of agents in your environment? The MSS model is the most successful in managing this feat, not by using specific technology or a magic formula, but simply by imposing security in uninterrupted fashion, 24 hours a day. And what about the consulting project you finalized last month?

5. Buying security technology is a thing of the past

Perhaps the only justification for buying logical security assets today is having a greater investment budget (CAPEX) than spending budget (OPEX). In other words, it would be a non-security reason. No company needs to own an antivirus or firewall license. Companies need only be free of security problems. They are far less successful achieving this objective with these products, since they are often highly perishable and must be used until the end of the contract. Big mistake. Buying results is far cheaper, simpler, more rational and intelligent than buying products. This is what MSSPs do.

6. Knowledge for managing security cannot be acquired overnight

A study undertaken by the company Service Leadership Inc. in the US revealed that 36 uninterrupted months of operation are needed to achieve excellent standards in managed services. That is to say, if your company wishes to solve the problem by itself, the soonest it can make that happen is in 3 years, provided, of course, that everything works out. World crises, management changes, and high turnover are massive obstacles that as a rule hinder the project, forcing a return to square one, not to mention the huge amount of badly invested money.

7. Lastly and most importantly: it is cheaper to buy MSS

Studies all show that in the end it is cheaper to engage an MSSP. There are many reasons for this: (1) spending on licenses, hardware, and software is significantly lower since MSSPs buy in bulk; (2) payments are monthly because MSSPs pay suppliers that way (which you could not manage to do without paying heavy interest rates); (3) the services are scheduled since SOC professionals execute tasks in a shared manner, generating enormous savings; (4) the MSSP comes with the required facilities such as SOC, datacenters, systems, etc., which would be very expensive if each company had its own; (5) all the procedures are already set up, offering higher speed and greater efficiency in carrying out tasks. Additionally, a good MSS contract only requires you to pay for what you receive!

*Rogério Reis is a blogger at CRN Brazil