Cons of using MSSPs

Last week we went over some of the Pros of Outsourcing to MSSPs. Today we will go over some of the Cons in more detail.

Here are the reasons why you should think twice before outsourcing.

1. Device control: Once you outsource your security infrastructure, such as firewalls and IDS, you may lose some or all control of the devices. Many MSSPs want to retain full control in order to reduce the finger pointing when catastrophe happens. Also, MSSPs usually have tools and infrastructure that manage the devices differently than individual administrators would, so shared control can create problems when both sides cannot agree on certain things. However, you still have control of the policies of the devices. If you can’t swallow the fact that you will lose control, look for an MSSP that will share access with you.

2. Security policy: Any good security policy requires knowledge of the company’s corporate culture and business. The MSSP will not know everything about your company. For example, they won’t know that your company’s extranet can only be accessed by specific strategic partners, nor will they know that only specific administrators can access security data and that these people must have access at any time. It is your responsibility to work with the MSSP to make sure that they understand and build your security policy. Some MSSPs can provide professional services to help you, but the downside is that you will have to pay more.

3. Security environment: Unless the MSSP handles all of your infrastructure, they won’t know all the applications and servers you have. This means that, with insufficient information, it is difficult for them to accurately determine whether a security event is critical or just a false alarm. Most MSSPs can work with you to set up an escalation policy that would include partial knowledge of your environment, including which applications and servers are in your infrastructure. However, it is up to you to keep that information current and update the MSSP as necessary.

4. Administrative access: One of the biggest surprises for companies considering outsourcing is that most MSSPs will have a team of engineers who all have administrative access to the managed devices. The team size can sometimes be as many as 30 engineers! In contrast, most companies probably have only 2 to 3 administrators who are allowed to manage the devices. To mitigate the risk of having too many people who can modify the device, work with the MSSP to make sure they know who from your company can request changes. Keep the number of people who can request changes to a number you are comfortable with.

5. Response time: Most MSSPs will have a very fast response time when it comes to catastrophes. For example, if the device goes down due to hardware or software failure, the response time to get on the case is usually about 15 minutes. However, if you need a policy change quickly, the response time can be on the order of 6 to 24 business hours depending on the SLA. This generally requires the company to plan ahead when working on projects. It also means you shouldn’t send in a change request to open a port on the firewall two hours before you need it.

6. Customization: MSSPs are all about economies of scale. All their operations are based on that concept in order to make a profit. Their preference is to perform any task on a mass scale so nothing needs customization. The downside, of course, is that your devices will be managed just like any other device. If you have specific requirements that need customization by the MSSP, it will be difficult to convince them to do so as it breaks their model. For example, it will be difficult to convince the MSSP to enable SNMP on your firewall if the MSSP’s policy doesn’t allow that.

7. Financial viability: This is perhaps the one thing that most companies will ignore or not spend enough time on when it comes to due diligence. To identify the MSSP that meets your requirements, not only do you need to spend time on the SLA and technical requirements, it is also critical to understand the MSSP’s business and financial viability. Given that many of the MSSPs out there are fairly small and new to the business, any risky business move on the part of the MSSP can put them out of business. As we have seen over the years, many of them did. Remember Pilot Networks and how much time they gave their customers when they went out of business?

Now that we have gone through the many pros and cons of outsourcing to MSSPs, it is up to you to understand your requirements and figure out whether to outsource or not. Make sure you ask all the questions and spend time on due diligence, and don’t let the MSSP talk you into something that you are not sure about. Make sure you talk to multiple MSSPs and understand how they can meet your requirements. In other words, do your research first.
