It was no surprise to hear Brian Snow, the senior technical director of the National Security Agency's Information Systems Security Organization, tell an audience of security tool developers that a lot of the products they make are an "attractive nuisance." Snow made these comments during a presentation to developers attending the July 2000 "sophisticated" hacker briefings included in the DEFCON 8 security conference in Las Vegas. His statement underscores the confounding and seemingly hopeless information and communication technology (ICT) security development efforts as more vendors come online touting proprietary solutions. Once viewed as a low-budget nuisance by corporate America, ICT security now has become the next icon of corporate survival. Propelling this mushrooming growth in security protection development is new ICT earning potentials. Market researcher International Data Corporation (IDC) projects the security market for managed security services to grow to $2.24 billion by 2003 from $512 million in 1998. IDC also expects the market for content security to grow from $66 million in 1999 to $952 million by 2004. Another market research firm, Frost & Sullivan, values the 1999 European Internet security marketplace at $489.9 million, and predicts it will reach $2.74 billion by 2006.
ASP then, MSP nowApplication service providers (ASPs) arrived on the Internet scene less than two years ago, promising several advantages over traditional software development/acquisition cycles. ASP benefits, such as rent vs. buy and installation and update savings, were touted. ASPs provide the applications and IT infrastructures to service subscribers. Potential corporate benefits include substantial reduction in security software costs, decreases in resources required to continually update security capabilities and knowledge, and lower staffing growth for security-related duties. ASPs can also accomplish the challenge of incorporating proprietary security applications into an integrated security shield. But as the Internet evolves, complexity and specialization continue to complicate straightforward ASP security solutions. Some ASPs are full-service firms, while others partner with organizations that contribute missing components and capabilities, such as encryption and public key infrastructure (PKI). In response, a new form of ASP is budding in the ICT protection arena: managed services providers (MSPs). Rather than offering traditional application access, security MSPs supply both security technologies and the management of it all to assure optimal protection 24x7. These MSP providers are so new to the online security market that security services should be outsourced incrementally, service-by-service. MSPs can be evaluated more easily in a step-by-step relationship, and control and protection pressures can be more adequately managed internally. The "all-or-nothing" approach sounds easy but too often ends in disaster.
Can security MSPs become bulwarks of protection to the nonsecurity ASP services sector and to corporations seeking reprieve from ICT assault? To help you make the first MSP cut, ask yourself the following questions:
- Capability--Your company must be able to efficiently outsource certain security functions and closely oversee MSP security services on an ongoing basis.
- Competence--The MSP must have the skills to maintain information assurance, infrastructure protection, and telecommunication oversight.
- Trust--Trust is a must for the security MSP to gain and maintain clients. Longevity, integrity, growth, capitalization, reputation and internal security all build the foundation for adequate credentials.
- Responsiveness--Considering that corporate survival is at the core of these services, MSP staff responsiveness, in addition to technology excellence, is mandatory.