Managed security services -- an SMB option

What to do? Burying your head in the sand and hoping the problem goes away won't work. Doing nothing is not an option.

More on security for SMBs Security VARs -- Buyer beware More security tips

Before I go into strategic options, let's take a candid assessment of the skills you'll need to grapple with today's security issues.

Expertise: As attackers have become far more sophisticated, IT defenders have needed to keep pace. So you'll need to be comfortable configuring firewalls, virtual private networks, intrusion prevention, application security and about five to 10 other categories of products that typically make up the SMB security architecture.

Knowledge: Security is a very dynamic beast, changing largely every day. This isn't a "set it and forget it" business. So you'll need to stay plugged into what's going on in the security market and with the most recent attack vectors. Staying one step ahead of the bad guys requires constant vigilance.

Time: Perhaps the most precious commodity for the SMB IT manager is time. But staying on top of your security environment can be time consuming, regardless of what vendors selling you a new shiny object will say. Managing the policies and making sure there are no holes in your systems is a key part of the job.

If you don't feel you have the skills mentioned above, then your decision will be easy. You should look at a service provider to help you with your security environment. Managed security service providers come in all shapes and sizes, and the reseller channel is increasingly getting involved in this area as well. You can expect to be overwhelmed with folks who want to "help" you manage your security environment.

So how do you select a key service provider? Keep the following four thoughts in mind as you talk to various service providers.

1. Industry specialization: In SMBs, there is a great deal of variation among the systems of different industries (banking, health care, retail, etc.). You want a service provider that knows its way around your industry, is familiar with the systems that drive your business, and has a long reference list of businesses like yours.

2. Size: There are times when bigger isn't better, but size does matter when picking a service provider for managed security services. You need 24/7 support from people who know what they are doing. Your neighbor who runs a managed firewall business from his garage isn't the answer. Security operations, as with other operational functions, achieve significant economies of scale, so the bigger your provider the more leverage, which over time will drive down prices as well.

3. Expertise: Again, security is a very dynamic business. You want your service provider to be plugged into the security industry at many levels. It should have in-house research to analyze emerging threats and it should have renowned experts who build customer-facing architectures and help the service provider stay one step ahead of the bad guys. If it doesn't have guys who hang out at the Black Hat conference, the service provider isn't specialized enough to meet the need.

4. Breadth of services: Perhaps you're just in the market for someone to initially manage a firewall or intrusion prevention system. But over time, as you get busier and some security functions mature, you'll want the service provider to take on more responsibility. Select one that offers services up and down the stack and can grow with your business.

Managed security services are not for everyone. Those that require a tight level of control or deal with mostly specialized custom business systems may want to keep capabilities in-house. But many SMBs are increasingly looking at managed security because they just don't have the in-house resources or expertise to do it.

Remember, there is no award for doing everything yourself. It's about maintaining availability and security of your key systems, and if you need help doing that -- get that help.

Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via email at mike.rothman (at) securityincite (dot) com.

Rate this Tip To rate tips, you must be a member of SearchCIO-Midmarket.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Information security management for the midmarket San Francisco network lockup justifies CIO fears A cloud computing takeover? Google thinks so An IT spring cleaning for CIOs Single sign-on: Sensible security on scale Spyware defense for the midmarket Federal breach notification stuck in Congress Anti-spam tricks for the midmarket toolbox (expert podcast) Pre-emptive strategy best approach to breach notification CIOs under fire and in front of the camera Compliance-burdened CIOs turning to security management tools Security tools for the midmarket Legal Expert: MDM can advance compliance goals Database security: Limiting access is key San Francisco network lockup justifies CIO fears Security monitoring tools: Better to buy than build? CIO Kathy Lang: Virtual patrolling center enhances campus safety Marquette CIO enhances student safety with virtual patrolling Spyware defense for the midmarket Anti-spam tricks for the midmarket toolbox (expert podcast) Compliance-burdened CIOs turning to security management tools Information security requires organized teams Security for the midmarket Risk assessment frameworks easy to employ Compliance: Don't let your guard down Single sign-on: Sensible security on scale Laptop theft easily preventable while on the road Information security requires organized teams How to choose a DR service provider Security on a midmarket budget Security's crystal ball for 2008 Security outlook challenging for SMBs in 2008 SMB security reporting: The devil is in the details RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.