As enterprises focus on aligning IT operations with business growth, it is becoming clear that areas such as IT security operations can be more efficiently dealt with by selecting the right outsourcing partners. And now, with the presence of skilled providers offering tailored services in the Middle East, the region is finally ready to embrace MSS.

By Nicolai Solling, Director of Technology Services, Help AG

The state of IT security in the Middle East is getting worse. While publicized threats such as those made by Anonymous on the region’s Oil & Gas industry are a much needed wake up call, it is skyrocketing number of cyber threats that organizations are now battling that is most alarming. Along with escalating threats, the cost of mitigating attacks too is growing. The Ponemon Institute, in its annual ‘Cost of Data Breach Study’ estimated a 15% rise in the cost of a data breach with global victims facing an average expense of $145 per compromised record .

Traditionally, organizations in the Middle East have responded to these concerns by implementing basic forms of IT security and hoping that the breach happens to someone else. But even with millions being spent on the latest security devices and platforms, organizations are still getting infected! This is because despite their cost, the implemented frameworks often lack proper configuration and fine tuning and the processes for detecting and responding to incidents lack efficiency and insight. In the midst of escalating threats and constrained internal resources, Middle East organizations are beginning to realize the benefits they can reap from Managed Security Services (MSS).

Managed Security Services (MSS) is the outsourcing of a company’s security needs to a service provider called a Managed Security Services Provider (MSSP). The MSSP will manage and protect the company’s IT infrastructure on a 24×7 basis. With the expert security resources that an MSSP has in its arsenal, it will help any organization defend against attacks and find that needle in the haystack that is probing or attacking the infrastructure.

Besides freeing up precious resources, partnering with MSSPs allows firms to maximize the effectiveness of their security investments and avail of cost-effective 24×7 monitoring. MSSPs also have the ‘advantage of scale’. Since they protect multiple clients and have processes in places to provide workflow automation, they can significantly reduce the time required for remediation. Also, the experience and insights gained from working with large client pools gives MSSPs a much broader understanding of the threats in the region, which they then leverage across their entire client base.

Deterrents to Managed Security Services

So far, the Middle East has not adopted MSS as willingly as Europe and the United States. Concerns about data confidentiality, integrity and location of the data are stated to be the main limiting factors. It hasn’t helped either that the majority of local MSSPs have proved to be inflexible in their offerings or are unable to deliver true value. This lack of competent offerings has meant customers have refrained from MSS, despite the obvious benefits of having 24×7 monitoring and support carried out by security professionals.

Instead, most Middle East organizations have tried to build their own security operation centers in-house. But as IT security becomes more and more complex, they find themselves battling another familiar challenge. The region continues to lack skilled IT professionals so utilizing the precious few to carry out security operations is almost counter-productive, especially when this same limited resource pool is simultaneously tasked with delivering innovation to drive business.

As enterprises focus on aligning IT operations with business growth, it is becoming clear that areas such as IT security operations can be more efficiently dealt with by selecting the right outsourcing partners. And now, with the presence of skilled providers offering tailored services in the Middle East, the region is finally ready to embrace MSS.

Gearing up for MSS

Picking a MSSP however is not a simple task. The criteria for selection will essentially determine success or failure. Just as outsourcing security may not be appropriate for every organization, every provider may not be appropriate for each customer’s needs. Besides cost and features, the reputation of the MSSP should hold weightage during selection.  An industry renowned provider is likely to have invested in the employing highly trained security experts and would serve a rich and diverse customer base, thus contributing to the provider’s advantage of scale.

The MSSP should have a deep understanding of the compliance regulations that apply to the customer’s particular industry and should conform to relevant industry-standard security and audit protocols. For example, a customer from the credit card industry should ensure its MSSP holds the ePayment Card Industry Data Security Standard (PCI DSS) certification.

In addition to 24×7 monitoring and managing of its customers’ infrastructures, the MSSP should also be knowledgeable, and possibly certified to manage security solutions and platforms from multiple vendors. And finally, while any provider would boast rapid response, only those who can back this claim with water-tight service-level agreements (SLAs) that offer a fixed-scope at a fixed-price should be trusted. This guarantees that they deliver the services reliably and repeatedly.

In the era of constantly evolving technologies and attack techniques, businesses cannot always give security operations their due importance. An MSSP can provide real value, visibility, insight and protection- all while relieving the stress on the organization’s over-utilized IT resources.