Tech Insight: How To Choose An Integrated Security Services Provider

Suites of security services may look good on paper, but do they really do what they promise?
A Special Analysis For Dark Reading

Excerpted from ""Integrated Security Services: How To Choose A Partner Without Getting Burned," a new, downloadable report posted today on the Dark Reading Security Services Tech Center.

As the volume and sophistication of attacks increase -- and the economy forces IT and security departments to freeze or cut their staffing budgets -- one thing is clear: Enterprises, especially small and midsize businesses (SMBs), need help. The day of security outsourcing has arrived.

During the past few years, security service providers have been working to prove that they can play a viable role in securing enterprise networks. Now that they've established their ability to provide more narrowly focused offerings -- especially in the areas of threat protection and network security -- they're looking to provide compelling reasons for IT managers to move some or all of their security operations to the outsourced model.

Their case is a good one, particularly for SMBs.

Third-party service providers offer advantages over the traditional "do-it-yourself" security model in a few key areas. A service provider can sometimes offer a better view into the security of customers' networks through centralized and unified Web-based portals, for example, and can often leverage broader threat intelligence pictures. Some estimates suggest that a third-party services suite can save the enterprise as much as 50 percent compared with best-of-breed point products implemented in-house. And customers can take advantage of a truly broad spectrum of services, ranging from basic antivirus and content filtering to sophisticated authentication, vulnerability defense, storage, and backup.

While this spectrum of services is good news for IT and security managers, who are increasingly challenged to do more with less, it also means the competitive landscape is becoming convoluted. These multifunction services are offered at many different levels and hawked via many different media, including the Internet and late-night TV -- we kid you not. What's worse, some of these "services" have proved to be scams designed to collect victims' information.

How can your organization purchase a suite of security services without getting sold down the river? The key is understanding the services you need, and what you can afford, before you begin evaluating provider offerings.

While service suite pricing varies significantly by offering and service level, generally speaking, the pricing is built around a per-device (managed, monitored, or both), per-month model. For services provided by traditional outsourcing providers and security vendors catering to midsize to large enterprises, pricing can generally range from $150 to upward of $6,000 per month. This wide range of prices is based on devices designed to service networks ranging in size from tens of users to thousands of users. Buying security services in suites can reduce the cost by 50 percent, according to estimates.

For pure-play managed security services providers that cater mostly to SMBs, pricing is typically based on number of users. A secure messaging suite may be in the $2 to $15 range (depending on number of users), which includes antivirus, antispam, hosted Exchange, archiving, and other services. Service providers claim that for businesses with more than 50 employees, it would cost more than seven times the service providers' annual billing rate for a customer to build the same systems on premises.

Could your organization hope to achieve these savings? A lot depends on the services you choose -- and those you end up with. Most enterprises don't start out looking for security suites. According to service provider experts, 60 percent to 70 percent of customers come to the service provider in search of a single function, such as managed firewall, antivirus, antispam, and desktop antivirus. Once customers have formed a relationship with a service provider, however, they often begin to purchase other functions. Service providers use this growth proposition to push full suites of security services, promising customers that they will see even better value as they use more and more of the suite.

Many types of companies offer integrated security services and many different ways to evaluate them. To find out more about them, download the full report from the Dark Reading Security Services Tech Center.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.