Ed Welsh, Director, Security & Compliance

Comparing managed service providers: SERVICES vs services

Posted by Ed Welsh, Director, Security & Compliance on February 22, 2010 10:50 AM

Part of selling GSI's managed services is dealing with the competitive comparison issue, as prospective clients attempt to determine which managed service provider is the best fit for their IT management needs. The need to compare GSI versus our competition is understandable, but what do you do when there is little to compare us against?

The old and overused idiom, "Apples to Oranges" comes to mind, but does not accurately describe the situation. GSI is most often compared to "hosting" companies because we have hosting capabilities, but to say we are just a hosting company is grossly inaccurate. GSI is a managed services company with hosting capabilities. We provide the entire service – soup to nuts. Most competitors, while they claim to offer a total solution, barely get to the soup.

Maybe a metaphor using the auto repair industry can help clarify our situation as it relates to comparison shopping.

Comparing managed services versus MANAGED SERVICES

  • Space. Every auto repair shop must have a garage in which to put the equipment and vehicles involved, much as IT hosting companies must have data centers. It is a given that one garage looks much like another, so picking an auto repair shop solely on the presence of a garage would not be prudent. A workable and available garage is a requirement, but you need more criteria to narrow down your comparison. The same goes for hosting companies and their data centers.
  • Range of services. Another area of comparison is the type of auto repair services and the expertise with which they are provided. A lot of shops provide standard services and have qualified technicians to provide those standard services on the most common vehicles. These services work fine for a standard high-production vehicle. What happens if your vehicle is a specialized, custom-built unit? The number of auto repair shops that can provide you services drastically decreases. Your selection now depends on the unique traits of the specialized services you require. This applies to IT services, as well. IT systems requiring advanced security and regulatory compliance necessitate specialized services, and narrow your service provider options.
  • Who performs the actual work? Let's muddy the waters a bit and carry the metaphor further. Say you have narrowed your auto repair provider selection down to three shops. All three advertise knowledge of your specialized vehicle, and each shop defines its services using similar terms. Even so, as you dig into one shop's methods, you find that they provide work space and tools, but do not actually do the work. You and your brother-in-law will need to be available to actually perform any work. This kind of discrepancy can be very difficult to discover when picking an IT services provider, and it is painful to realize it after contracts have been signed with an auditor breathing down your neck.
  • Do they need direction from you? So, now you are down to two shops that may be able to perform work on your specialized vehicle. As you question the two, you again find a deficiency in one of them. They have the capabilities, the tools and the space, but they can only do exactly what you tell them to. They cannot or will not assist with designing your solution, and cannot point out issues you will encounter, much less account for them. This, again, puts you in a hot seat. Your services contract has turned into space and tools for you to implement.
  • Finally ... the needle in the haystack. The last shop you review meets all the requirements and represents the complete solution. Almost like having a dedicated race crew to work on your specialized vehicle. Clearly this is the best choice for the services you need, but it was not easy to identify them. There were not many clues to lead you to them. All the same terminology was used to describe the services, and all three shops were giving assurances that you would get the services you expect.

There are only a small handful of managed security service providers that actually take on the specialized tasks for regulatory compliance, yet you will find many claiming to do so. They all use the same language to describe what they provide, but many simply provide the tools. Since most regulatory requirements include an analysis component, any service provider that is not doing analysis along with data collection will not meet the requirements. Yet they will advertise a fully compliant service offering by assuming the client will spend the time necessary to cover the analysis needs.

When GSI states that a service we provide can meet a requirement, we mean that the service fully meets the requirement, just as if a full IT team had been hired on. The challenge is educating prospective clients on the difference when we are compared to providers with less-developed ideas about services.

Comments

June 12, 2010 3:17 AM #

Maceo D. Wattley, M.A.
Information Security Expert.


Good information, Ed. I would like to comment from a scholarly peer-reviewed approach on selecting an MSSP from a financial institution perspective.


Intelligence and Education from an Information Security perspective complement each other during the selection process of a Managed Security Service Provider. Information Security is the term used for protecting a computer or a network of computer systems from unauthorized access to prevent confidential and important information from being compromised. Financial institutions represent an industry that is required to have minimum standards of Information Security in place to prevent any unwanted access to their network systems. Financial institutions such as banks and credit unions are regulated by the Federal Financial Institutions Examination Council, which performs yearly audits to check the level of Information Security being performed. Some of the types of confidential information that financial institutions collect are bank account information, tax identification numbers, social security numbers, debit card numbers, personal identification numbers, passwords for online accounts, and credit reports. Information Security helps to prevent this confidential information from being stolen, thus causing identity theft, reputational, or financial loss.

A Managed Security Service Provider is able to protect a financial institution from being compromised by protecting their entire network from malicious or suspicious attacks. Managed Security Service Providers employ certified intrusion analysts with years of experience in researching threats and vulnerabilities to prevent potential attackers from gaining this important information. Managed Security Service Providers are able to look at the network of a financial institution twenty-four hours a day, seven days a week, and three hundred and sixty-five days a year with experienced intrusion analysts that are staffed around the clock. To be employed with a Managed Security Service Provider you must have a certain level of intelligence and education to perform the job of protecting a financial institution's most important information from possible attacks.

Managed Security Service Providers employ smart individuals with certifications proving that they are capable of dealing with the detection, prevention, and eradication of possible attacks that are both known and unknown. Some of the certifications that financial institutions look for in a Managed Security Service Provider are GIAC Certified Analysts from the SANS Institute, because it gives their organization confidence that they are working with the best professionals who have ongoing continued education in their field of expertise. Continued education is a requirement to be certified, and it promotes the education of ever-changing threats within the Information Security industry by concentrating on the natural intelligences of the professional. Certified employees sharpen their ability to learn through reasoning and problem solving, as suggested by Gardner in his mathematical and logical intelligence (Morrison, 2007, p.127). This type of intelligence promotes Howard Gardner's theory that people can be smart in many ways (Morrison, 2007, p.127). Gardner's theory certainly makes sense for certified professionals in the realm of Information Security because most professionals in this industry are comfortable when something is measured, analyzed, categorized or quantified. Mathematical and logical intelligence is used by certified professionals working for Managed Security Service Providers when they search for and identify possible threats or attacks. They must first detect the anomaly from the millions or billions of events that are monitored daily, and this anomaly must be analyzed and categorized into small, medium, or high priority events. These events must then be analyzed and categorized to determine where the attack is coming from and how much information, if any, has possibly been breached.
Gardner's theory on multiple intelligences explains why a person learns the way that they do, and I believe that education complements intelligence in the Information Security industry (Morrison, 2007, p.127).

The way that education complements intelligence when it comes to Gardner's theory on multiple intelligences is by being able to put a plan in order with a process to further develop the mathematical and logical intelligence. This enhances the learning of the Information Security professional with the application of knowing how they naturally process what they take in (Morrison, 2007, p.127). The SANS Institute understands how Information Security professionals are able to learn, and they have several training strategies to accomplish training for their rigorous certification tests, which include using verbal and linguistic intelligences as mentioned by Gardner (Morrison, 2007, p.127). Reading materials and face-to-face training boot camps allow Information Security professionals to incorporate educational strategies to enhance their learning of industry best practices when it comes to test taking, but there are other views that disagree with my beliefs.

Lacayo mentions in his article that Murray and Herrnstein believed that IQ is primarily an ability that one inherits through their genes (Lacayo, 2001). Genes definitely play a part in intelligence, but there is no concrete research that supports Murray and Herrnstein's theory when it comes to Information Security or education. IQs have been used for many years to test individuals when it comes to intelligence, but that limits an individual's thinking and prohibits them from reaching their full potential. Through education, a process or a plan can be put into place to enhance the knowledge of the Information Security professional that can lead to higher incomes due to their unique skill sets. Labor Secretary Robert Reich mentioned that there was a lot of data to support higher earnings for education and training (Lacayo, 2001). According to Gardner, there are at least eight multiple intelligences, and few occupations rely on a single intelligence (Gardner & Hatch, 2007). This is true because the world of Information Security encompasses everything from financial institutions creating policies and procedures, helping to create standards, governance, the managing and/or monitoring of firewalls, intrusion detection systems, intrusion prevention systems, auditing or compliance, and infrastructure. These duties require Managed Security Service Providers to hire the very best professionals for their organization when it comes to protecting financial institutions' private information on behalf of the bank or credit union. These financial institutions must do their due diligence in determining the best Managed Security Service Provider for their clients.

In order to perform true due diligence from a financial perspective, financial institutions must use critical thinking to decide on which Managed Security Service Provider has the best certified professionals employed to help them with their company controls to effectively carry out the policies and procedures, such as different levels of access for individuals, and then reporting that has documentation that maps back to the policies and procedures that need to be created. Brookfield mentions that "critical thinking involves alternating phases of analysis and action" (Brookfield, 1987, p.23). It benefits the financial institution by hiring the most competent service provider in information security to mitigate risks, whether reputational or financial. An organization can also mitigate the possible impacts on the levels of risk associated with a possible breach by using certified professionals with a valued Managed Security Service Provider in Information Security through data evaluation, as mentioned by Schumacher (McMillan & Schumacher, 2006, p.95). I find that within the field of Information Security, intelligence alone is not enough. Intelligence must be used to seek out the most current educational opportunities available through certifications and higher education. Seeking out current relevant educational opportunities is the true mark of intelligence.

References

Brookfield, S. (2010). Developing Critical Thinkers: Challenging Adults to Explore Alternative Ways of Thinking and Acting. Danvers, MA: John Wiley & Sons, Inc.

Education Development Center, Inc. (1990, March). Multiple intelligences go to school: Educational implications of the theory of multiple intelligences. CTE Technical Report Issue No. 4. Retrieved May 30, 2010, from http://www.edc.org/CCT/ccthome/reports/tr4.html

Gardner, H., & Hatch, T. (1990). Multiple intelligences go to school: Educational implications of the theory of multiple intelligences. CTE Technical Report, 1990(4). Retrieved from http://cct2.edc.org/ccthome/reports/tr4.html

Gibbs, N. (1995, October 2). The EQ factor. Time Reports. Retrieved May 30, 2010, from www.time.com/.../unit5_article1.html

Lacayo, R. (2001, June 24). For whom the bell curves. Time. Retrieved May 30, 2010, from www.time.com/.../0,9171,163109,00.html

McMillan, J. H., & Schumacher, S. (2006). Research in Education: Evidence-Based Inquiry. Boston, MA: Pearson Custom Publishing.

Smith, M. (2008). Howard Gardner, Multiple Intelligences and Education. The Encyclopedia of Informal Education. Retrieved May 30, 2010, from http://www.infed.org/thinkers/gardner.htm

Morrison, G. (2007). Early Childhood Education Today. Upper Saddle River, NJ: Pearson.


Maceo D. Wattley, M.A. Information Security Expert
