RSA 2009 has been in the can for over a week now, and I’ve had some time to reflect on the state of security since the economy broke its nose on the market floor. Gartner released reports saying that security spending was not cut as hard (if at all) when compared to other areas inside companies. People on the expo floor had mixed experiences as well. The four common themes I discovered were:

  1. Non-essential security spending was cut (but things you have to do like SOX and PCI are fine)
  2. Headcount was cut
  3. No change
  4. My hair is on fire

Regardless of the theme, more security professionals are warming up to the idea of Managed Security Services. While most of us want to command a SOC that is significant in both size and value to our company, our companies’ executives look at the expenditure required to build said SOC and have to decide if they are in the security business or not.

Most are not.

So in order to meet the mounting threats that our overworked teams deal with every day, we need to figure out which elements of our program are best outsourced to people in the business of security, and which ones are not. Many companies start by immediately looking at things like IDS management/monitoring, firewall management/monitoring, and log management. Those are excellent choices for sizable environments supported by a small team. Not only does it allow you to delegate these tasks to outside experts who handle hundreds, if not thousands, of these daily, it also allows you to re-deploy YOUR experts to focus on strategy and building value for your company.

Sounds great, doesn’t it?

With the right company, it sure is great! Don’t stop reading here; I’m not going to suck you into a drawn-out pitch for VeriSign’s MSSP services (but feel free to inquire about them!). But I want to caution any purchaser of managed security services: you are not buying a light switch!

I’ve recently figured out that most companies that purchase managed security services think they should work like a light switch. They just flip it on, and magically things start working.

The reality is that managed services require tuning and up-front investment to make them work well. This means that your first year costs will be dramatically higher than future years for the same scope of systems. It also means that any time you change the scope, you must account for the same type of startup costs for the new scope. Managed services can work like a light switch, provided you install that switch properly.

So remember, if you are considering outsourcing parts of your environment, you will have to invest some time and money up front to make sure you get the most value out of the service, and keep long-term costs in check. Focus less on the monthly recurring cost and focus more on total cost of ownership over multiple years[1], and be sure you invest in the future!

This post originally appeared on BrandenWilliams.com.

  [1] Kind of like buying a car, right? If you are getting a loan, focus less on the monthly payment and more on the total cost of the car. Oh, and reject the first offer.