Managed Security Services (MSS) is increasingly cloud-based (via software as a service (SaaS), providing a relatively predictable operational expense for meeting the challenges of managing mobile applications and email, securing sensitive data, and managing social media. Enabling usage of these modern tools satisfies the desire of the business unit (BU) to innovate, while satisfying IT security with network protection from rogue access and inadvertent information leakage.

In a recent conversation with a CEO, IDC learned about a movement towards “Build Your Own IT (BYOIT).” This CEO did not like the scenario of BUs going rogue and circumventing corporate IT in the interest of business innovation. He had seen situations where IT determined that a proposed software deployment was too insecure. BUs complained that IT’s costly, complex, and slow solutions would eliminate the competitive benefit. After all, the BU is tasked with generating revenue and satisfying customer trends toward mobile applications, social media engagement, and cloud-based tools. IT can be seen as a Luddite and an obstacle to customer demands.

Embracing BYOIT helps reduce risk

Rather than resist it, we have seen a few IT departments embrace this trend. They brave the BYOIT option by working with the BU to understand its requirements. To ensure compliance with policies and regulations, IT and the BU partner with an MSS provider (MSSP). Collectively, they may allocate the risk so there is a clear understanding of responsibilities. In some cases, the BU may bear most or all of the risk. The BU can be innovative and aggressive, but this partnership also helps provide mutual understanding of what the risks are. This partially or fully removes IT from the budget cycle discussion as an agreed-upon benefit.

We should caution that this compromise presents elements of Pandora’s Box. It can decrease IT effectiveness and damage its ability to enforce crucial controls. It can also be harmful to the company as a whole. The BU may be less inclined to negotiate prices and T&Cs because it is more intent on getting the new service up and running to meet customer demand and to take advantage of potential revenue. At some point in the future, senior management and/or the BU may decide to cede control back to IT. At this point the security weaknesses, poor controls, and hastily written contracts can disrupt IT operations unless there is careful due diligence.

Engaging an MSSP can add advantages and insight

A solid relationship with a reputable MSSP that has its own controls can offset this possibility, however. Engagement with an MSSP centralizes operational management of security and provides a “one throat to choke” relationship with pre-determined requirements and service level agreements (SLA). This can help manage BYOIT if BUs are provided with a route for suggesting new cloud-based applications. The MSSP has the economy of scale to draw from in order to scale up or down service level agreements and can build the new engagement into a predictable operating expense for IT. The MSSP also has experience in a broader portfolio of SaaS offerings than IT and may have had experience implementing the very same application the BU is interested in deploying. And, finally, the MSSP can be used as a trusted advisor to offer insight on the efficacy of said application, warn against it, and suggest alternatives if the BU hasn’t done the necessary due diligence.


This blog is co-authored by Christina Richmond, Program Director, Infrastructure Security Services, IDC


For more information on MSSPs, download the IDC Whitepaper, sponsored by AT&T: 

Content Preview

Given today's ever-evolving threat landscape of increasingly sophisticated and difficult-to-detect advanced persistent threats (APTs), denial of service (DoS), and distributed denial of service (DDoS) attacks, the enterprise faces a severe challenge in defending the entire environment, from the perimeter to the endpoint, completely alone. At the same time, IT organizations are pressured by board-level oversight to improve the administrative efficacy of security.