Security, storage give rise to managed services

By Linda Tucci, Senior News Writer 27 Feb 2007 | SearchSMB.com

Technology news and tips for midmarket CIOs Digg This!     StumbleUpon     Del.icio.us

[If] the partners do their jobs and the CIOs do their jobs, the ROI can be very significant. Vic Fischer VP of IT, Colliers International

In a survey of 322 organizations, CompTIA found that 30% of all users of managed services plan to invest in or increase spending on managed security services this year. Thirty-three percent said they plan to purchase or spend more on managed storage, backup and disaster recovery services. Web or email hosting is another spending priority, followed by network monitoring, Software as a Service and application subscriptions.

The surveyed organizations ranged from small businesses with 20 or fewer employees to large enterprises with 1,000 or more employees and $250 million or more in annual revenue,

The managed service model -- defined in the survey as the "ongoing management, monitoring and maintenance" of IT infrastructure and services -- is here to stay, said Richard Rysiewicz, vice president of services for Oakbrook Terrace, Ill.-based CompTIA.

"The strength of the managed service provider model from the CIO's perspective is that the provider becomes much more of adviser rather than a resource you use on an ad hoc basis," Rysiewicz said. "When most people talk about managed services today, what they are really talking about is a business relationship between a customer and service provider, similar to a lawyer or an accountant."

Leave the esoteric to the MSP

In a rapidly evolving technology environment, leaving it to the experts can be the most prudent approach, he added. "A CIO may know a lot about databases or the applications used by the organization, but not about the newest wireless technologies; the managed service provider takes care of that," Rysiewicz said.

More on managed services Managed security services -- an SMB option Managed security services: What's right for you?

This is particularly true for security, argues Forrester Research Inc. analyst Paul Stamp, a former systems architect with the Global Security Practice at Unisys Corp. In a report published earlier this month on managed security services, Stamp says the days are gone when an organization can single-handedly manage all the security risks to its IT environment. In an interconnected world, sensitive information is shared among vendors, suppliers, customers and even competitors, each of whom shoulders some security responsibilities.

"An organization that doesn't consider outsourcing at least some security tasks on the grounds that it needs to maintain total control is missing the point," Stamp said. "A security provider can take on many of the more esoteric or difficult security tasks, often more efficiently and effectively than an internal team, leaving the security team to focus to concentrate on its main purpose: aligning security strategy with the core business."

Indeed, respondents in the CompTIA survey listed a lack of in-house expertise and the more euphemistic, "It allows us to focus on core competency," as main reasons for using managed services. About a third said using a managed services provider (MSP) is cheaper than doing the work themselves.

ROI: A compass

Whatever the reason, the rising demand for managed services is driving a fundamental shift in the provider business model, Rysiewicz said.

"The industry and the end users are all starting to see the same need, and that need is that you have to demonstrate a return on investment on the service you provide," Rysiewicz said. "CIOs are getting pressured by their organizations to show the ROI when they invest in a particular technology. Now the CIO is going out to the managed service provider and asking the same thing: 'If I invest in you, what is your ROI?'"

Five tips to successful managed security services work 1. Make a list of the five high-level characteristics of your security environment, then ask to speak with customers whose IT, business and even geographical environment closely mirrors yours.  Tend to the basics: Put someone in charge, involve all the stakeholders and bring in the procurement team early. 2. Clearly define the terms of your agreement up front. Service-level agreements should include metrics for availability and response times for alerts, changes and prevailing threats on the Internet. 3. Clearly identify the vendor team that will look after your environment and make sure the people assigned to your account are experts in the issues important to your organization. Work out in advance when these experts are on call, because not all security operations centers are equally staffed at all times. 4. Going local has its benefits. Because communication is so important in security, companies often find having a local security operation makes more sense than signing up with the central center. 5. Establish regular reviews. Metrics-driven organizations increasingly want to do this quantitatively. Other organizations may seek qualitative reports of issues and actions taken. Augment this with regular status meetings, typically every two weeks.   Source: Forrester Research: "Making A Success of A Managed Security Services Engagement," by Paul Stamp, Jonathan Penn and Alissa Dill.

One obvious benefit is the cost savings realized by reducing or eliminating downtime, because the service provider managing the system is continuously and proactively monitoring it. "If you can reduce downtime, the cost savings can range from thousands to millions of dollars, depending on the size of the organization," Rysiewicz said.

ROI starts with due diligence and a good contract, he added. "If you get true partnerships and you structure these deals well, and the partners do their jobs and the CIOs do their jobs, the ROI can be very significant." CompTIA is doing its part, he added, by coming out later this year with the equivalent of a Good Housekeeping Seal of Approval for managed service provider best practices.

CompTIA might want to consult with Vic Fischer, vice president of IT at Colliers International, a San Jose, Calif.-based commercial real estate firm with 12 offices and more than 400 brokers and a small IT staff.

Colliers uses managed services from Sprint Nextel Corp. to provide firewall protection, Internet connectivity and Network Address Translation and domain name server services between its private network and the outside world. Fischer defines the arrangement as managed service, not outsourcing, because Sprint has "nothing on their premises that actually belongs to us," Fischer said in an email. The chief benefit has been to keep the responsibility for the wide area network (WAN) function "all with one party and avoid finger-pointing."

"The chief drawback has been that when we want to make changes, as we recently did to improve the flow of email traffic to and from the Internet, Sprint's procedures guarantee that the change will take at least five business days," Fischer said.

Colliers does not use outsourced services, Fischer said, after flirting with a deal to outsource Exchange to a third party. "There's also a subjective flavor to all this," he added, related in large part to "how visible the service is to the user base."

"While a problem with the WAN might have an immediate and direct effect on our users' activities, the network is kind of a deus ex machine to them and knowing which party has direct control over which part is not of interest," Fischer explained.

Email, on the other hand, is very real to his users, and knowing their firm would be dependent on a third party might raise concern.

However he, too, is looking at using more managed services, including Redmond, Wash.-based Azaleos Corp. for hosting and support of Exchange, and perhaps an MSP for storage, given the firm's penchant, he added, for "saving everything in sight."

Let us know what you think about the story; email: Linda Tucci, Senior News Writer

Tags: Information security management for the midmarket,  Data storage for the midmarket,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Information security management for the midmarket Droid does, but will IT support it? Information security program revamp adds outsourcer oversight and more From data breaches to risk management frameworks: Test your knowledge The challenge of managing risk when IT budgets tighten Why cybersecurity awareness is everyone's responsibility Information technology management e-book downloads for midmarket CIOs 10 must-have steps for an effective SMB information security program Your IT security budget: How to get more bang for the buck Using key risk indicators to sell your information security program IT security spending a bright spot in '09, with more growth predicted Data storage for the midmarket Data storage technology: Know your FAQs and options Midmarket data center management guides: Tips and best practices What do you know about data center outsourcing? Virtualized storage and SANs drive disaster recovery plan Disaster recovery plans solve bare-metal recovery problem via VMware The price of data center outsourcing: Security, costs and more explored Data center virtualization: User best practices Firm moves from tape backup to managed backup and recovery service IRobot CIO dishes on virtualization, disaster recovery and compliance Leading iRobot's IT: Virtualization, disaster recovery and compliance

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary