MSSP Valuation - Information For Selecting An MSSP

Edward Ferrara

I attended two really great presentations at MSPWorld yesterday. This is a very interesting conference, sponsored by the MSPAlliance[i] and co-hosted with IT-Expo but focused on managed service providers. Both dealt with the issue of MSP (MSSP) valuation. Many of the attendees are SMB (MSP/MSSP) business owners and this was a hot topic.

So what is an MSSP worth and if someone wanted to buy a business like this how much should they pay?  This is an important question for Forrester’s IT clients because the rules of valuation can help IT clients evaluate potential partners.  Financial stability and the intermediate and long-term plans of the MSSP should factor into the decision of selecting an MSSP.  In any negotiation it’s also always good to know what the other side is thinking.  Here’s the list:

1.     Recurring Revenue – What is the firm’s recurring revenue profile? What are the sources of revenue and how much of this revenue comes from long-term (multi-year) contracts?

2.     Service Agreements – What is the nature of the service-level agreements the firm has in place with other clients?  Do they address risk management and risk sharing? How much liability is the MSSP willing to accept for regulatory compliance and information breaches?

3.     Service Revenues – What percentage of the MSSP’s revenue comes from what types of business?

Read more

New Research: Organizational Challenges

Andrew Rose

I was reading an article recently which outlined the different agencies employed within the United Kingdom to protect against cyber-threats.  Not including the armed forces, who would have specialist roles to play in any particular cyber-threat scenario, it transpires that there are 18(!) different players covering this space, each with overlapping strategies, policies and expenditure.  The formal report, from the UK Government’s Intelligence & Security Committee, was wonderfully understated, speaking of "confusion and duplication of effort".

Such difficulties bring to mind the challenges we face in our global organizations, which are often made up from different corporate entities.  Similar issues can happen to our security management functions - we overlap, overspend and contradict – all to the detriment of the enterprise as a whole. Managing a global information security function in an optimal manner is no easy task; it takes careful planning, an understanding of essential roles & responsibilities and the ability to manage some elements remotely.

I’ve recently published two papers relating to these very topics. If you are considering a reorganization, or just interested in what top performing security organizations look like right now, check out these links:

New Research: Develop Effective Security Metics - Published this Month

Edward Ferrara

This month I published a new report on information security metrics, best practices as well as a maturity model to measure your maturity in the reporting process.  This report outlines the future look of Forrester's solution for security and risk (S&R) professionals looking to build a high-performance security program and organization. We designed this report to help S&R pros develop and report the appropriate security metrics for their security organization. Security metrics are a key initiative for chief information security officers (CISOs) today, but many struggle with picking the right metrics. Some CISOs use a broad-brush approach, using operational metrics to demonstrate security. The problem with this approach is that most people don't understand what the metrics are saying, and they don't understand how these metrics make their lives easier or harder. Good metrics are easy-to-understand, incite actions, and change behavior by providing a clear idea of why the audience cares. When CISOs present metrics, they must be able to clarify "What it means" and "What's in it for me?" Use this paper as a set of guidelines to develop a well-formed security metrics strategy and to drive behavior change and improve performance.

Take a look at these links:

Planning For Failure, Personal Edition -- Strategies To Protect Yourself In 2012

Rick Holland

This week I did a webcast, Planning for Failure, which makes the assumption that if you haven't been breached, it is inevitable, and you must be able to quickly detect and respond to incidents.  An effective response can be the difference between your organization's recovery and future success or irreparable damage.  While I was working on the slides for the webcast, I started to reflect back on the 2011 security breaches that personally impacted me.   Three breaches immediately came to mind:

  1. Texas Teacher Retirement System -  My personal data was stored unencrypted on a public server
  2. Epsilon - Email compromise that resulted in increased phishing attempts
  3. STRATFOR - My personal information, credit card and password hash were stolen
Read more

Virtualization Security, Better Late Than Never

Rick Holland

I am excited to announce my latest research, The CISO's Guide To Virtualization Security. This is the first report in a new series focusing on securing virtual environments.  The reduced costs and flexibility of virtualization have led to widespread adoption of the technology.  Despite this adoption, security and risk professionals haven't given their virtual environments the attention that is required.  Our research interviews revealed several themes:

  • Business as usual is the status quo. IT departments rely upon traditional security solutions (end point and network security) to secure their virtual environments.  Depending on the network architecture, virtualization can create blind spots in your network leaving you blind to intra-virtual-machine (VM) communication. 
  • Many security pros aren't aware of the virtualization aware solutions available on the market. One CISO we spoke with wasn't aware that his organization's current antivirus vendor offered a virtualization aware solution.  This isn't necessarily surprising; many of the virtualization aware security solutions are relatively new to the market.  Virtualization aware solutions afford us the ability to have potentially greater visibility into workloads than we might have in our traditional physical environment.
  • Many security pros have a general discomfort with virtualization. Security pros, especially CISOs and other security leaders who have risen up the technical ranks, aren't as confident in their virtualization knowledge as they would like to be. This is particularly the case when we compare virtualization with more mature security areas, such as network security.
Read more

More Holiday Cheer: SCIM Cloud Provisioning Standard Reaches A Big Milestone

Eve Maler

I've blogged and published research before about the emerging Simple Cloud Identity Management (SCIM) standard. The SCIM group has just approved Version 1.0. No, it's not your imagination: important standards around loosely coupled identity management really are being developed, tested, and deployed at a faster rate than ever before.

What does this new pace mean for security pros? New identity protocols can be disruptive to large enterprises that have already deployed older solutions, but these new solutions will enable IT organizations to reduce costs and improve agility in managing access to/from smaller partners and customers that don't have the means to deploy the heavy stuff. That makes access control easier to achieve in a Zero Trust world. (Andras Cser and I touch on the theme of "leaner and cleaner" identity protocols in our just-published Identity And Access Management: 2012 Budget And Planning Guide, and I do a deeper dive, assessing the future of SAML and the business value of newer federation protocols, in OpenID Connect Heralds The "Identity Singularity".)

Read more

A Christmas Present From MIT?

Andrew Rose

As much as the cloud computing model makes sense to me, my security sensibilities cry out about information risk every time I start to consider actual implementation for data of value across an enterprise.

A model which has always made sense has been to place only encrypted data in the cloud, holding the keys locally. This solution gives you control over data access, bypassing any Patriot Act concerns, but allows realization of the benefits of a shared, cloud infrastructure. It has always been recognized, however, that this solution has a number of drawbacks, such as:

  • The immense corporate sensitivity of the encryption keys utilised. These keys become essential to doing business.  If they are corrupted, lost or held hostage by hacktivists, for example, then the organization stops dead in the water.  
  • The difficulty of creating indexes, searching and applying transactions across encrypted data stores. If the concept is to keep the keys away from the cloud environment then actions such as indexing, searching or running database functions become very challenging.
Read more

Xmas IAM Spending Spree: Quest Software Acquires BiTKOO, Enters IAM Suite Provider Market

Andras Cser

With only 4 stack players in Identity and Access Management, it is always welcoming news to see a new company joining the space. Quest Software is on a shopping spree: it acquired e-DMZ (privileged identity management), Völcker Informatik AG (provisioning), Symlabs (virtual directories), and now BiTKOO (XACML entitlement management). Forrester expects that in reaction to its main competitor NetIQ taking over Novell’s IAM portfolio, Quest will expand significantly into the non-Windows, heterogeneous IAM space. Forrester further expects that Symantec and to some degree Intel will follow suit, as both of these companies announced cloud-based IAM offerings.

A European Perspective On The USA PATRIOT Act

Andrew Rose

The USA PATRIOT Act (more commonly known as “the Patriot Act”) was signed into law by George W. Bush on October 26, 2001 as a response to the September 11 attacks. The title of the act (USA PATRIOT) is actually an acronym that stands for “Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism”. Many aspects of the Act were to expire in 2005; however, renewals and extensions mean that the Act is here for a while yet.

For Security & Risk Professionals, the Patriot Act comes up in conversation mostly with regard to data access. The Act suggests that the US government is able to gain access to data held on US soil, or even by a US firm outside US territory, without the data owner being notified; this is of significant concern when it comes to considerations around the adoption of cloud technology. EU-based organizations are concerned that utilizing cloud as part of their infrastructure will make their data accessible to the US government. In 2004, the Canadian government passed laws prohibiting the storage of citizens’ personal data outside their physical boundaries, and a recent news article suggested that one large UK defense contractor walked away from Microsoft’s Office 365 due to lack of assurances on data location.   

Read more

InfoSec: Enterprise Architecture Building Codes

Edward Ferrara

There are many types of criminals. These include thrill-seeking hackers, politically motivated hackers, organized criminals after financial gain, and state-sponsored groups after financial gain and intellectual property or both.  Any of these have the potential to break these capabilities through information loss, or denial of service. Business processes and their associated transactions need to look at information security as a key component of any architectural design we might create as Enterprise Architects.

Security architecture is dependent on the idea of “security.”  Security by some definitions is the trade-off of convenience for protection.  When I am unloading the car and have an armful of groceries, it's challenging to unlock the front door at the same time. Alternatively I could just leave the front door unlocked but that might invite guests I had not planned for. So I trade convenience for protection.

  • Security is often seen as in conflict with business users; however, security is a process that protects the business and allows it to effectively operate.
  • Security is in response to perceived business risks.
  • Security can be seen as a benefit and a business enabler and can aid organizations to achieve their business objectives.
Read more