Author version, final version published in Proceedings of IEEE CloudCom 2015, Vancouver BC,

http://ieeexplore.ieee.org/xpl/abstractAuthors.jsp?reload=true&arnumber=7396204

Passing the Buck: Outsourcing Incident Response Management

Alfredo Ramiro Reyes Zúñiga∗ and Martin Gilje Jaatun†
∗ Department of Telematics, NTNU, Trondheim, Norway
† SINTEF ICT, Trondheim, Norway

Abstract—Many organisations are outsourcing computer operations to third parties, and the next logical step is to outsource management of computer security incidents as well. This paper describes a case study where we have studied several organisations who are active in this space today. Our results indicate that outsourcing of incident management is a viable security approach for many organisations, but that transitioning between providers frequently is a challenge.

Index Terms—Outsourcing; incident response; security

I. INTRODUCTION

Today's evolving Information and Communication Technology (ICT) environment requires connecting not only new applications and devices, but also new providers and partners. As a result the ICT environment has been gradually outsourced to third parties, expanding the security perimeter. Some organizations are moving their ICT infrastructure to the cloud, where the options for incident response are either null or dependent on third parties, with legal and accountability issues. Moreover, attackers (motivated, skilled and well-funded) are discovering new attack vectors, while defenders have to take care of multiple technologies and keep them and themselves updated.

Incidents will occur sooner or later, but the important thing is to detect, contain and eradicate the incident quickly and effectively to reduce the impact to the organization. However, organizations under-invest in prevention and suffer from scarcity of skilled personnel. An evolving threat landscape and the lack of expertise in many organizations require new strategies to balance the need to manage incidents effectively.

Some companies provide outsourced monitoring and management of security devices and systems. Outsourcing incident management services seems to be a cost-effective way to satisfy some organizations' requirements. These kinds of providers are able to see a big picture view, by using the knowledge acquired by their solutions as their advantage.

A. Participants

The participant organizations in this study are transnational organizations selected based on the managed security service provider's (MSSP) market presence. Five large MSSPs contributed to the interviews.

B. Paper Structure

The remainder of this paper is structured as follows: We present related work in Section II, and elaborate on relevant standards in Section III. We provide more background on incident management in Section IV, and present our results in Section V. Section VI concludes the paper.

II. RELATED WORK

The term incident management refers to the actions and mechanisms used to manage information security incidents. It is used to describe the collection of tasks involved with the incident response life-cycle. These tasks include plan and prepare for, detection and reporting, assessment and decision, responses, and lessons learnt to prevent future incidents.

Different standards, guidelines and frameworks have direct and indirect remarks on incident management. Those that are most notable among the information security community are: NIST SP 800-61 [1], ISO/IEC 27035 [2], ENISA Good Practice Guide for Incident Management [3] and ITIL [4]. These standards, guidelines and frameworks will be described in Section III.

Siepmann [5] describes outsourcing as contracting out services, previously performed internally, to a third party. Both the third party and the organization contracting out the services take part in a contractual agreement that involves payments and exchange of services.

A great amount of academic literature related to incident management and managed security services (MSS) has been published. Nevertheless, the literature focused on outsourced incident management services is scarce. Siepmann [5] presents an analysis of security and privacy impacts when outsourcing Information Technology (IT) processes as well as recommendations on outsourcing preparation. Sherwood [6] studied the concerns regarding security of information within outsourced settings. The study presents a strategy to manage information security on outsourced technical services.

The study performed by Tøndel et al. [7] on current practices and experiences with incident management identified the practice of incident management in outsourcing scenarios as one of the challenges for incident management. In accordance with their study, there is a need for improved understanding of the challenges of incident response in outsourcing scenarios, particularly when several suppliers are serving the same customer.

Maj et al. [3] discuss the outsourcing of incident management from the Computer Emergency Response Team (CERT¹) point of view. They suggest hiring the right people to guide the outsourcing process since it is a challenging project that should not be underestimated. Maj et al. recommend keeping control over the incident handling services and not outsourcing those elements of incident handling that provide control, such as incident reports, registration, triage (including verification and classification) and the overall coordination of incident resolution. Some of the reasons given to outsource incident management related services are [3], [8]:

• Cost.
• Difficulties in hiring, training and retaining staff.
• Services you might not want to provide yourself.
• Physically hardened facilities with latest infrastructure.
• Enterprise-wide management of security strategy.
• Access to threat and countermeasure information.
• Global prosecution.
• Service performance 24x7.

There is a need for research on the topic of outsourced incident management services since related information is scarce [9]. Siepmann's work [5] addresses management of information security incidents, but his comments only consider managing incidents in outsourcing settings and not incidents managed by a trusted third party to which the services are outsourced. Sherwood's study on management of security in outsourcing contracts [6] does not have an assessment on incident management. Tøndel et al.'s study on current practices and experiences with incident management [7] does not describe any outsourced incident management experiences or practices. The good practice guide for incident management published by Maj et al. [3] only addresses outsourcing of incident management from the CERT's perspective.

¹ The term CERT was used for the first time by the Computer Emergency Response Team Coordination Center (CERT-CC) at Carnegie Mellon University. Some teams around the world took the CERT term and other teams used the term Computer Security Incident Response Team (CSIRT) to point out the task of handling computer security incidents instead of other technical support work. The terms CERT, CSIRT, Incident Response Team (IRT), Computer Incident Response Team (CIRT) and Security Emergency Response Team (SERT) have been used interchangeably in the literature to refer to teams that aim to mitigate the impact of a potential major information security incident.

III. STANDARDS AND GUIDELINES

This section introduces some standards containing information regarding incident management.

A. NIST Special Publication 800-61

This standard [1] aims to assist organizations in mitigating risks from computer security incidents by providing guidance on establishing incident response capabilities. It includes guidelines on building incident management capabilities and the interaction with external parties, such as vendors or Computer Security Incident Response Teams (CSIRT). NIST SP 800-61 describes in detail the four major phases of the incident response life cycle. These phases are (see Fig. ??):

• Preparation.
• Detection and Analysis.
• Containment, Eradication and Recovery.
• Post-Incident Activity.

B. ISO/IEC 27035:2011 Information security incident management

This standard [2] provides guidance on incident management. It offers a structured approach to deal with incidents including planning, detecting, responding and thereafter extracting lessons learnt. ISO/IEC 27035:2011 presents five phases with recommended activities. These phases are:

• Plan and Prepare.
• Detection and Reporting.
• Assessment and Decision.
• Responses.
• Lessons learnt.

ISO 27035 aims to assist organizations in satisfying the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) specified in ISO/IEC 27001:2013 [10]. ISO 27035 provides guidelines on the implementation of good practices on information security management presented in the standard ISO/IEC 27002:2013 [11].

C. ENISA - Good Practice Guide for Incident Management

ENISA's guide [3] provides guidelines for security incident management. It provides recommendations on the creation of a CERT and assists in preparing its mission, constituency, responsibility, mandate, organizational framework and the type of services, in terms of the incident management process, that it can deliver. This guide highlights the incident handling process, and provides related information on roles, workflows and policies. ENISA's guide pays no attention to the preparation phase and focuses on the incident handling process composed of four phases: detection, triage, analysis and incident response.

D. The ITIL Framework

The ITIL framework [4] is a source of good practice for service management that focuses on aligning IT services with the needs of the organization. The main goals of the incident management lifecycle are to reestablish a normal service as fast as possible and to reduce unfavorable impact on business operations. During the incident management process, resources are assigned to different activities such as identification, registration, categorization, prioritization, diagnosis, escalation, investigation, resolution, recovery, and incident closure, in order to mitigate and minimize the impact of incidents. The incident management process can be triggered by incident reports coming from diverse sources.

IV. INCIDENT MANAGEMENT

There is a lack of consistency in defining incident management across the standards and guidelines as well as in the information security literature. The terms incident management, incident handling and incident response are in some cases used interchangeably. However, these terms have a different scope.

Fig. 1: Incident Management, Incident Handling and Incident Response relationship

TABLE I: Incident management models [9]

                Capabilities
                Organization side   Provider side    Outsourced
  Execution     Full-time           Full-time        Partially outsourced
                Part-time           Part-time        Fully outsourced
                Virtual team        Virtual team

Incident management is part of a comprehensive security programme for information security governance [3], [12]. Killcrece et al. [13] emphasize that incident management is not purely an IT issue, but a wide overview of the organization's security, risk and IT management functions. Alberts et al. [14] explain that incident management encompasses incident handling, incident response and a larger set of activities such as vulnerability handling, artefact handling, security awareness training as well as other proactive services and security quality management services.

Cichonski et al. [1] and Maj et al. [3] present incident handling as a whole lifecycle where incident response is one of the phases. Incident response is an organized approach to react to a security breach or attack. The goal is to contain, eradicate and recover from the situation in a way that limits damage and reduces recovery time and costs. Fig. 1 explains the relationship between incident management, incident handling and incident response.

A. Incident management models

Reyes [9] classified the incident management models according to an organization's capabilities, human resources and expertise (see Table I). The outsourced incident management model is usually followed by organizations focused on their core activities or by organizations looking for cost reductions. The focus of this paper is on the outsourced incident management model.

The incident management could be partially or fully outsourced in this model. Selecting a partially outsourced approach could be based on the lack of certain expertise or when it is more convenient to use a third party to provide a particular service. On the other hand, fully outsourcing incident management would be an option for those organizations that want to focus uniquely and completely on their core services and rather outsource anything else.

B. Managed Security Service Provider

Outsourcing incident management services is not an option that all organizations would consider, since it may be perceived as providing control and access to the digital assets. However, outsourcing incident management services is all about a security partnership with one or more trusted third parties.

Managed Security Service Providers supply organizations with expert teams and systems, improvement in performance, reduction in capital investment in technology and resources, and meticulous activities to exhibit to auditors and regulators. Depending on the contracted services, MSSPs are able to provide support to the organization or (if existent) the organization's incident management team to manage incidents and to supplement or support the existing security infrastructure.

Ferrara and Hayes [15] categorized MSSPs in three categories, based on their size and capabilities. The first category involves the largest enterprise-class providers. These MSSPs provide multiple security operation centres (SOCs) in multiple geographic locations, proprietary or significantly enhanced technology, a full portfolio of standard services and multi-language support. The second category has the emerging MSSPs. These MSSPs have one or two SOCs, significantly enhanced technology, a full portfolio of services and language support in one to two languages. Finally, the third category includes many smaller firms that serve the small business market. These companies have a single SOC, no threat intelligence services unless reselling another company's service, a narrow portfolio of services and support in a single language.

V. RESULTS

This section presents findings from the case study. The collected data was prepared in a common format and categorized based on key themes.

The findings are organized based on three different stages: Pre-operation, Operation and Post-operation. Pre-operation refers to the stage where an organization has not created a contract with any provider to acquire incident management services. Operation describes the stage where there is an ongoing contract between the customer and the provider to outsource any kind of incident management services. Finally, the Post-operation stage deals with a normal contract completion or an early termination.

Organization A describes that good communication with internal incident management teams depends on the customer's forensic readiness, meaning that the customer is prepared and the stakeholders are involved in the case. If there is not a proper working model in the internal incident management team, there might be communication conflicts due to a lack of internal communication.

A customer that has security controls in place, trains its people, has implemented security awareness and knows what the threats might be gets more benefit from the outsourced incident management services. Organization E describes that when internal incident management teams are mature and self-sufficient, they look for assistance in services that are too complex. Organizations A and C explain that outsourced incident management services could benefit an internal incident management team by providing it with more man-power, specialized services, managerial skills, a global perspective on threats and multiple sources of intelligence. However, in some cases it might affect internal teams that are trying to respond in the same manner if there are not clear lines of responsibility in terms of which team does what type of tasks. Besides, some internal incident management teams might get affected by a reduction of staff.

Organization B comments that current incident management teams benefit from participating in discussions and inputs coming from the provider, getting a different perspective in order to make decisions and reach agreements to deal with an incident.

Organization D highlights that some internal incident management teams might perceive the MSSPs as the help needed to prevent being fired when an incident is out of control.

Organizations A and D describe that they offer different types of SLAs in terms of different services. Organization A's responsibilities and penalties are dependent on what the customer is looking for and is willing to pay. The penalties differ according to what services are outsourced (traditional managed security services or managed incident handling services), the level of the incident missed and the severity of the attack.

Organization B explains that the roles and responsibilities are dependent on what the client wants; the higher the SLAs, the more they have to pay because it requires more staff. Organization B offers different types of SLAs not only in terms of different services but also according to the environment (production, test, development, etc.). The SLAs related to the production environment have higher cost and penalties than the rest of the environments. The penalties in the SLAs might differ from account to account. However, Organization B has compensation agreements, meaning that if an SLA is missed and there is a penalty, the compensation agreement could be used in order to condone the penalty as long as the compensation agreement is achieved.

Organization C has very specific SLAs for incident reporting or detection. If there is an incident or suspected incident, there is an escalation process to notify the customer, which is done by phone or by other means, based on its severity. But Organization C uses a different set of SLAs when it comes to incident response. Responsibilities and penalties are dependent on what is being offered and what the consequences are for the customer.

Organization E considers that there is no way to promise some customer that the provider's resources will be on site within a very specific amount of time. Everything is done on a best-effort basis and there are no artificial time limits. There is no way that a provider can promise to get to the bottom of something in an investigation in a certain period of time because each situation is different. It is hard to state SLAs because there is no level of predictability in these kinds of situations.

A. Pre-Operation

1) Identifying the services needed: Many of the services are named differently by different providers, which makes it more difficult for non-security-aware customers to find out the right services. Organization A recommends making an in-depth search of the services and then getting an independent view from a third party, helping to understand what their strengths and weaknesses are and what might be suitable for the company. Organization C recommends that providers should be clear about where these services are located in the incident management process, where the starting point is, where the ending point is and what resources are required from the customer in order to implement the services. Organization D recommends providers to devote time helping potential clients to understand how what they are doing is different from what others do and what some of the differences in their proposal are.

2) Choosing the right provider: Companies are not aware of the broad diversity of providers that can offer them incident management services. Organization A advises the companies to have a subscription or a working relationship with an analyst company or a neutral third party in order to get an independent view of the providers, helping to understand the MSSP market segmentation, providers' capabilities, flexibility and customer satisfaction.

3) Taking into consideration the staff morale: The staff morale might be affected by the decision of outsourcing services that were previously run in-house. Organization B recommends involving the staff, making them understand why the decision was made and trying to make it positive.

4) Adapting to foreign language communication when using global outsourced services: Outsourcing services to global companies might impact the internal communication, since the staff might not be used to talking to people in another language such as English. Organization B recommends taking the internal communication into account when choosing a service provider.

5) Predicting resources and justifying them inside the business: Customers may have a very difficult time predicting how many resources or how much help they are going to need and justifying it within their business. Organization E advises taking advantage of cyber-attacks reported in newspapers as headlines or in the news to make justifications easier.

B. Operation

1) Providing emergency response services to new customers: Emergency response services are those that companies can call 24 hours a day, every day of the year, when they have an emergency. Organization A advises that experienced security professionals who have developed their skills through different cases are the most suitable to provide help quickly in an unknown infrastructure, being fast and efficient in analyzing what happened, how it can be stopped and finding out what systems are in scope, in order to make the right choices for the response. Organization C describes that some customers prefer to engage multiple providers when emergency response services are required.

2) Having appropriate staff to provide response to emergency response calls: MSSPs require having people available to respond when needed. Organization C advises that providers should be prepared to provide the appropriate people at the appropriate time, since their staff might be actively engaged in different tasks. Providers should have at least enough staff for those customers that have contracted services.

3) Communication between external and internal incident management teams: Internal communication within an incident where clear roles and communication mechanisms have not been established in the internal incident management team can cause communication conflicts. Organization A describes that it is important that the customers have developed some forensic readiness and incident management planning describing IRT roles and responsibilities.

4) Reaching global support when system breaches involve global companies: Some companies might have complex systems either in their internal infrastructure or due to the fusion with other companies. When there is a breach in global companies or in companies with complex systems, such as cloud services, it might require getting the involved log files located in different countries. Organization A recommends not looking at the whole company, but first finding the breach and then working the way through it and through the systems. Only if there are complex systems involved in the breach might global resources be required.

5) Combining the strategic information and the intelligence: Not all vendors have access to the same multiple sources of intelligence or the knowledge of what to do with it. Organization A describes that the quality of the input that you have access to as a vendor is a big differentiator, but only by combining it with strategic information, either from history or from experience, can meaning be extracted. Organization E advises that consuming intelligence will provide detection of the right kind of anomalies and indicators of compromise to stop targeted attacks.

6) Implementing massive security services that will work without false positives: Many customers want to get security services alerting only about the real issues and not being alerted by stuff that is not relevant. Organization A describes that it depends on the quality of the services, but this would be achieved once a broader integration of IT, network and security systems occurs.

7) Keeping the customers: Customers might switch providers due to not getting the agreed service or because the service is or becomes too expensive. Organization A describes that in order to keep a customer it is important to build a trusted relationship between the provider and the customer.

8) Cultural differences might impact the working behaviour: Offshoring is the relocation of an outsourced service from one country to another that provides cheaper labor costs. The cultural differences in those outsourcing destinations might impact the communication and the working behaviour of the provider's staff. Organization B explains that having workers with big cultural differences demands follow-up activities and inter-cultural communication in order to understand the differences and get the job done.

9) Unavailable offshore personnel working in countries with natural, societal or political risk factors: Different circumstances such as natural disasters, strikes or riots, among others, might prevent offshore workers from reaching their working place. Organization B describes that having offshore offices spread over different locations is a good way to spread the risk and not have an impact on the offshore services provided.

10) Multiple providers' interaction during an incident: Customers may have multiple providers supporting the same incident which, even if they are assigned to do different tasks, can have some overlap. Organization C recommends that there should be some hierarchy involved when multiple providers are engaged in the same incident, to make sure that somebody is in charge and perhaps solve overlapping tasks. Organization E describes that the customer should be the one dictating how the investigation would be done and defining the separation of duties to be handled by the companies that are brought in.

11) Collecting logs from systems and infrastructure: Customers might not be logging what is happening in their infrastructure. The use of logs is something that does not necessarily require many resources, but it provides great help when having an incident. Organization D advises collecting sufficient logs and data in order to facilitate and improve the customer's incident response process. This will allow verifying the information of an incident and would significantly speed up the provider's response, enabling some response functions to be performed remotely.

12) Remote response enabled by agents: Customers' IT departments might be reluctant to use agents because for every incremental bit of complexity on an endpoint there is potentially a large percentage of customer service calls, help desk calls, and an increase in the time spent evaluating new software or operating system releases. Organizations D and E recommend working with customers to help convince their ultimate decision maker as to why the benefit of running the agent at the endpoint is greater than the cost.

13) Lack of skilled personnel: There is a shortage of people with capabilities for incident response activities. It is difficult to hire as many people as are needed. Organization D advises hiring more junior talent to develop their skills, providing them with formal training and in-depth hands-on experience. Organization E advises creating bonds with universities and research groups to find dedicated people and train them.

14) Incident response roles are not clearly defined: Incident response roles are not clearly defined in the industry; when hiring incident response experts there is a wide variation in the capabilities, level of experience and expertise that is needed. Organization D recommends defining internally what these roles actually are for the company's needs. It is important to understand, when hiring new personnel, what they really have experience in and how that is related to what is needed at any particular point.

C. Post-Operation

1) Understanding the customer needs and expectations when switching providers: Not understanding the new customer's expectations and its infrastructure could make the transition challenging for the provider receiving the new customer and deteriorate the relationship from the beginning. Organization A emphasizes the importance of getting familiar with the infrastructure both at the customer's and at the previous provider's facilities. It is important to understand what the critical assets are, what the customer wants to protect and where the previous provider failed. The more the provider knows about the customer, the better shape it would be in to provide protection and build a trusted relationship between the parties. Organization C describes that the provider needs to understand the new customer's challenges in order to identify the services that can be offered in that category and propose something to address them based on their prior experience.

2) Knowledge transition of customer services from one provider to another when a customer changes provider: Providers might be reluctant to pass on knowledge that took many years to get. Some of this knowledge might not be documented and does not reach the new provider. Organization B describes that providers might transition the problem knowledge that they are obliged to but not the rest. Having proper documentation and a continuous revision of it during the meetings with the customer might help to keep everything documented so that there won't be any gaps when a provider transition occurs. Organization D highlights that the new provider should be aware that the previous provider may not have much incentive to participate in the process since they are losing a contract.

VI. CONCLUSION

This paper has described interviews with five large managed security service providers (MSSPs) in the global market.

Outsourcing incident management security services is a viable option to get security competence for responding to today's threats. Outsourcing incident management services seems to be a good option for small and medium size organizations that don't require tailored services. These organizations can reap affordable comprehensive security without investing in new infrastructure or being burdened by deployment and management costs. Large organizations are benefiting from specialized services or from having the chance to focus on tasks that demand specialized skills instead of repeatable tasks. Tailored solutions are not easily achieved by outsourced services. It is a complex process that requires both internal and external staff to accomplish.

All organizations can evaluate and assess what MSSPs offer according to their needs. However, the service descriptions on the providers' websites are unclear and most of the time confusing. Mapping those services to either the incident management model, the Observe-Orient-Decide-Act (OODA) decision-making life-cycle phases, or the kill chain framework phases will enable better understanding of what the customers are lacking to increase the effectiveness of their organizational cyber-defense capabilities.

Knowledge transition of customer services from one provider to another requires proper documentation. This documentation is not effectively done, according to some of the interviewees, and in some cases there is knowledge that doesn't reach the new provider. Therefore, exchange formats between providers to transfer the customer services knowledge could help to guarantee to the customers that their data will be properly handled during and after the transition. A public file format for exchange of customer services knowledge should be developed to automate as much of the knowledge transition process as possible. It would make cross-organizational coordination more efficient and cost effective.

REFERENCES

[1] P. Cichonski, T. Millar, T. Grance, and K. Scarfone, "Computer security incident handling guide," NIST Special Publication, vol. 800, p. 61, 2012.
[2] "ISO/IEC 27035:2011 Information technology - Security techniques - Information security incident management," International Organization for Standardization (ISO), Geneva, CH, Standard, Sep. 2011.
[3] M. Maj, R. Reijers, and D. Stikvoort, "Good practice guide for incident management," 2010.
[4] "British Standards Institution. BIP 0107:2008 Foundations of IT service management based on ITIL V3," British Standards Institution (BSI), UK, Standard, 2007.
[5] F. Siepmann, Managing Risk and Security in Outsourcing IT Services: Onshore, Offshore and the Cloud. CRC Press, 2013.
[6] J. Sherwood, "Managing security for outsourcing contracts," Computers & Security, vol. 16, no. 7, pp. 603–609, 1997.
[7] I. A. Tøndel, M. B. Line, and M. G. Jaatun, "Information security incident management: Current practice as reported in the literature," Computers & Security, vol. 45, pp. 42–57, 2014.
[8] J. Allen, D. Gabbard, C. May, E. Hayes, and C. Sledge, "Outsourcing managed security services," DTIC Document, Tech. Rep., 2003.
[9] A. Reyes, "Incident Management in Outsourcing," NTNU, Project Report (Minor Thesis), Dec. 2014. [Online]. Available: http://sislab.no/projects/outIR/outIR.html
[10] "ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements," International Organization for Standardization (ISO), Geneva, CH, Standard, Nov. 2013.
[11] "ISO/IEC 27002:2013 Information technology - Security techniques - Code of practice for information security controls," International Organization for Standardization (ISO), Geneva, CH, Standard, Oct. 2013.
[12] W. Brotby, J. Bayuk, and C. Coleman, "Information security governance: Guidance for boards of directors and executive management," 2006.
[13] G. Killcrece, K. Kossakowski, R. Ruefle, and M. Zajicek, "Incident management," Build Security In, 2005.
[14] C. Alberts, A. Dorofee, G. Killcrece, R. Ruefle, and M. Zajicek, "Defining incident management processes for CSIRTs: A work in progress," DTIC Document, Tech. Rep., 2004.
[15] E. Ferrara and N. Hayes, "The Forrester Wave: Emerging managed security service providers, Q1 2013," Forrester Research, January 2013.