Abstract:
Organizations outsource their IT security to qualified security service providers, a practice
commonly referred to as managed security services (MSS). In contrast to the in-house approach
in which organizations use their own resources to fulfil information security requirements,
outsourcing of security provides many benefits as well as some risks to organizations. This
research discusses the present standing of the MSS industry in Sri Lanka, in terms of several
dimensions such as available services, MSS adoption, organizational perception and issues
associated with the use of MSS. Furthermore, key drivers and inhibitors which affect the use
of MSS in Sri Lankan organizations are also identified.
The results reveal that all of the MSS service categories are available in Sri Lanka, though
the number of vendors offering MSS is somewhat limited. In terms of service offerings,
Managed Firewall and Managed Policy Compliance services are the most offered services,
while Security Consultancy services are the least offered. On the other hand,
Managed Email Content Filtering and Managed Firewall/VPN services are the most used
services. Moreover, it can be seen that MSS is used by Sri Lankan organizations in general.
The research has also identified that the limited number of vendors offering services, unfulfilled
MSS requirements and a negative perception of MSS are key issues prevalent in the industry. In
addition to the above findings, lack of security skills and perceived security enhancement by
MSS are the key factors which promote the use of MSS, while trust and hidden-cost related
issues act as key inhibitors to the use of MSS.
The entry of new vendors into the MSS industry, capitalizing on the identified key drivers,
strategies to deal with key inhibitors, proper identification of organizational requirements
and effective marketing strategies to overcome the negative perception of MSS are
recommended for MSSPs in order to develop the industry further. On the other hand,
ensuring the required level of security for information resources and practicing accepted risk
mitigation approaches against the risks of trust and hidden-cost related aspects are highly
recommended for organizations. Moreover, in-depth inspection of available service offerings
for better vendor selection is also recommended for organizations.