Managed security services industry in Sri Lanka

Abstract

Organizations outsource their IT security to qualified security service providers and it is commonly referred as managed security services (MSS). In contrast to the in-house approach in which organizations use their own resources to fulfil information security requirements, outsourcing of security provides many benefits as well as some risks to organizations. This research discusses the present standing of the MSS industry in Sri Lanka, in terms of several dimensions such as available services, MSS adoption, organizational perception and issues associated with the use of MSS. Furthermore, key drivers and inhibitors which affect the use of MSS in Sri Lankan organizations are also identified. The results reveal that all of the MSS service categories are available in Sri Lanka, though the number of vendors offering MSS is somewhat limited. In terms of service offerings, Managed Firewall and Managed Policy Compliance services are the highly offered services while Security Consultancy services being the least offered service. On the other hand, Managed Email Content Filtering and Managed Firewall/VPN services are the mostly used services. Moreover, it can be seen that MSS is used by Sri Lankan organizations in general. The research has also identified that limited vendors offering services, unfulfilled MSS requirements and negative perception on MSS are key issues prevalent in the industry. In addition to the above findings, lack of security skills and perceived security enhancement by MSS are the key factors which promote the use of MSS while trust and hidden cost related issues are acting as key inhibitors for the use of MSS. The entry of new vendors into the MSS industry, capitalizing on identified key drivers, strategies to deal with key inhibitors, proper identification of organizational requirements and effective marketing strategies to overcome the negative perception on MSS are recommended for MSSPs in order to develop the industry further. On the other hand, ensuring required level of security for information resources and practicing accepted risk mitigating approaches against the risk of trust and hidden cost related aspects are highly recommended for organizations. Moreover, in-depth inspection of available service offerings for a better selection of vendor is also recommended for organizations.