This story was printed from ZDNet Australia.

Choosing trustworthy managed security services

By Martin Goslar, Ph.D.
January 03, 2001
URL: http://www.zdnet.com.au/news/business/soa/Choosing-trustworthy-managed-security-services/0,139023166,120107967,00.htm


Who can you trust to protect your corporation's information, assets, global capabilities, and thus its future, from online attacks and digital destruction?

If your firm doesn't have a team of qualified security specialists, you can turn to a managed security provider (MSP), also known as a security outsourcer, security application service supplier, managed security services provider, or hosting services manager. MSPs sell a range of security services from managed firewall services to total security solutions, but these services are provided from the outside in, in contrast to the normal inside-out model.

Going with an MSP could solve some of your cyber-security nightmares: experienced and well-trained security professionals are hard to find and expensive to retain; security software is expensive and often protects only specific applications; and security systems must be monitored constantly. And if that isn't enough, security techniques and technologies are changing all the time.

Do you need an MSP?

To decide whether you need an MSP, assess your firm's current state of security protection.

What online threats does your firm face and what internal resources do you have available to manage protection? Evaluate how well threats have been dealt with in the past. Does your internal security management staff work on a reactive basis?

If you can't get your hands on a monthly security status report that contains breach statistics, types of security patches applied, software updates installed, and new software installations completed, then outsourcing could be a good option.

Once you've decided to outsource your security management, you can begin assessing MSPs and their specific offerings. Develop a quick list of candidates by searching for "managed security services" on Google. Drill down to find out what services each vendor offers, but watch out -- many MSPs are so new that the services they describe on their Web sites are not yet available.

Do you want such a start-up, or is a subsidiary of a brand-name company a better bet? In general, the former have fewer bureaucratic limits to innovation, while the latter often must drag "mother ship" policies into each new initiative.

Assess your MSP candidates

Finally, roll up your sleeves and realistically assess your MSP candidates. Web sites are good places to start, but beware of obsolete information, marketing spin, and vague descriptions.

You really need to get each vendor on the phone and ask questions like:

  • What technologies do you offer? When were the technologies developed?
  • When was each security service released, and how many subscribers currently use each service?
  • When, why, and how will your security response team contact my firm in the event of an attack?
  • How many security operations centers (SOCs) are currently in operation? Where are they located, and are more planned?
  • If an SOC goes down, how will my company's security be affected?
  • Are your security services standalone, or will they seamlessly integrate for a complete security picture of my firm?
  • What security vendors do you partner with to support the range of management services you offer?
  • Will your security experts support my existing applications, or does my firm have to conform to your security infrastructure?
  • Can we review a services agreement? Can we modify the services agreement to meet our requirements?
  • What security measures have you taken within your SOCs and throughout your organisation?
  • When did your company open its doors for business? How many security analysts and other staff do you employ? Do you plan to increase staff in the next 12 months?
  • Can we call one or two subscribers to discuss their experience with your services?

The way the companies answer your questions can be very telling. If answers are not forthright or are inadequate, move on to the next candidate on your list.

If you're not happy with the answers you get from the companies you contact, don't rush into anything. MSPs are on the bleeding edge of the security market, and you may not be able to find one that's the right match for your organisation today.

That situation may change. The managed security provider market is growing by leaps and bounds. International Data Corporation (IDC) projects the worldwide market for information security services to grow to US$16.5 billion by 2004 from $4.8 billion in 1998.

Until you're comfortable, your company's safety is too important to hand over to any third party.


Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.