Forging a Sound Managed Security SLA

By CIOReview | Wednesday, July 27, 2016

Managed security services are an attractive choice for SMBs. They deliver security services beyond the in-house resources and expertise of an SMB, at a predictable cost. By outsourcing security, companies are not just offloading work; they are placing their trust, and the responsibility for the security of their network, data, and compliance obligations, in the hands of an outside party. Hence, some level of assurance that the service provider will deliver on what has been promised, and ways to protect the customer's interests if it does not, has to be established. The SLA is the answer to this need for assurance and protection.

The SLA explicitly lists the services the provider has to deliver, how they will be implemented, how the provider will respond to customer requests, queries, and problems, and what compensation and remedies apply when the service falls short.

"It's a starting point to make sure services you are contracting for are what you're really looking for," said Burton Group analyst Eric Maiwald. "Without a contract that's reasonably well thought out, you really don't know what level of service to expect and what to do when service doesn't live up to expectations."

Small-scale providers are pliable

Large companies have the financial muscle to push service providers into customizing SLAs to their needs. SMBs have to accept the provider's standard services or find another vendor that offers more in its SLA. Managed service providers make money through economies of scale: they offer repeatable services to many customers so that the provider can maximize its return without investing further in infrastructure and training.

However, small service providers tend to be more flexible. They want to compete on the personalized service they can offer. Small service providers certainly have their own limitations, but they make up for them with goodwill, in particular by responding quickly to their customers.

Performance and Penalties

Customers commonly fall prey to the alluring promises of continuous service uptime and quick responses to requests and to detected security issues. But the inventory of attractive features comes at a cost. Before you select a provider, match your requirements against the services being offered. Always check whether you actually need the extra services that require extra investment.

If you want strong performance guarantees written into the contract, that usually means you need your website running 24/7. A promise of 99.9 percent service uptime in the SLA sounds grand, but if actual availability drops by half a percent or one percent, that can amount to a few days of lost business over the course of the year.

On the other hand, if your business is more forgiving in terms of downtime and response time, you may not require such in-depth and rigorous performance promises and service. You can always opt for a smaller vendor that offers lower prices and bespoke attention.

Even when you attach monetary penalties to failures of SLA obligations, such as a fixed amount per hour of downtime, it may not matter much to the provider: the provider can absorb the charges without concern, treat the penalties as a brush-off, and stay in business. Large enterprises can extract penalties plus a painful fine from the service provider, but SMBs cannot do the same. They might receive a few dollars that the provider will barely notice, which is not proper compensation for the impact on their business.

Exit from an Unfit SLA

Check the contract for the terms that define your exit. If the contract does not contain a clear escape clause, look for other providers, because leaving will be your only option if you run into significant problems.

Before you exit the contract, make sure you have a "Plan B": a business continuity strategy, such as another service provider on hand. If you have no alternatives, work out how long you can get by with in-house expertise and whether you can afford to operate without external services.

Providers with Insurance

Insurance is a good substitute for penalties and exit clauses. You can always look for a provider that takes responsibility for your exposure and covers your risk through insurance, since the penalties you can collect bear no relation to the risk you carry. The insurance can be required to cover the cost of notifying customers, damage to brand reputation and future business, and any monetary penalties.

"A good service provider–and this will be documented clearly in their contract–will have professional liability insurance that will in part or whole absorb the liability," says Charles Weaver, co-founder and president of the MSP Alliance. "That's what a client should be looking for."

Cipher the contract

Before you sign a contract, make sure it makes financial sense. Compare your budget with the quoted price. Check whether hiring additional staff and buying new equipment would cost about the same as the investment you make in the managed security service.

Managed security services are getting a lot of attention lately. But a contract for a managed security service should not be entered into casually. Even if you outsource the tasks related to your organization's security, remember that you remain ultimately responsible for your organization's security, and managed security services are simply tools that help you reach your goals.