Changing business practices and advancements in technology have increased cybersecurity risk exposure for business; that much is a given. But equally, increased connectivity and mobility, evermore reliance on the cloud and a culture of digital transformation have made managed security services a business no-brainer.
Security professionals are an expensive essential
Not every business can afford to establish and run a fully staffed, state-of-the-art security operations centre (SOC). Yet no business can afford to be without the protection that such a sophisticated cybersecurity solution provides.
The benefits of outsourcing cybersecurity to a managed security services provider (MSSP) are best reflected by the mirror of risk management in a rapidly evolving business environment.
Imagine a typical day in a typical office: email, expense reports, conference calls, purchase orders and so on. The cloud and mobility, “two small words that belie enormous complexity”, as Don Smith, senior director of cyber intelligence at managed services security provider Secureworks puts it, are extending the enterprise and putting many of these business processes in the hands of an external provider.
Just the rise of the smartphone as a business tool has created an “increasingly intangible, amorphous perimeter”, he says, before asking: “How do you secure yourself in a world where you don’t control everything, anything, absolutely?”
Let’s consider the biggest security challenges that are increasing risk exposure for the average business: the three Cs of cloud, cyber and compliance. Many organisations have moved to the cloud so quickly that their security hasn’t kept up. The increasing number of cyberattacks and data breaches reveals that criminal organisations are aware of this. Plus, there’s compliance.
“Just being compliant is no longer enough,” warns Kevin Brown, managing director of BT Security. ”Customers face increasingly stringent rules which differ between geographies, and seek support to understand their current exposure and help remedy issues.” The latter is becoming increasingly important even to smaller organisations, especially those with clients in a highly regulated industry and who need to be able to demonstrate their cybersecurity credentials to do business with them.
Solving the security team conundrum
You need to look beyond practices and technology when it comes to the primary factors that are impacting risk exposure, according to Charl van der Walt, chief security strategy officer at SecureData, who argues the important drivers are fundamental and systemic.
He cites criminal innovation, the levels of state-sponsored investment in computer hacking developments, growing influence of security regulations and decades of large-scale, accumulated supply-chain risk and technical debt. “Together these systemic factors create an environment of chaos and unpredictability, in which cyberattack, compromise and ultimately breach are inevitable,” says van der Walt. This is where the benefits of outsourcing cybersecurity come in.
Both smaller organisations with little or no current cybersecurity capability and larger enterprises are a good fit for a managed security services provider. The larger enterprise can address the challenges of scale and volume, helping their internal security teams “to be more efficient without the need to increase headcount or overwork employees”, according to Eoin Keary, co-founder and chief executive of edgescan.
For smaller organisations without a dedicated IT team, let alone a dedicated security team, there’s an obvious benefit in outsourcing cybersecurity. But even those in the middle ground, with an existing security team, will find it helpful as a “means of staying on top of the key emerging threats”, Simon Strutt, head of consulting and pre-sales at SysGroup, says “as this can be challenging when there are many other areas of strategic focus”.
Managed services deliver economic and efficiency benefit
So, what are the economic and efficiency benefits of a MSSP over having an in-house SOC? Outsourcing security to a MSSP enables organisations to benefit from the expertise, threat intelligence and capabilities of larger security firms dedicated to the task.
“Partnering with an MSSP should lead to a significant reduction in the time it takes to detect and mitigate threats,” BT’s Brown insists, “for example, where their MSSP is using big data techniques and visual analytics to automate security processes and increase the productivity of security teams.”
And, as Matt Gyde, chief executive at NTT Security, points out, this means in-house security teams can “focus on revenue-generation activities that are more aligned to the business”.
Accordingly, return on investment can be almost immediate. It’s a matter of economies of scale, with MSSPs being able to invest in tooling and threat intelligence capabilities that would otherwise be out of reach to all but the biggest enterprise.
“At scale, knowledge from multiple customers can help with both understanding and awareness of emerging threats,” Smith at Secureworks explains. If a managed security services provider sees a threat that is impacting a single customer, it will be investigated and all other customers will then get protection from it as well.
“If you choose to work with partners on things that are not core to your business, such as email or human resources systems, why wouldn’t you also work with a partner on something as specialised as security operations?” Smith asks.
The risk manager remains within your organisation
Which doesn’t mean you can outsource risk or responsibility. Your data remains your data, as does the legal and moral responsibility for protecting it.
“You need to retain the strategic thinking around security and have people in your business who understand how cybersecurity interacts with business risk,” Adrian Taylor, chief technology officer at ITC Secure warns. “You can then set your MSSP to work delivering against the standards you have defined and hold them to account.”
Partnering with an MSSP should lead to a significant reduction in the time it takes to detect and mitigate threats
In other words, if you have existing technical people doing the work of the managed services security provider, keep them and make their role more strategic. After all, you need to know your MSSP is doing the job correctly. “Remember that it’s your business, which only you can fully understand in context,” Taylor adds, “and even if you use an MSSP you will need people to do that.”
While a managed services security provider can deliver on the National Cyber Security Centre’s Cyber Security Essentials scheme at a reasonable cost, the relationship should be that of a trusted adviser to the business with the understanding of preparing a one, three or maybe five-year technology plan.
As Ian Thornton-Trump, chief information security officer at Cyjax, concludes: “Improving customer security through controls and a technological roadmap is truly the win-win cybersecurity scenario everyone is in need of.”