Good experts are rare, but there is an abundance of threats. Contrasts such as these characterize an era of IT security in which more and more IT managers and CISOs are considering whether they should transfer some or all of their IT security functions to a managed security service provider. Their own resources play just as much a role as tactical and strategic arguments. Accordingly, an MSSP appears to be either a nice-to-have or the only sensible option.
The decision in favor of a Managed Security Service Provider (MSSP) requires good arguments and tangible benefits. These can be found primarily in three areas: expanded capabilities (“skills”), expanded use of security budgets and improved security outcomes. Of course, not every MSSP is right for an organization, just as bringing in an MSSP is not the answer to every problem. However, when considered in a differentiated way, the areas mentioned provide a wealth of arguments of varying strength in favor of the MSSP model. The differentiation includes variables such as organization size, industry, location, relative security budget, brand profile, specific security gaps or the overarching IT philosophy.
Carefully weigh up influencing factors
In practice, arguments have emerged that generally speak for the use of MSSPs. In the area of skills enhancement, MSSPs allow organizations to focus on functions that add more value and are of strategic importance to the business. In terms of budget, MSSPs give organizations access to multiple experts, while the organizations pay only for what they actually need. When it comes to the security argument, surveys, reports and analyst reports point out that many IT security teams in organizations are struggling with missed opportunities and full-blown deficiencies. There are many concrete examples of individual aspects where MSSPs bring tangible benefits:
Producing reliable security
In terms of security outcomes, for example, MSSPs help to cover more threat vectors. They also ensure that systems are more up-to-date. In addition, MSSPs are likely to be the first to discover new or evolving threats. As experts, they are predestined to always use the latest practices. Typically, MSSPs are faster than in-house management when it comes to increasing capacity, staff and systems, and they are generally faster at developing new skills to combat new threats. They are also much more familiar with security tools.
Another aspect that is often underestimated is shelfware. MSSPs help to reduce shelfware, i.e. unused software, because they are only paid for implemented systems. According to a study by Osterman Research*, up to 60% of security software remains unused. This happens because IT organizations often lack the time and expertise to adequately implement security software. MSSPs provide the necessary time and resources to implement the security they manage themselves.
Getting the most out of the budget
When it comes to security budgets, the maxim is to achieve more with less. However, IT teams are often faced with dilemmas, such as a missing or severely limited Security Operations Center (SOC), insufficient staffing levels in the face of an increasing range of threats and a lack of time, as non-experts take longer to complete security tasks. An inadequate recruitment budget can also be a hindrance, as security experts are in high demand and often change jobs or have to be replaced. On the other hand, it may also be that the security tasks themselves do not justify a full-time equivalent.
In many cases, MSSPs can provide a remedy here. An MSSP provides a 24/7 SOC, i.e. the customer does not have to establish and staff their own. In addition, when working with MSSPs, recruitment or training costs are either completely eliminated or greatly reduced. Furthermore, an MSSP can minimize or completely eliminate major acquisition costs for best-of-breed systems or additional equipment. They often provide equipment on a subscription basis, and the MSSP model often includes the option to manage existing systems and add new functionality. Some organizations consider requests for staff augmentation more critical than those for outsourcing. Here, managed services allow more flexibility when it comes to adding or removing people without bureaucratic or political obstacles.
Skills gaps increase the risk
A broad, important area is the question of skills and how to maintain or expand them. It is well known that it is difficult to find, train and retain qualified IT security specialists across all industries. At the same time, there is a broad consensus that the number of attackers, attack techniques and attack surfaces are increasing to such an extent that it is difficult to keep up in terms of IT security budgets, team size and countermeasures. There is a noticeable shortage of specialists. Even Fortune 500 companies with notoriously large budgets, strong recruitment power and attractive fringe benefits are struggling to fill their IT security positions. It is even more difficult for medium-sized companies with smaller budgets.
This situation not only creates a skills gap, but also has a practical impact on security: understaffed IT security teams postpone security tasks, and event streams and alerts that should be continuously monitored are overlooked. Some of the biggest security breaches in recent years (e.g. retail chain payment cards) occurred because, although sufficient detection systems were in place and producing alerts, these alerts were not correctly interpreted and tracked, as there were not enough security specialists on the team. Studies showing that a typical leak is discovered only after 188 days on average, and in 81% of cases by outsiders such as customers, security authorities or even the media, are not exactly reassuring.
To reduce risk in a time of talent shortages, IT security teams need to think outside the box. Increased training can help, but additional resources are needed. MSSPs and their specialists provide IT teams with the necessary support. The help can be broad or very focused, i.e. providing a smaller company with the full depth of expertise, for example, while a larger company may only require selective support. Generally speaking, MSSPs are able to manage a wide range of security devices, adapt and update policies and constantly look after and monitor systems for optimum protection.
Maximum benefit from MSSPs
There are classic areas that lend themselves to MSSP use. These include network security, application security, web and email security as well as security information and event management (SIEM). Excellent results can be achieved in these areas, as they depend more on a deep understanding of powerful security solutions than on in-depth knowledge of an organization’s internal processes. On the other hand, it is more difficult to take on data loss prevention functions without in-depth knowledge of employee behavior that is considered normal and acceptable (see blog post on behavioral analysis).
With regard to the first SOC level with 24/7 coverage, smaller and medium-sized companies can potentially benefit more and only pay for the expert time they actually need. Thanks to dashboards and command consoles, tasks can be flexibly assigned to experts. This allows customers to decide for themselves how much they transfer to an MSSP.
The area in which an MSSP brings the most benefits depends very much on the organization. It’s obvious that MSSPs improve security outcomes. But thanks to the faster deployment of security, MSSP engagement can also give a boost to IT projects that impact the organization’s revenue. For example, certain applications, cloud services and website enhancements that would otherwise face major delays due to unresolved security issues can go live sooner, contributing to strategic growth.
IT environments are becoming more complex, the number of attackers and attack techniques is growing and the attack surfaces are expanding. It is becoming increasingly difficult for IT teams to keep up, whether from a budget perspective, from a manpower perspective or in terms of new countermeasures. This scenario suggests that the pros and cons of MSSPs should be carefully considered.
* Source: “Is Your Security Software Sitting Unused on the Shelf?”; CIO Magazine, Feb. 26, 2015