Organizations are turning to managed security service providers for help in boosting data security and regulatory compliance.
Organizations continue to make significant investments in cybersecurity, but cybersecurity incidents continue to make headlines. Last year, Marriott/Starwood hotels reported a massive breach exposing more than 337 million records containing customer addresses, phone numbers and emails. In 2017, credit reporting agency Equifax reported that it had suffered a data breach that exposed the sensitive information of as many as 143 million consumers. The WannaCry ransomware worm also hit thousands of organizations in 2017 in a coordinated global cyberattack.
Many of these incidents could have been prevented by the timely application of security patches and updates. According to a recent alert from the U.S. Computer Emergency Readiness Team, about 85 percent of successful security breaches — including the Equifax hack — involve systems that have not been patched.
Many organizations are simply unable to keep up with security updates and other maintenance tasks. This has led to increasing adoption of managed security services, in which organizations turn over the administration of security systems and controls to a team of third-party experts.
Outsourcing to a managed security service provider (MSSP) can improve an organization’s security posture and facilitate regulatory compliance while reducing the burden on in-house IT teams. Partnering with an MSSP can be particularly beneficial for small to midsize businesses (SMBs) that lack the manpower and expertise to monitor their systems and networks and manage security tools.
"Rising awareness among CEOs and boards of directors about the business impact of security incidents and an evolving regulatory landscape have led to continued spending on security products and services," said Sid Deshpande, principal research analyst at Gartner. "However, improving security is not just about spending on new technologies. As seen in the recent spate of global security incidents, doing the basics right has never been more important.”
Closing the Skills Gap
Maintaining a strong security posture is increasingly challenging given the widening cybersecurity skills gap. In a recent survey by the Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG), 70 percent of cybersecurity professionals said that the shortage of qualified cybersecurity professionals is getting worse and having a negative impact on their organizations.
MSSPs can help close this gap by leveraging economies of scale. An MSSP’s team of experts performs a common set of security tasks for multiple customers and utilizes remote monitoring and management tools to increase efficiency.
Many managed services providers (MSPs) offer basic security services as part of their offerings. This may include managed firewalls, antimalware and spam blocking, as well as the application of patches and security updates to servers and desktop systems. Remote monitoring and management allows MSPs to detect security breaches and take action to mitigate the threat.
True MSSPs typically provide a broader suite of services. In addition to the basics, the MSSP may offer intrusion detection and prevention, content filtering, email security, encryption and data loss prevention, secure remote access, and mobile device management. Outsourcing to an MSSP frees organizations from making investments in security appliances, software and monitoring, and maintaining in-house security skill sets.
But the real value lies in the expertise the MSSP brings to the table. The best MSSPs employ security specialists who are certified in a broad range of security products from a variety of vendors. This gives them the freedom to select best-of-breed solutions and offer a turnkey service that mitigates common security threats.
“Customers want solutions that solve problems, rather than mere alerts to a potential problem,” said Frost & Sullivan Digital Transformation Research Director Adrian Drozd.
The Compliance Conundrum
MSSPs will perform a thorough review of the IT environment and run security scans to gain a baseline of the organization’s security posture. They will also sit down with stakeholders throughout the organization to understand the threats that pose the greatest risk to the business. Only then can they develop a cybersecurity strategy that precisely meets the organization’s needs.
Because security is not a “set and forget” proposition, MSSPs handle modifications and upgrades of critical applications and network devices, and perform regular security reviews. MSSPs can also generate detailed reports on how the security infrastructure is performing, which can improve compliance with regulations such as Sarbanes-Oxley, HIPAA and the Payment Card Industry Data Security Standard. In fact, the increasing need for compliance with regulatory requirements is helping to drive the adoption of managed security services.
However, confusion over regulatory policies remains an issue in many industries due to variations in liability for security breaches. Some organizations believe they won’t be targeted by a cyberattack, and that if one does occur, any costs and regulatory penalties will be limited.
These organizations continue to be reluctant to outsource to MSSPs due to budget constraints and doubts about ROI benefits. MSSPs should educate these organizations about the tangible benefits of outsourcing cybersecurity, as well as the damages that a serious data breach can entail.
Security products continue to improve in capability, yet there is no evidence of a decline in the number and variety of network attacks. At the same time, an increasing number of regulatory mandates are forcing organizations of all sizes to boost data security and privacy.
Outsourcing to an MSSP allows organizations to improve security, comply with regulations, reduce costs and concentrate on core business processes. As security challenges continue to grow unabated, managed security services become increasingly attractive.