How small companies can find the right inexpensive cybersecurity solutions.
The complexity and requirements of a modern cybersecurity program have made it difficult for many businesses to implement and maintain sufficient cybersecurity capabilities. Executives have become overwhelmed with the threat of a breach, compliance, exploding security budgets and frankly, not understanding what information security really is and how it is best managed. A solution that organizations are increasingly touting is partnering with a managed security service provider (MSSP) to empower their security organizations with the people, processes and technology to secure their critical assets and data.
In the past year, cyber attackers compromised over 1 billion accounts and records. According to Gartner, cybercrime costs will reach $2 trillion USD by 2019 and cybersecurity spending will reach $1 trillion USD by next year. This year has proven to be the tipping point for businesses and cybercrime. Despite massive breaches involving countless organizations over the past several years including attacks on blue chip companies like Target and Home Depot, government entities like OPM and the CIA, and a who’s who of other organizations across industries and geographies, the real costs to the organizations themselves didn’t appear to be that significant… until now. CEOs have lost their jobs and been interrogated by the U.S. Senate, stock prices have plummeted, customers have abandoned brands, and businesses have closed their doors.
While we are not going to highlight the much debated “60% of all small businesses are out of business 6 months after a breach” statistic that was debated in Congress, we are going to point to a Ponemon Institute survey that states 55% of small and mid-sized businesses reported experiencing a cyber-attack within the past 12 months, but only 14% considered their security defenses to be highly effective. Another recent survey by Netwrix found that only 25% of small businesses feel that they are not well prepared for a cyber-attack, citing lack of budget (57%), insufficient staff training (37%), and lack of time (54%) as obstacles.
In a recent survey by 451 Research of 301 U.S. IT security professionals, 87% reported planning to migrate to a security-as-a-service (SaaS) model within the next year. A separate survey of in-house IT security professionals from February 2017 reported that 86% of IT security professionals either already partner or plan to partner with an MSSP to handle many of the Security Operations Center (SOC) responsibilities to monitor, analyze and respond to security incidents. We have gathered 5 critical reasons why MSSPs have become an increasingly popular solution for businesses looking to secure their data environments.
In many organizations, security tools and technology can generate up to 2.7 billion actions per month, including logins, uploads, and others. A tiny fraction of these are actual threats – less than one in one million. In a security research study, more than 31% of respondents admitted ignoring alerts altogether because they think so many alerts are false positives, and more than 40% feel that the alerts they receive lack actionable intelligence.
Some organizations have up to 20 different cybersecurity solutions and nearly half use more than 6. Most of these solutions have integration issues, creating data silos that are inefficient, ineffective and almost always generate additional security threats. MSSPs typically have integrated technical solutions that leverage best-of-breed technologies that have been integrated over time by specialists for companies of all shapes and sizes. More importantly, MSSPs have scale and are able to spread the fixed cost of their technology investment across a broad customer base, hence passing the savings onto the customer.
MSSPs maintain leading-edge, advanced security technologies that have often been tested across many organizations in diverse geographies handling a variety of threats. Further, the services offered by MSSPs continue to evolve, and now include endpoint protection, vulnerability scans, web application vulnerability monitoring, firewall management, logging and monitoring and configuration management, just to name a few. New offerings continue to come to market, like Security Operations Center-as-a-Service, Deception, or Cyber Threat Hunt Operations, all of which have increased in deployments in the past year. Many MSSPs are incorporating advanced technologies or capabilities, like machine learning, artificial intelligence and dark web cyber threat intelligence. These capabilities are a major driver for partnering with an MSSP. In one recent survey of 400 SMEs in the US and the UK, 24% reported wanting to outsource security to improve performance. In another global survey of 1,350 decision makers, those planning to use an MSSP (23%) reported that lack of internal skills (31%) and a desire for access to better technology (27%) were the drivers for the migration.
Even for organizations with the budgets to buy the latest and greatest technologies, the most difficult challenge is building a layered or defense-in-depth solution that effectively protects the organization. Strong defensive programs build security countermeasures and integration into their perimeter, endpoints, internal network, and data itself. These multiple layers of tools are often difficult to synchronize, and each generates its own logs, alerts and data, which then become very difficult to aggregate and analyze. MSSPs handle this normalization process seamlessly and can solve the challenge of aggregation, correlation, and alert tuning.
The bottom line is that specialists that provide managed security support services are more effective at protecting organizations than in-house security teams in the vast majority of cases. In addition, quality MSSPs offer service level agreements (SLAs) which essentially provide their clients guidelines concerning incident response times and other guarantees in the event of any security incidents. These commitments alone have driven many organizations to seek the protection of an MSSP and shift the risk away from the organization to a specialized third party.
Modern cybersecurity programs are costly to build and maintain. The tools and capabilities mentioned above often require dedicated hardware or appliances to run, and frequently come with an annual licensing cost. In addition, staff salaries and the training required to use the new tools add to the cost. MSSPs allow businesses to replace large, frequent capital expenditures associated with investing in new cybersecurity tools and capabilities with predictable, ongoing operational costs.
Thus, for a fraction of the cost, businesses can leverage an MSSP to provide 24×7 coverage. When factoring in the total costs of security – especially hiring or training cybersecurity staff to maintain the latest tools (cybersecurity salaries are rising at almost 7% and frequently start at $100,000+) – MSSPs can provide an immediate return on investment (ROI) for businesses deciding between building a security capability internally and outsourcing to an MSSP. One recent study by CompTIA reported that 46% of managed IT service users have cut their annual IT costs by 25% or more.
Staffing issues are a particular area of savings. In a field expected to have more than 1.5 million unfilled positions by 2020, this alone can be a challenge. MSSPs are able to provide the staffing and diverse security skillsets by distributing the cost to a broad base of clients, providing a shared service so that each customer does not need to bear the cost alone. In a significant Forrester research report, migration to a network security MSSP provided an ROI of 152%, with total benefits of $1.3 million from cost savings over 3 years. Further, in the case of smaller organizations, MSSPs provide companies with access to expertise and technology that would be financially impossible to build in-house.
The security world has been wondering when organizations will take protecting their customers, employees and data seriously. Executives have historically pushed this issue down to their CISO, IT Security Managers or other employees, all while pleading ignorance when a breach occurred under their watch. As was suggested earlier, this year has proven to be a tipping point and executives are being asked by their boards and stakeholders to prove that the organization is protected.
The issue has become so significant in many organizations that the security diversion has shifted the business leaders’ focus from executing the company mission of making money and serving its customers to creating a viable security organization. As the best experts in the security business say, “Amateurs mitigate risk, professionals manage risk.” What that means is that there will always be risk and it is not possible to eliminate every risk; however, risk needs to be managed in a cost-effective way that is aligned with the business objectives.
Cybersecurity needs to support the mission of the organization, mitigate, transfer, or accept risks, and communicate risks to leadership. Too often, cybersecurity professionals get wrapped up in the latest and greatest tools, implementing security for the sake of security and disconnecting from real business needs. The requirement to balance security needs with business objectives has long challenged IT organizations large and small. As the complexity of attacks continues to increase, the requirements for defensive capabilities have challenged and strained organizations.
Capabilities like big data analytics, dark web monitoring, or advanced threat anomaly detection can be time-sinks for organizations – distracting from core missions and top risks. Partnering with an MSSP is one way businesses reduce the requirements associated with maintaining a cybersecurity program, allowing their executives to change focus from the fear of a breach back squarely onto core business needs.
Ultimately security is not a technical issue; it is a business issue and must be managed so that the business and its executives can maintain a laser focus on the mission of the organization. The organization exists to serve customers, protect and engage its employees and deliver value to its shareholders.
One critical item that business leaders have learned over the past couple of years is that information security is more than technology. As we’ve heard repeatedly, it is the people, processes and technology, and unfortunately the process piece seems to get lost on so many business leaders. When implementing a security program, businesses need to align the program to the business needs, understand the risk tolerance of the business, put ISO, NIST, or CSC controls in place, set goals concerning how their organization should manage the controls and, ultimately, how to improve their overall security posture without overspending.
Many businesses face industry-specific challenges. Retail businesses often need to meet the Payment Card Industry Data Security Standard (PCI DSS), a complex set of security controls that includes access management, endpoint protection, and secure development. Healthcare providers must meet the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule. Publicly traded companies must meet Sarbanes-Oxley (SOX) requirements.
These are only a few of the industry-specific compliance challenges. Each industry faces different risks, challenges, and threats. The healthcare industry faces insider threat issues challenging confidentiality of patient data. Financial services businesses must secure sensitive financial information and deal with a myriad of regulatory requirements. Manufacturing, government, and transportation industries round out the 5 most cyber-attacked industries, and each has a very different set of challenges to manage, including ICS and SCADA security problems.
Quality MSSPs provide assistance to businesses to not only meet compliance needs, but also to tailor their cybersecurity program to the unique needs and risks specific to each industry. Quality MSSPs have consultants whose expertise lies in implementing controls, managing risk, and developing customized IT security strategies to meet business goals.
Building an information security program, putting controls in place, measuring those controls against a standard, managing vulnerabilities and conducting penetration tests all require an assortment of technical skills typically possessed by a variety of people with hard-earned certifications. MSSPs can build an information security program by plugging in specialists where the organization’s needs are greatest.
By tailoring cybersecurity services to the top risks and compliance needs applicable to each business, MSSPs are able to maximize return on investment while addressing the most pressing risks and needs.
A critical advantage of an MSSP is rooted in the technology they leverage to protect their clients. As we suggested earlier, while the technology that fills the halls of RSA and Black Hat is leading edge, none of it provides a silver bullet, and even the best-of-breed layered security solutions have been compromised.
MSSPs will not only have operated and tested most of this technology, but they also either build solutions organically from what they have tested or integrate it into their overall solution. The benefit to the organizations that they serve is that the MSSPs use technology that matches the needs of their clients and the skillset of their workforce. Further, there are no bells and whistles to turn off and on or a need to hire experts to configure and manage the technology.
A premium MSSP goes beyond implementing their own technology to managing and integrating the technology that the client currently uses. Collecting logs and data from a variety of diverse sources and normalizing that data so that it can be analyzed and used to proactively hunt threats and eliminate vulnerabilities is critical.
Nearly every organization has implemented a layered security or defense-in-depth model; however, best-of-breed technologies are not geared to communicate with one another, and every technology leaves gaps that must be addressed to have a bulletproof solution.
MSSPs offer cybersecurity technologies to help businesses mitigate cybersecurity risk. They do so around the globe and for businesses in many different industries, of different sizes. This experience has given MSSPs the advantage of building defense solutions that are able to be adapted to a variety of customers and environments. Further, because MSSPs deploy services and solutions and are not in the business of selling boxes and technology, they can use technology to assess controls, deliver gap analysis reports, measure system and organizational security posture, and red flag the critical vulnerabilities that are so often the opening sophisticated cyber-criminals use to attack even the most secure organizations.
Superior protection, cost savings, business focus, security experts and leading-edge technology are the 5 benefits organizations should expect when they look outside of their organization for information security support. Managed security service providers have the responsibility of providing their customers assurance that their organization is protected through integrated, tested and proven technology accompanied with well-defined service level agreements. Cost savings should be delivered by eliminating upfront costs and providing predictable periodic costs.
Executives should have the flexibility to turn to experts to empower their own security teams so that the business and its customers can remain the focus of the organization. In addition, quality managed security service providers should provide a tailor-made solution from the information security framework to the controls to periodic testing and change management, all within a single vision delivered by a single team of experts. Finally, with the number of organizational assets, diverse logs, and vulnerabilities, the technology needs to be that single pane of glass that organizations can use to monitor the security posture of the organization and manage the system risk seamlessly.
The cybersecurity industry is growing for a very clear reason: there are more attacks each year and each breach appears to be more damaging than the last. We are at a tipping point because organizations are experiencing fallout from these breaches that is dramatically worse than previous breaches. That said, this tipping point presents an opportunity for organizations to look for solutions that are more effective and cost efficient than what they have created organically. Perhaps the 5 benefits that have been outlined in this blog post will provide a guide for you to assess how to protect your business.