So you can't find enough cyber-security experts to join the team. Time to dial a managed security service provider?
The benefits of outsourcing your IT's infosec – and what to look for. Here's our gentle guide for you
Backgrounder Managed security services are – by revenue – the fastest expanding field of cyber security, according to IDC, which reckons they should grow at a compound annual growth rate of 14.2 per cent to 2022. Gartner says managed and subscription-based security services will account for half of all cyber-security spending by 2020.
Other than the proliferation of cyber security threats that companies routinely have to combat on a daily basis, there are two major drivers.
One is the continuing global shortage of cyber-security professionals that makes skilled staff difficult to find and expensive to hire. The number of respondents reporting problematic shortage of cyber security skills according to a survey conducted by ESG Group in 2018-2019 was 53 per cent, up from 51 per cent in 2017-2018, and 45 per cent in 2016-2017.
As we find it harder to employ security staff, so it becomes practical to outsource cyber-security to those who have managed to snag themselves some experts.
The second driver comes from the need to comply with more stringent data privacy legislation, notably the European Union General Data Protection Regulation (GDPR) that came into force in May 2018. Rather than go it alone, many have put their trust in managed security service providers (MSSPs), who they hope will have the knowledge and experience to help them avoid a costly data breach.
What’s on offer from MSSPs?
Thanks to the rising challenges and growth in cloud-hosting, managed security service providers have evolved to provide a broad range of tools over and above the provision and administration of firewall and intruder detection and prevention systems that defined managed security services (MSS) some years ago. MSSPs routinely deliver a wealth of common security functions that include antivirus and spyware detection, web and email content filtering, endpoint protection, identity access management, virtual private network connectivity, and data encryption, to name just a few. Combinations are bundled into subscriptions that integrate software licenses, hardware rentals and access to management portals.
Patch management and upgrades are staple features of managed security services, along with monitoring and alerting tools for threat detection and weekly security reports. These use data from security logs across networks, devices, applications, and other systems, and they scan for evidence of foiled attacks and proof of suspicious activity from internal and external players. Consulting is also part of the modern mix: identifying security vulnerability and risk assessment using, for example, penetration testing and/or red-team ethical hacking processes to test existing defenses.
What not to expect
And that’s what you get on the tin. Just don’t expect to get everything included as standard.
For example, services like remediation are not always built in to your managed security service as a standard. Rather, the work of cleaning up identified security threats usually comes as a premium option, something that may be beyond the budget and requirement of the average SMB. In most cases, the MSSP will just inform you if it has discovered some vulnerabilities or if a cyber-attack is imminent or underway. They will then leave you to figure out how best to remediate the threat, often hoping to generate additional business should you need to call upon them as the cavalry.
This can be a bit of cold-water shock. As Gartner noted in its Q2 2019 Magic Quadrant for managed security services, monitoring is one thing, remediation quite another. “For other organisations that have little-to-no security team and a lower security operations maturity, the expectations are that the MSSP will do more than just issue an alert and let the customer fend for itself,” it stated. “They need the MSSP to take an active role in analysing, triaging, and then disrupting or containing the threat, i.e. they need the MSS to act as a first-level incident responder for them.”
Access to qualified security analysts can also be minimal. Skilled staff are at a premium with MSSPs, too, so providers will limit the time they spend on the phone to ensure their precious people are held back to help only the most complex issues. Buyers should therefore check whether their service provision includes access to an actual analyst or if they are limited to automated reports delivered to their inboxes.
Similarly, don’t think that the MSSP’s engineers will come a knocking when there’s a technical problem. Though this can probably be arranged as part of a supplemental deal, and fee, the advantage of having all those security tools hosted centrally is the MSSP doesn’t have to leave their own data center to apply patches and upgrades and reconfigure services. Everything can be done through remote access.
How to choose an MSSP
That’s the pitch, and you know what to beware. How, then, should you choose an MSSP?
It’s important to find an MSSP that is flexible enough to offer a customized service that can fit your budget. The thing to understand is that not all of the bigger providers will deliver MSS as a standalone service without requiring parallel spending by you on their accompanying security products. Such services often come courtesy of specialist hardware and software suppliers who have a portfolio of existing security products they want to “add value” to. It’s therefore worth noting that there exists a whole range of other MSSPs. Some of these have converted from generic managed service providers and value-added resellers, and are able to mix and match different services from different providers to offer a more flexible set of options according to scale, performance, and budget.
Product resale constitutes an important part of the revenue stream here, so you need to make a close assessment of where your potential provider is offering something of genuine value, or whether they are simply trying to cut out the middleman so that you take on their products faster.
Having navigated that, what are the characteristics to look for in a managed service?
Ease of use is vital. So look for a provider with a web portal that provides access to threat intelligence and activity reports presented in an easy-to-digest format and that will, ideally, also give assessments of compliance status. The availability of APIs between on- and off-premises tools means MSSPs can feed security monitoring information into other systems and compliance management applications. This is another plus.
Something else to look for is security incident and event management that offers network visibility, email security, threat detection, log management, alerting and compliance reporting under one service. The full package may be too complex and unwieldy for smaller companies, but lighter versions that replicate some of the same functionality will be easier to implement, to manage and to finance.
Not everybody will want or need access to security analysts, but some will like to have the option to occasionally discuss threats with a professional. In that case, make sure your MSSP has sufficient staff expertise, and has a security operations centres that can deliver round-the-clock monitoring and alerting. Make sure that the MSSP’s skills and professed knowledge matches their own systems architecture and regulatory obligations and, where needed, are tailored to the compliance requirements of specific verticals, such as in finance.
The fine print of any contract will be critical, especially service level agreements that will commit the provider to defined response times to things like applying security patches to systems. It can also be a good idea to integrate some form of cyber-security insurance and make sure both sides understand where their respective responsibilities lie for any data breach, particularly when deciding where sensitive information is stored (by country or legal jurisdiction) and how it is processed.
MSSPs are a growing force in IT. While they are certainly expedient, choosing a supplier wisely is important given the complexity and risks involved. Before you enter any relationship, ensure you have a clear understanding of your own requirements, that you have fully vetted the supplier and that you understood their service offering. Finally, set out the terms of the ongoing relationship. Do all that from the outset, and you will hopefully save yourself headaches down the line.
Supported by SonicWall.