Although perhaps reluctant to admit it, security professionals are caught between a rock and a hard place. Three market trends mean that they are under more pressure than ever before, with the pain only set to grow: the scale and effectiveness of the threat landscape are increasing; regulatory reforms add a growing compliance burden; and with ever more CIOs marching to the beat of digital transformation, the CISO is exposed to ever greater levels of risk.
In the face of this triple threat, existing resources and approaches to security are being exposed as insufficient even to maintain the status quo for enterprises. In large part, this is a question of resources. With no let-up in sight for the global security skills shortage, none but the very largest banks, telcos and government bodies can offer the scale, variety and intensity of work required to attract and retain skilled professionals.
Ready to step into this gap is the growing ecosystem of managed security services (MSS) providers. For starters, these are the organisations that are winning the global security skills arms race. MSS providers can boast not just robust talent pipelines and development opportunities, but also the ability to offer employees varied and interesting work supporting multiple clients internationally.
Security professionals increasingly accept that MSS is at least part of the answer, although this acknowledgement is often grudging, given the common cultural assumption that needing third-party support is an admission of failure. However, the sheer scale of the triple challenge outlined above means that gaps are appearing in enterprises' ability to deliver security. In fact, "gaps" is the operative word here: enterprises are taking a pragmatic approach to engaging MSS providers, using them to plug specific deficiencies in resourcing.
Consequently, a common way of engaging MSSPs is to use them to shift internal resources away from lower-value, repeatable activities such as "security device" (e.g., firewall, IPS) management. This frees up in-house staff to focus on critical, higher-value activities such as encryption management. As MSSPs demonstrate their capability to customers, they are commonly rewarded with greater responsibility, and it is in this way that strategic relationships form over time.
Plugging resource gaps is a compelling argument, but there is more to MSSPs' armoury than that. For example, MSSPs' investment in automation and industrialised delivery models means that they can provide these services at a more effective price point than in-house delivery. Further, engaging third-party providers on a managed service basis offers greater cost transparency than in-house delivery, since the service is priced and measured against a defined scope.
Enterprises, and particularly their security teams, remain cautious about engaging MSSPs. There is good reason for their caution, including the perfectly reasonable concern that their jobs may be at risk. However, the scale of the challenge means that finding enough work for in-house staff is unlikely to be a concern in the foreseeable future. Further, given the risk that externalising security operations to a third party may erode visibility into the organisation's own security posture, IDC believes that mixed teams, combining internal and external resources, are best practice.
MSSPs must be careful to craft go-to-market messages that address not only the cost and capability benefits they provide, but also how they can make the most of customers' existing investments and resources. Those that can walk this tightrope will be well positioned to take advantage of intensifying demand.
Complete the IDC Cyber Risk Assessment for help making informed decisions around cyber risk strategy and to understand the benefits associated with increasing your readiness in the face of evolving threats.
Dominic Trott is research manager for IDC's European Security Research team, covering both products and services.