Recently I heard from a CISO who described the state and mood of his IT security team when he joined the company roughly 18 months ago. "Rudderless" was one word he used. "Defeated" was another.
His immediate objective was to stabilize what was left of the group. To do that, he required resources, support and investment. Ultimately, he wanted to grow his team and make his company a desirable destination for talented security professionals who want to be challenged.
"But you can't do that stuff until you hit the basics," he said. "And that's where we were looking for help: with the blocking and tackling…Then I could recruit for the cool stuff."
The CISO sought help from a managed security services provider for tasks like managing vulnerabilities and devices, and triaging alerts. In doing so, he became just one of countless security leaders who have recognized the value of MSSPs that provide end-to-end cover and amplification for organizations that lack the internal capabilities. Sometimes it is the basic security stuff, sometimes it is the more advanced stuff, sometimes it is everything.
Nothing is quite as terrifying as the fear of the unknown - and that includes advanced cyberattacks (including ransomware) executed by highly motivated adversaries. Simply put, resource-deprived organizations will struggle to detect and impede these threats across all of the vectors they must defend and respond to. But MSSPs can step up to the plate through the knowledge and specialization they acquire from breach investigations, threat intelligence fed into their security operations centers, telemetry captured from their security technologies and, of course, old-fashioned nose-to-the-grindstone research.
Have you ever been excited about a purchase until you opened up the box and became overwhelmed by how to put all the parts together? The same goes for security products, which often are jettisoned because of their complexity. Unused or underutilized security products - commonly referred to as shelfware - present two sets of problems: First, they waste money and second, they sit collecting dust without helping to achieve their purpose. MSSPs don't get paid for unimplemented systems. By definition, they have the skills and time to deploy any system they manage.
If you've heard it once, you've heard it a million times: There is a glaring skills shortage in the information security profession. And speaking of million, one analyst firm projects there will be 1.5 million unfilled security positions by 2020. What complicates matters even further is that security is getting harder to do because your foes are getting more advanced at avoiding detection and are capitalizing on the many avenues of attack at their disposal. MSSPs are one way to close this troubling talent gap.
Despite security spending increasing, the needs faced by organizations continue to generally outpace available funds. Further confounding the budgeting process is that - because of the multi-faceted nature of the threat landscape - forecasting future security outlay is an inexact science. One way to mitigate the uncertainty is to ally with MSSPs, which can help you save money on expenses like security operations centers, upfront capital costs for best-of-breed systems, recruitment and training, and new headcount (which may be difficult to obtain).
As mentioned in the CISO anecdote above, some companies prefer that MSSPs only help them address their foundational security elements. These responsibilities can be burdensome to resource-strained entities, especially ones facing a growing attack surface. MSSPs can help automate tedious, labor-intensive tasks across locations.
On the other hand, some organizations choose to handle the basics in-house and offload the security responsibilities requiring the deepest skill sets to a partner. MDR service providers are often flush with talent and are adept in the more intricate (and increasingly critical) disciplines of security, including penetration testing, threat hunting and incident response.
While most organizations initially assume the primary benefit of an MSSP is to improve security outcomes, the accelerated pace at which MSSPs permit security to be deployed and maintained can actually speed up IT projects that affect the top line of the business. So instead of being stuck in a security quagmire, you can hand off this predicament to an MSSP, freeing you up to guide the IT team's efforts toward ROI-generating work.
Nobody knows the digital confines of your organization quite like you do. But as more businesses shed their prevention-focused mindset - and more ambitiously consider the importance of detecting threats before they can cause harm - turning to an MSSP, which has the intelligence reach to uncover things you didn't know were happening on your expanding network, will come in handy.
So there you have it: the primary reasons why organizations say they are growing progressively comfortable with partnering with a managed security provider. And given the threat and business drivers at play here, such an arrangement soon will become essentially mandatory, if it hasn't already.
Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.