It’s no secret that more organizations are turning to managed IT services.
A recent report from Frost & Sullivan uncovers one reason why managed security services, specifically, are taking off like wildfire: a shortage of security professionals. According to the report, businesses are feeling the strain of that shortfall already.
Configuration mistakes and oversights, for example, were cited by 65 percent of survey respondents as a “top” or “high” concern. In addition, “remediation time following system or data compromises is steadily getting longer”, the report read.
“The net result is that information security professionals are increasingly cornered into a reactionary role of identifying compromises, recovering from mistakes and addressing security incidents as they occur rather than proactively mitigating the contributing factors.”
More than 60 percent of respondents to the survey – a joint effort by Frost & Sullivan, the International Information System Security Certification Consortium (ISC2), consultancy Booz Allen Hamilton and security professional placement firm Cyber 360 – said their companies have too few information security professionals, compared to 56 percent in the 2013 survey. Frost & Sullivan estimates that the shortfall in the global information security workforce will reach 1.5 million jobs by 2020.
The 2015 Global Information Security Workforce Study, conducted online from October 2014 to January 2015, polled almost 14,000 security professionals from small, midsize and large companies in a number of industries.
The security staff shortage, coupled with a growing number of security threats, is posing a tricky situation for organizations across the board. They plan to respond by increasing their investment in security technology, in-house personnel, and outsourced security services.
About 30 percent of survey respondents said they plan to increase spending on managed or outsourced security services in the next 12 months. Aimed mostly at augmenting security teams, rather than replacing them, outsourcing is an increasingly popular option for a number of reasons, including a “lack of in-house skills” (49 percent), a “temporary need for flex force capacity” (30 percent) and “recruiting limitations” (26 percent).
The rising cost of security operations is playing an important role as well. “It is less expensive” was cited as a reason to outsource by 30 percent. Twenty-three percent named outsourcing as a means of “alleviating the burden of tedious tasks”, and 18 percent cited “difficulty in retaining staff”.
Of course, outsourcing one’s security operations requires due diligence and caution. The service provider needs to be reliable, trustworthy and qualified.
Respondents to the Frost & Sullivan survey looked at a number of factors when sizing up security service providers. The number one criterion in selecting a provider, cited by 55 percent, was pricing. Next, they want a provider to stand behind its product with a service-level agreement (cited by 50 percent).
Forty-nine percent of respondents said they choose a provider based on the quality and number of security people, 33 percent use the number of years in business as a key criterion, 30 percent cited breadth of service, and 22 percent cited brand name.
And the security operations most outsourced by survey respondents? Threat intelligence, research, detection, forensics and remediation (40 percent). Number two, with 37 percent, was security asset management and monitoring (firewall and intrusion prevention systems, for example), and number three, with 28 percent, was risk and compliance management.
Here are the top three ways that survey respondents said they’re using professional security services:
– Implementation services (integration, installation, migration, lifecycle management) – 34 percent
– Technical services (audits, breach management) – 34 percent
– Security advisory services (strategy, governance/compliance, training) – 26 percent
Cloud-based security services, otherwise known as SECaaS, were placed in their own category in the Frost & Sullivan report, although they’re still considered part of the outsourced security services landscape.
There’s no question that more organizations perceive the cloud as a priority, but security concerns around cloud services persist.
Among survey respondents, 43 percent said using cloud services is currently a “top” or “high” priority, while 57 percent said it will be so over the next couple of years. Yet concerns are legion, with the most prominent being data breaches (76 percent), data loss (73 percent), account hijacking (61 percent), malicious insiders (59 percent) and insufficient due diligence (57 percent).
Ultimately, service providers hoping to win new contracts – and mindshare – will need to allay organizations’ concerns about using the cloud to manage security operations.
Respondents said they’d like to see providers acquire specialized cloud security skills. “Application of security controls to cloud environments” was named by 66 percent, “knowledge of risks, vulnerabilities and threats” wasn’t far behind, with 65 percent, and an “enhanced understanding of security guidelines” was cited by 62 percent.
The old adage positing that “knowledge is power” holds sway here, as it does elsewhere, and one of the best ways for MSPs to assuage fears will be to gain as much expertise as they possibly can.
The more confident businesses are in a service provider’s ability to keep their systems and data safe and secure, the more likely they’ll be to hand over the keys to their security operations.