Years ago it would have been unthinkable to give up control to securing your most valuable assets. But for some companies the risk of handing the security keys to a third party is less than the idea of facing the daily barrage of attacks.
When asked why a company would cede control, many vendors said it depends on the level of staffing that company has. If the expertise is lacking, why take the chance. Or if it is a small to midsize enterprise, maybe there is just not a budget for creating a security staff up to the level needed. Therefore, partnering with a managed security services provider (MSSP) has become almost a must when faced with worries over data theft and the number of mobile devices entering the workplace.
MSSPs are specialists in IT security, said Alertsec’s CEO Ebba Blitz, and as they serve several clients they have the capability to be up-to-speed with advanced requests. “If a company is big enough to staff its own IT department, with the same capabilities, then they’ll most likely do that. However, if you are an SMB and don’t have the resources, then an MSSP may prove to be the better choice.”
However, Pat Patterson, vice president of strategic architecture at Optiv, wrote recently that choosing an MSSP should not be done simply to “throw the security responsibility over the fence.” “Hopefully the days are gone when security leaders believe they simply can hand their entire security monitoring and incident response programs off to third parties and expect to be successful. Engaging an MSSP will not fix a broken information security process. In fact, it can easily highlight poorly defined processes or areas where no process exists.”
Alvaro Hoyos, chief information security officer at OneLogin, said when debating outsourcing security it parallels the SaaS versus on-premise app argument, or the more recent IaaS versus build your own data center. Those two discussions are still being had, but the pendulum for a lot of companies has swung in the direction of cloud service providers.
According to a recent report from Trustwave, for a second consecutive year, the number of respondents reported that their security is installed and maintained entirely by their in-house IT staff and security teams dropped – this year to 67 percent. Twenty-six percent of respondent organizations are involved in a partnership between in-house teams and an MSSP. Another 5 percent delegate the entirety of their security solution set to an MSSP, and 2 percent answered “other.”
Trustwave’s report also stated as to their plans to partner with an MSSP, 43 percent already do, which rose from 39 percent in last year’s report. That stat is considerably more pronounced in the United States, where 53 percent of respondents already use managed security services – a 14 percent leap from last year. Another 40 percent overall plan to partner with an MSSP in the future, with 17 percent indicating such an arrangement appears unlikely.
Sign up for CIO Asia eNewsletters.