Trust is a big issue, said Richard Henderson, global security strategist at Absolute. “It can take a lot of trust and convincing to move to that model, but the simple fact that we’ve seen an incredible explosion in the MSSP space is proof that for those that use it, like it. Any security organization inside a small or midsized company should at the very least evaluate the possibilities of integrating some MSSP offerings into their world.”
He also added that there is a reality that security human resources are often hard to find, hard to keep, and hard to keep happy. “Many security positions are thankless jobs, and when things go wrong, the amount of stress placed on these employees can be staggering. And if you’re a company located in a smaller ‘uncool’ city, it can be difficult or impossible to recruit top-quality talent.”
Cisco’s 2017 Security Capabilities Benchmark Study found that most organizations rely on third-party vendors for at least 20 percent of their security, and those who rely most heavily on these resources are most likely to expand their use in the future.
Rod Murchison, vice president of product management at CrowdStrike, said with the increased volume and sophistication of cyber threats that organizations must deal with, there is a value proposition to working with an MSSP, whether for all or part of your security operations. “Some MSSPs are able to work with security solution providers through APIs, creating truly unique offerings that unlock real value while minimizing complexity for the end user. This level of sophistication and integration can provide MSSP customers with the perfect combination of capabilities to protect their particular network.”
In some cases for companies struggling or for startups, Trish Tobin, FireEye's director of product marketing, said MSSPs can assist security leaders in designing the overall program, building the SOC, training staff and providing incident response. “As their security programs evolve, organizations strive to improve threat detection and incident response capabilities. More often than not, they are constrained by a lack of skilled security expertise as well as lack of visibility into new techniques being used by targeted threat actors.”
Scottie Cole, network and security administrator at AppRiver, favors a well-trained in-house security team over a managed security service. In-house security teams understand the requirements for both the company’s security needs as well as the company’s goals. “The downside to an in-house security team for many companies is the cost to maintain the team. Well trained, quality talent can be expensive to employ. Another added cost is continuing education for the team, whether it be for trainings, seminars, or re-certification.”
If cost is an issue, then a managed security service is the next best thing, Cole adds. “There are many companies that offer high quality, well-trained individuals who can come into a client’s location and immediately assist with the client’s security needs. The plus side to using a managed security service is that the service usually has a larger pool of talent to draw from. Depending on the client’s wants or regulatory requirements, the managed service can find an expert or team of experts to support the client’s needs.”
Sign up for CIO Asia eNewsletters.