Job security remains high for experienced IT professionals – and even more so for those who possess skills in security, privacy and risk management. Cybersecurity Ventures, a research and market intelligence firm, predicts that there will be 3.5 million unfilled positions in information security by 2021, up from roughly 1 million in 2014. As companies struggle to fill vacant cybersecurity positions, cyber-criminals are now making $445 billion annually from their exploits, according to Harvard Business Review.
IT leaders know they must bolster security defenses, given the time and cost involved to deal with large-scale incidents. The average size of data breaches has grown 1.8% in the last few years, and spans 24,000 records, according to a study from IBM Security and the Ponemon Institute. The average detection and escalation costs for activities such as forensic investigations, assessments and audit services has grown from $730,000 in 2016 to $1.07 million in 2017; data breach notification costs have also gone up accordingly.
The challenge is hiring people with experience and skills in security as the field becomes more specialized and the attacks more wide-ranging. From malware and ransomware to forensics and incident management, insider threats, DDoS attacks and mobile device security, there’s simply too much to know for even a handful of IT security people--if they can be recruited. Salaries for talented cyber security professionals can run in the mid-six figures or higher, and there’s the problem of turnover as well. These are troubling barriers for small to midsize companies as well as those operating from less-desirable cities and rural locations.
Certainly, the growth in security SaaS solutions is helping, with affordable solutions that handle the low-level automation work required to filter data streams, detect suspicious behavior and alert IT professionals about impending threats. Yet human beings are still needed to make decisions about this data, investigate issues and resolve them quickly. There’s also an ongoing need for strategists who understand the technology marketplace, can recommend and optimize solutions, and implement policies and guidelines enabling the organization to be proactive on the security front. IT service providers report that the service area most in demand by their customers is security, according to a survey NetEnrich conducted in 2017.
The talent crisis has some IT service providers searching for alternative approaches by partnering with Managed Security Solutions Providers. MSSPs can offer a stable base of skills, knowledge and reliable service to companies across many industries. When an urgent need arises, the MSSP can scale up quickly to take care of the problem, and then scale back down into an active monitoring position. It’s difficult for even large companies to have that flexibility.
Market Research Engine identified four factors that are driving the global managed security services market’s growth over the next few years:
- Increase in cybercrimes that target enterprise networks;
- Growing regulatory compliance and data security laws;
- Security recruitment and budget limitations;
- Rising acceptance of cloud-based services.
The MSSP advantage
Businesses of all sizes and verticals are beginning to embrace outside help, as MSSPs possess up-to-date skills, qualifications and technological expertise to remain ahead of industry trends. When talking with prospects, here below are some points to emphasize:
- Better economics: Adequately protecting a complex environment will not come cheap no matter how you slice it—internally-run or outsourced—but MSSPs offer some advantages. First, converting variable IT costs from a reactive mode of support into predictable, monthly costs helps with budgeting and planning. Second, MSSPs help an organization be far more proactive with security, which means less incidents and the avoidance of a major breach which can be financially catastrophic.
- Diverse, expert knowledge base: MSSPs employ teams of professionals with experts across core areas such as perimeter and application security, vulnerability scanning, threat detection and compliance monitoring. These individuals have years of experience across multiple roles such as security analyst, security engineer and penetration tester. By coming together, they can offer a comprehensive, on-demand security team for the customer. MSSPs deliver additional value if proficient in security infrastructure operations and strategy.
- Certifications and best practices: As part of their role, security leads and their teams at MSSPs are required to maintain current certifications, such as CISSP, CISM and CompTIA's Security+. Employees are also encouraged to pursue advanced credentials to stay ahead of trends and industry best practices. Given their combined experience and from serving hundreds of clients across many industries, MSSP teams encounter few problems they haven’t already tackled. They can draw on the experience of other team members to overcome new and complex challenges, whereas internal security professionals may not have the time nor incentives to collaborate in this way.
- Up-to-date, all the time: Internal security teams often struggle to stay ahead of the curve. This is not because they aren’t bright enough nor lack good software, but because threats evolve so quickly that their capabilities fall behind. Then they’ve got to upgrade technology and train staff on how to deploy and use the latest technologies. The cycle repeats continuously. Since the only business of the MSSP is security, they must be experts in a wide array of technologies and the related skill sets to stay viable in the marketplace. Managing complexity is job-number-one of the MSSP, but not necessarily that of the internal security team. They must serve the day-to-day needs of the business and have a limited knowledge base from which to draw.
- Highly proactive: Most MSSPs use cloud-based infrastructure to deliver services. This gives providers agility, flexibility and a resilient infrastructure to cost-effectively manage hundreds or thousands of clients at once. It also means that the MSSP can be extremely proactive on behalf of the companies they are protecting. If a new piece of malware is identified at one client site, the MSSP can quickly apply the appropriate patches or remedies across its client base before anyone notices the threat. That level of rapidly-shared and deployed knowledge is rarely possible within a corporate IT security department.
MSSPs have an increasingly viable role to play in the information security marketplace. They can be a central place for technology expertise and security best practices. They can take care of any problems that arise, so that the customer can focus on their core business. They do all this efficiently and expediently; when it comes to preventing incidents from becoming disasters, accuracy and speed is critical. MSSPs, too, must grapple with the war on talent for security professionals. Yet given the wide variety of work and complex challenges that an MSSP can offer to its workforce, the best and the brightest may flock to these organizations first.