As enterprises rapidly digitize more business processes with cloud computing, mobile, IoT, and data, they are straining their ability to find the security talent they need to secure their systems.
According to the Global State of Information Security Survey (GSISS) 2017, a worldwide study conducted by PwC, CIO and CSO and released this month, skilled cybersecurity professionals are hard to come by, and that shortage continues to make enterprise IT security all the more challenging. Many enterprises are attempting to close their skills gap by turning to managed security services. According to the survey, 62 percent of respondents use security service providers to operate and enhance their IT security programs.
“Depending on who you believe, the MSSP market is growing between 10% and 15% compound annual growth rate and it’s been near that range of growth for quite some time. So, not exploding but solid, steady growth – because of the factors I mention above,” says John Pescatore, director of emerging security trends at SANS.
“To deal with the changes in threats and the increased business use of cloud and BYOD, enterprises found they didn’t have the skills and they focused on trying to hire people with those skills – which is very expensive, since you have to offer high salaries to steal them from their existing jobs,” says Pescatore. “Outsourcing as much as possible to an external service, either a full MSSP or point security as a service provider, is one way to fill the gap,” he says.
The 10 percent to 15 percent compound annual growth rate aligns with a recent study from Markets and Markets, which expects the cyber security services market to reach $202 billion by 2021, growing from $122 billion now at an annual clip of 10.6 percent. According to that report, over that same time period application security is expected to grow the most swiftly, with aerospace and defense being the largest buyer of security services, followed by government and public utilities, IT, and telecommunications.
Carson Sweet, co-founder and chief technology officer at CloudPassage, says competitive pressure is another reason enterprises choose to outsource: it lets them focus on core areas of the business. “Most businesses aren’t going to differentiate on e-mail or CRM, so they outsource those functions and allow their internal resources to focus on technology that does differentiate them competitively,” Sweet says. The same is true for many businesses when it comes to information security.
While enterprises are more comfortable today with outsourcing security, the GSISS survey found that most of the outsourcing today consists of authentication, data loss prevention, identity and access management, real-time monitoring and analytics, and threat intelligence – each ranking around 50 percent or higher.
Not everyone is convinced that the current trend toward outsourcing security functions will remain intact.
The idea, in theory, is that such “commodity” cybersecurity efforts could be offloaded to security service providers, who can hire skilled technologists to staff a security operations center 24 hours a day, seven days a week. This would free internal resources to focus on other areas. “But for many security sensitive enterprises (lots of financials and ecommerce, or ‘digital businesses’ companies) most of security beyond routine alarm monitoring is too tightly wrapped around critical business processes and very sensitive data/algorithms – they are the ones investing in ‘plussing up’ the skills of their security staff,” says Pescatore.
“The pendulum will swing back as it did with monitoring services, where folks tried to run it themselves, failed and then sent it to MSSPs,” says Art Gilliland, CEO of Skyport Systems. “But the challenge with MSSPs is that they lack the context of the enterprise and so they can only deliver lowest common denominator security. Organizations will ultimately figure out which capabilities they can check box, outsource those and hire and run the other capabilities in house.”