The trend for outsourcing cybersecurity to a managed security services provider (MSSP) continues an upward trajectory. What is driving it and what benefits do organizations get from working with an MSSP? Orange Cyberdefense SVP Global Marketing Tatiana Chamis-Brown sat down to discuss the key attributes of good MSSPs with Forrester VP Research Director Paul McKay.
Companies are outsourcing cybersecurity to specialist partners in increasing numbers. During the pandemic, the shift to enable mass working from home drove many companies to MSSPs for the security skills and expertise they needed at a testing time. Now they are benefiting from these skills to cope with increasing security threats.
The Orange Cyberdefense Security Navigator report found, for example, that malware attacks proportionally doubled in 2021 versus 2020. That is a pace the average enterprise IT team can struggle to keep up with, so handing part of the work to a third-party specialist makes a lot of sense. As Paul McKay told Tatiana Chamis-Brown, “We saw the trend continue into 2021 and into this year. So clearly the trend of organizations being more comfortable with the idea of outsourcing components of their security is going to be a trend that we see for the next couple of years.”
Another driver behind the increased use of MSSPs is the lack of available talent. It’s been reported that as of late October 2022, the number of unfilled specialist roles in the cybersecurity industry is 3.4 million. Further, the Fortinet 2022 Cybersecurity Skills Gap report found that 60% of organizations say they are struggling to recruit suitably-qualified candidates as well as keep hold of their current cybersecurity staff.
However, not all MSSPs offer the same level of service. Forrester has reported on MSSPs operating as alert factories that merely collect company log data and churn out low-value alerts. This practice doesn’t deliver any real value to enterprises. As Paul McKay comments, “Organizations tell us they get far too many false positives and alerts which are not really looked at properly by the provider, so are looking for providers to do two things. One, to provide more direct response capability using some of the technologies that are out there, [and] more guidance around remediation, particularly around things like vulnerability management and domains like application security and identity.”
Enterprises need MSSPs to operate effectively as part of the in-house team, with an understanding of the company’s internal teams, its business environment and its daily operations. A good MSSP will take responsibility and deliver effective managed detection and response (MDR) for its customer, for example. Detection and response takes time, skills, resources, and investment, and it’s a solid example of where an MSSP can take a hefty burden off the shoulders of an enterprise IT team.
It’s an area Orange Cyberdefense considers a central focus, and the MDR Buyer’s Guide is designed to help enterprises select the right detection and response solution.
The recent Forrester Wave™: European Managed Security Services Providers, Q3 2022 report found that many organizations still struggle with patching and updates. Organizations are typically home to thousands of vulnerabilities, and while traditional scanning tools can enumerate them, they aren’t up to the job of paring them down into a manageable, prioritized list.
As Paul McKay said, “We're just finding there's too much information out there and customers and service partners are struggling to understand what's priority, what are the things that actually are going to be exploited in the wild, and what are the assets that actually matter?”
Orange Cyberdefense provides Managed Vulnerability Intelligence to help customers take a risk-based approach to vulnerability management. It’s sensible not to try to patch everything, but to prioritize remediation based on the criticality of the affected assets, the severity of the vulnerability, and whether it is actually being exploited in the wild, rather than working down a list sorted by severity score alone.
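The following is an added illustrative example, not code from Orange Cyberdefense or from its Managed Vulnerability Intelligence service. It shows one way to turn the risk-based approach described above into a ranking: each finding is scored from its CVSS base score, the criticality tier of the asset it sits on, whether the asset is internet-exposed, and whether the vulnerability is known to be exploited. The weights, the tier names, the `Finding` fields and the sample findings are all assumptions constructed for this example.

```python
"""Risk-based vulnerability prioritization (added illustrative example).

All data below is constructed; the scoring weights are an assumption for
illustration, not the method used by any vendor's product.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Hypothetical asset criticality tiers and their weights.
ASSET_CRITICALITY = {"crown-jewel": 3.0, "business": 2.0, "standard": 1.0}


@dataclass(frozen=True)
class Finding:
    finding_id: str          # constructed identifier, not a real CVE
    asset: str
    asset_tier: str          # key into ASSET_CRITICALITY
    cvss_base: float         # 0.0 - 10.0
    internet_exposed: bool
    exploited_in_wild: bool  # e.g. present on a known-exploited feed


def risk_score(f: Finding) -> float:
    """Combine severity, asset criticality and exploitability into one number.

    Scheme (an assumption): CVSS base score scaled by asset tier, then
    multiplied for internet exposure (x1.5) and known exploitation (x2), so
    an exploited medium on a crown-jewel asset outranks an unexploited
    critical on a standard host.
    """
    score = f.cvss_base * ASSET_CRITICALITY[f.asset_tier]
    if f.internet_exposed:
        score *= 1.5
    if f.exploited_in_wild:
        score *= 2.0
    return round(score, 2)


def prioritize(findings: Iterable[Finding], budget: int) -> List[Finding]:
    """Return the `budget` highest-risk findings, highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)[:budget]


def prioritized_ids(findings: Iterable[Finding], budget: int) -> List[str]:
    """Convenience wrapper returning only the finding identifiers."""
    return [f.finding_id for f in prioritize(findings, budget)]


# Constructed sample findings (asset names and IDs are made up).
SAMPLE_FINDINGS = [
    Finding("F-1", "db-prod-01", "crown-jewel", 6.5, False, True),
    Finding("F-2", "build-agent-07", "standard", 9.8, False, False),
    Finding("F-3", "web-edge-02", "business", 7.5, True, True),
    Finding("F-4", "kiosk-11", "standard", 4.3, False, False),
    Finding("F-5", "vpn-gw-01", "crown-jewel", 8.1, True, False),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS, budget=3):
        print(f"{f.finding_id:<4} {f.asset:<15} risk={risk_score(f):6.2f} "
              f"cvss={f.cvss_base} tier={f.asset_tier}")
```

With the sample data, the 9.8 finding on a standard build agent (F-2) falls outside a three-item remediation budget, while an exploited 6.5 on the production database (F-1) and an exploited, internet-facing 7.5 on the web edge (F-3) come first. In practice the exploitation flag would be fed from a threat-intelligence source rather than set by hand, and the weights would be tuned to the organization's own risk appetite.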
When engaging an MSSP, there are signals that indicate whether a potential partner is suitable. According to both Tatiana and Paul, onboarding is a key issue, and the Forrester Wave report found that many organizations place great value on the MSSP onboarding process. Enterprises should watch out for potential partners simply going through the motions, such as emailing across an Excel spreadsheet and asking the company to fill in its IP addresses and assets.
An effective MSSP will be proactive and present a defined strategy and answers to questions the enterprise hasn’t asked yet. As Paul puts it, “A green flag is that the provider has a very well worked out plan for how they will onboard the transition, realistic timeframes, and a prioritization of which log sources and use cases you onboard first by the priority of the use case.”
Again, it is about being a partner, not just a provider, and a good onboarding process is the foundation of a successful, sustainable relationship. By engaging an MSSP, companies should feel they are adding an extension of the in-house team, one that comes complete with a wide range of services, technology, and connections designed to benefit the business.
An MSSP should also be able to address enterprise data sovereignty concerns. Different regions around the world have different data sovereignty requirements and regulations. Paul commented, “There’s growing concern around data sovereignty and being certain about the location of data, the legal jurisdiction it is under, and being sure data is in compliance with the law in countries where the organization is based. And when Brexit occurred, there was an equivalence decision made between the UK and the EU, that can be revoked at any time by the EU should the UK diverge significantly from GDPR.”
It highlights the need for organizations headquartered in the EU to work with MSSPs that have both service delivery and data residency within the EU. Paul McKay concluded, “The reality is that anybody wanting to deliver in a European context needs to have an answer for those questions, even if they may disagree with many of the drivers behind legislation. It becomes a mandatory requirement, and without it, it is very difficult to convince clients that they should be entrusted with data.”
For your convenience, the full text transcript of this interview is also available. Read it here.