2 November 2022
Tatiana Chamis-Brown: Hi, I'm Tatiana Chamis-Brown. I lead global marketing at Orange Cyberdefense. And I'm joined with Paul McKay, who is VP Research Director at Forrester. And Paul, you lead Forrester's research activities in the security domain and one of the reports that you and your team authored was the Forrester Wave: Managed Security Services Providers in Europe. Published a few months ago.
I wanted to start asking you about one of the trends that you picked up from the report. You've seen an increase in the number of organizations that are, instead of managing their security in house, they're opting to outsource that to a managed security services provider. Can you tell us a little bit more about what's driving this?
Paul McKay: Sure, of course, Tatiana, and thank you for the welcome.
So there are two key trends driving this.The first is that we see at the beginning of the pandemic, we saw security organizations were having to move completely to a work from home model. So the technology landscape changed almost overnight in some cases. But because of the cost pressures of the pandemic, many people were forced to go on furlough, budgets were cut for hiring. So organizations had to figure out how to deliver the same kind of activity for less investment.
And in some cases, many organizations turned to managed service providers, even for those organizations that weren't directly impacted by the pandemic in any kind of financial sense, still had some difficulties in finding the right talent in the security market, which we'll come onto later.
But from my perspective, that change in perception in the market allowed managed services organizations to step up to the plate and support their customers during a very difficult time.
We saw that trend continue into 2021 and into this year. So clearly that trend of organizations being more comfortable with the idea of outsourcing components of their security and being quite thoughtful about doing so is going to be a trend that we see for the next couple of years.
Tatiana Chamis-Brown: So, one thing that you commented there is on the access to scarce resources in cyber security. I've seen a number of about 3.5 million vacancies. And one of the reasons our customers partner with us is to access skills like threat hunting, like the forensics, which they might not have access to in-house.
And also we are seeing a lot of demand for organizations that want a coherent partner managing not just the traditional enterprise device management perimeter, but also monitoring, detecting, and responding to incidents on their behalf, right?
And that's where the value is that they're saying.
Another trend you noticed was the so-called Alert Factory approach that some of the players in the market have, not Orange Cyberdefense of course, and how this is not adding value to organizations looking for a managed security services provider. I wanted to ask you, what does value add look like? What are enterprises expecting from providers beyond the alerts themselves?
Paul McKay: So, I think Tatiana, there are two words that you used in your question, which I would use to answer the question itself. The first is response, and the second is remediation. So, what organizations' tell us they are looking for is they kind of got fed up with the idea that much in the same way as when you have a delivery through something over your gate and the package lands in the garden and you think is the package broken? Organizations were getting far too many false positives and alerts that are supposedly been triaged, which were not really being looked at properly by the provider. So the organizations were looking for providers to do two things. One, to provide more direct response capability using some of the technologies that's out there, primarily EDR and XDR as it's now evolved to. And the second is more guidance around remediation, which I take in the context particularly around things like vulnerability management and also domains like application security and identity.
And the reason they're looking for that is that they want their provider to be a partner, a genuine partner, somebody that's going to be part of their team, and there's almost no differentiation between their internal folks and the provider's staff. They know the environment, they know the context, so they're really looking for that customer intimacy from the part of the provider. And they're also looking for a more flexible and partnership driven approach rather than just simply throwing events at incidents and being a bit of a table tennis match between the provider and the client as to who's responsible for sorting things out.
Tatiana Chamis-Brown: So, noted action without response, and of course our MDR services include both. I wanted to touch on something else from the report. You were looking to how different providers offer vulnerability management services and the fact that many organizations struggle to patch everything and that to focus on where it really matters into intellectual property coming from the provider was instrumental. Can you give us a little bit more information about that?
Paul McKay: Sure, no problem, Tatiana. So when we were speaking to customers in the research and also my observation from the customer interactions I've had before the research, we were hearing a lot for vulnerability management services particularly, that everybody can run the basic technology that scans the infrastructure, it tells you everything that's wrong. The trouble is that there's often thousands, tens of thousands sometimes of security vulnerabilities, but many of the traditional security mechanisms that are used to classify vulnerabilities just aren't good enough at cutting that down to a manageable list, which you can share with other stakeholders in which a service provider can meaningfully work through. So we're just finding there's too much information out there and customers and service partners are struggling to understand what's priority, what are the things that actually are going to be exploited in the wild, and what are the assets that actually matter?
So one of the things that differentiated some of the providers in the space was their ability to use some of their IP or partnerships IP with some of the technology partners to help to make that problem more manageable so that when they're reporting on vulnerabilities, they're prioritizing the stuff that really matters and helping to execute clients' programs for them by helping to project manage some of the remediation activity. So from my perspective, where this was being done, the value perceived from the service was much higher for those clients that were getting that kind of service where they were getting the more traditional kind of service. It was really quite frustrating for them, and that still continues to be the case in many organizations.
Tatiana Chamis-Brown: Because they weren't having to deal with, I think 18,000 of vulnerabilities every year. They were having to address a much smaller number of that. So the provider was able to then, on the one hand, understand what the critical assets were for that organization, but on the other hand, also have the intelligence and understanding what potential vulnerabilities, threat actors might be likely to explore for that organization and joining of course that together to make sure that remediation was much more targeted.
Paul McKay: Exactly, yes.
Tatiana Chamis-Brown: Well, you identified that many organizations place a lot of value on the onboarding process when moving on to a managed security services provider. Can you tell us what are the red flags or maybe green flags that organizations should watch out for when choosing a partner?
Paul McKay: So I think probably the biggest red flag, and thankfully this doesn't happen in quite the same way as it used to when I first started doing this wave a number of years ago, is when a provider turns up with an Excel spreadsheet and says, Can you fill in the IP addresses and assets that you have? So that's definitely a red flag, but in a more positive sense, I think we see a green flag is that the provider has a very well worked out plan for how they will onboard the transition. The timeframes upon which they're doing so are realistic. You can see that there's a prioritization of which log sources and use cases you onboard first by the priority of the use case for the particular organization. So if you can see those things in place, it sounds quite basic, but just the fundamentals of delivering against your promises and putting things in when you see you'll put them in is really at a heart of a lot of frustrations that clients have with a lot of service providers in the market.
Now, my general reflection on customer interviews is that when it's their fault and it's the change process in their organization that holds stuff up, they're pretty happy to say, Yep, that was us. But in many cases, it's shortcomings on the part of the provider. So basics around project management, clear prioritization of what matters to be dealt with first, and a clear approach around asset management that focuses on not just the 10 and the IP addresses, but also something that focuses on the fundamentals of which assets are more critical, and how do you keep that list constantly refreshed and up to date. So those would be the things that I would look out for.
Tatiana Chamis-Brown: Yeah, that partnership approach you described having not only the technical expertise but also the flexibility to understand the organization's context apply also that technical expertise and services to that specific situation. It is key and it's one of the things that our customers value in our approach with them. Paul, you included data sovereignty in European service delivery as one of the criteria in the report this year. Can you share a little bit more about why this was so? What are the considerations that organizations with operations in the UK and in Europe need to take into account when choosing a managed security services provider?
Paul McKay: Okay, so data sovereignty and European service delivery is quite an interesting set of criteria. So it's in there because it's mostly driven by customer demand. So one of the things we see quite clearly, not just here in Europe, but we're also starting to see similar patterns, emerging parts of the Middle East and also in parts of Asia Pacific as well, is that there's a growing concern around the topic of data sovereignty and being certain about the location of data, the legal jurisdiction that that data is under, and also being sure that that data is in compliance with the law in countries where the organization is based.
Now, where that is being delivered by a service partner, they also need to make sure that the same things apply. What's also happened in the market, aside from that in a broader geopolitical context, is you are seeing a broader kind of vulcanization of the internet where you see Europe in particular moving ahead to try and build more sovereign services and becoming more sensitive to certain types of workloads, particularly in clouds, workloads and hyperscaler environments being deployed in ways that could potentially allow access outside of the jurisdiction of the European Union.
Now, with the UK and the EU, specifically when Brexit occurred, there was obviously an equivalence decision or an adequacy decision, which was made between the UK and the EU. But at the moment, that can be revoked at any time by the EU, should the UK diverge significantly from the EUs GDPR. In practice, what we found is that many European organizations that are headquartered in the EU have a strong preference for both service delivery and for data residency to be within the EU, because you have that certainty of the application EU law in ways that are consistent and doesn't open a compliance risk or a threat to data for an organization.
Now, in many cases, this is to satisfy legislative aspects or cultural preferences or demands, but the reality is that anybody wanting to deliver into European context needs to have an answer for those questions, even if they may disagree with maybe some of the drivers behind some of the legislation and the client sentiment. So it becomes a mandatory requirement, and without it becomes very difficult to convince clients otherwise that they should be entrusted with the data.
Tatiana Chamis-Brown: So, having the ability to support organizations who remain compliant in Europe, but of course worldwide is key, and Orange Cyberdefense having locations closer to our customers, we're well placed to do that. Thank you, Paul.
Paul McKay: Thank you, Tatiana.