In the next 5 years, spending on managed cyber security services is expected to increase by nearly 50%—from about $31 billion to $46 billion. This is just a fraction of the $100 billion or so that companies spend worldwide on security services, software, and hardware. The question is: is it worth it?
On the one hand, cybercrime is projected to cause $6 trillion in damages in 2021. At an admittedly simplistic level, that means global security spending of roughly $100 billion would pay for itself if it prevented even one fiftieth of that damage, about $120 billion; preventing one fifth of it would return the spend more than tenfold. On the flip side, you are probably already spending money on cyber security: maybe you have web application firewalls (WAFs) set up to limit malicious traffic, or an onsite team managing security, or you are relying on cloud vendors to keep your data safe, and you are not sure you are getting much bang for your buck.
The right security approach is something every business has to work out for itself; no one can tell you how best to weigh spending against the vulnerabilities in your applications. That means taking a hard look at the threat landscape for your industry, the cyber security tools and tactics available to you, and the cost implications of those tactics, to decide whether a managed cyber security services provider (MCSP) is the right call.
What Does the Cyber Security Landscape Look Like?
Before we dive into the different technologies that might apply to your particular IT infrastructure, let’s talk a little bit about the global cyber security situation more broadly. On paper, things look pretty dire—especially for industries like healthcare and banking that are the most frequent targets of cyber attacks. But where are those attacks targeted, and what are the actual business implications?
Let’s start at the root: 90% of hacks are attributable to human error. Sometimes that takes the form of an employee who hasn’t been trained on security issues opening a phishing email and unwittingly installing malware. Sometimes it’s a bug in a customer-facing application that lets an attacker tamper with a form field and reach information they shouldn’t be able to see. And often the human error at the heart of the problem is a configuration error, potentially in a web application firewall (WAF) or another piece of technology that was meant to improve your security.
This last type of pitfall is more common than you might imagine. WAFs in particular are difficult to set up well, and small mistakes during installation and tuning (a rule set left in monitor-only mode, say, or an exclusion written too broadly) can leave vulnerabilities open to exploitation. When attackers do exploit them, the results vary: in some cases you detect the intrusion immediately and suffer only a short stretch of downtime; in a more troubling scenario, a breach goes unnoticed for months, and considerable damage to your corporate reputation follows when it is finally disclosed and dealt with.
How Cyber Security Impacts Costs
In the COVID-19 era, things aren’t improving. In fact, the FBI has reported a 300% increase in cyber attacks since the start of the pandemic. As you can imagine, this is putting more and more bottom lines in jeopardy, as each of the pitfalls we sketched out above can present serious cost implications.
Even large breaches often take months to uncover, and when they finally are, the effect on how your business is perceived can be serious, potentially including a drop in stock price: share prices have fallen an average of more than 7% following a data breach. And that’s just the reputational damage. There’s also the actual work of dealing with your security issues once they’ve been made glaringly obvious. One study found that a billion-dollar company spends an average of more than $4 million recovering from a data breach. That figure covers any number of activities that become necessary after the fact, from revoking and reissuing compromised credentials and re-securing the affected accounts and data, to the administrative work of managing compliance obligations, to actually changing your IT infrastructure to prevent similar attacks in the future.
And yet day-to-day budget realities don’t leave the average CISO much room to act on eye-popping figures like these. In fact, it’s not uncommon for organizations to leave known vulnerabilities unresolved because fixing them properly would consume too much time and too many resources. Nobody is a fan of this status quo, but it isn’t always clear what the better alternatives are. For a security tactic to be feasible it needs to be genuinely lightweight and cost effective, and in-house management that spends countless hours patching vulnerabilities (potentially slowing time-to-market in the process) is rarely either. Even something as straightforward as upgrading legacy applications that don’t meet modern security standards can put decision makers in a bind if, for instance, those upgrades could have disruptive ripple effects across your technology stack and slow a team’s ability to do its job.
What Are Your Cyber Security Options?
If you’re reading this, we’re guessing the status quo isn’t working for you. Maybe you’re weighing the pros and cons of rethinking how you manage the risk associated with your applications and APIs. So what are your options? At the simplest level, in terms of cyber security costs, you can spend your budget on some combination of:
- Internal security staff—potentially ranging from cloud deployment experts to trained incident response teams to penetration testers
- Security solutions—whether that’s in the form of antivirus, WAF, application shielding, encryption, or some combination thereof.
- External staff—e.g. consultants, outsourced security testers and incident response teams, managed services, etc.
Here, your knee-jerk reaction might be to say that the more you can rely on internal staff, the better. That is a completely reasonable viewpoint, and for the few companies where it’s feasible it can absolutely be the right move. But here’s the catch: 80% of survey respondents say that finding security professionals is harder now than it has ever been. Simply put, there isn’t enough talent to go around, and two-thirds of security professionals say the shortage has a real negative impact on their security operations. Perhaps that is why only 20% of companies report having mature SecOps.
So, for companies that already have the in-house expertise to implement the right technology, configure it properly, and keep it up to date, a high ratio of in-house capacity to external help is doable. For companies that don’t? Getting the right professionals with the right experience to join as full-fledged employees is going to be difficult and costly. The sheer diversity of expertise it takes to run a sound security program makes this harder still: not only do you need to stay consistently up to date on the threat landscape for your industry, you also need to understand the security risks and implications of every piece of software (or hardware) you use, plus what it takes to configure them together without leaving gaps. You might have the world’s best incident response team, but even they will be too overwhelmed to right the ship if the team responsible for covering the vulnerabilities in your legacy apps doesn’t know what it’s doing.
What to Look for in Your MCSP
Okay, we’ve seen how cyber security can have serious cost implications, and why scaling up your internal security teams might not be a feasible way to manage those costs. That brings us more or less full circle, insofar as it shows why industry projections for managed cyber security services are so bullish. After all, if you can’t keep your systems and data safe with the tools, technology, and personnel you have in house, why not turn to a team of experts?
Of course, not all MCSPs are created equal. If you decide to go the managed services route, there are a handful of things you should look for during vendor selection:
Application coverage:
Your web apps are going to be some of your most exposed touchpoints, which means your services provider should offer some way to cover them. In the past this might have meant a WAF, but today you may be better served by application shielding technology designed to cover known vulnerabilities at the HTTP level without slowing your systems down. This lets you bridge the remediation gap: a known vulnerability stays protected for as long as needed, so you can fix the code on your own timetable within the context of your larger operations rather than scrambling to protect your data. It also has the added benefit of potentially extending the life of legacy applications, minimizing disruption to your workflows.
Incident response and penetration testing:
Another reason to look for a provider who steers clear of WAFs is that WAFs tend to produce a lot of false positives, so your teams run the risk of alert fatigue and, as a result, slower or weaker responses to real attacks. Your managed cyber security services provider, of course, shouldn’t be at risk of alert fatigue; in fact, they should be able to show you a clear incident response plan before the engagement starts. That plan might also include proactive steps such as penetration testing to uncover vulnerabilities in your applications or the ecosystem around them.
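As an added illustration (this is not Intertec’s code and does not describe any particular product), the Python sketch below shows what “covering a known vulnerability at the HTTP level” means in practice, and why the scope of the rule decides whether a shield produces the false positives discussed above. The toy application, its vulnerable /download handler, the two rules and the sample requests are all constructed for this example; a real deployment would sit in a reverse proxy or middleware in front of the legacy app rather than in the same process.

```python
"""Added example: an HTTP-level "virtual patch" that shields a known-vulnerable
endpoint until the code fix ships, and the cost of an over-broad rule.

Everything here is constructed for illustration: the toy app, its vulnerable
/download handler, the rule set and the sample traffic.
"""
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    path: str
    params: Dict[str, str] = field(default_factory=dict)


Response = Tuple[int, str]
Handler = Callable[[Request], Response]

DOCUMENT_ROOT = PurePosixPath("/srv/app/public")  # hypothetical document root


def vulnerable_download(req: Request) -> Response:
    """Constructed 'legacy' handler: joins a user-controlled file name onto the
    document root without normalising it, so '../' climbs out of the root.
    The file read is simulated by echoing the resolved path."""
    name = req.params.get("file", "")
    resolved = DOCUMENT_ROOT / name  # no check: this is the bug being shielded
    return 200, f"contents of {resolved}"


def search(req: Request) -> Response:
    """Harmless handler used to show collateral damage from a broad rule."""
    return 200, f"results for {req.params.get('q', '')!r}"


ROUTES: Dict[str, Handler] = {"/download": vulnerable_download, "/search": search}


def app(req: Request) -> Response:
    handler = ROUTES.get(req.path)
    return handler(req) if handler else (404, "not found")


# Shielding layer: a rule returns True when the request must be blocked.
Rule = Callable[[Request], bool]


def targeted_patch(req: Request) -> bool:
    """Virtual patch scoped to the known bug: only /download, only the 'file'
    parameter, and only values that could leave the document root."""
    if req.path != "/download":
        return False
    name = req.params.get("file", "")
    # Reject absolute paths, backslash separators and any '..' path component,
    # while still allowing ordinary names that merely contain dots.
    return name.startswith("/") or "\\" in name or ".." in PurePosixPath(name).parts


def naive_patch(req: Request) -> bool:
    """Over-broad rule of the kind that causes alert fatigue: block any request
    with '..' anywhere in any parameter, regardless of endpoint."""
    return any(".." in v for v in req.params.values())


def shield(inner: Handler, rules: List[Rule]) -> Handler:
    """Wrap a handler so matching requests get a 403 before reaching the app."""
    def wrapped(req: Request) -> Response:
        for rule in rules:
            if rule(req):
                return 403, "blocked by virtual patch"
        return inner(req)
    return wrapped


# Constructed traffic: one real attack and two legitimate requests.
ATTACK = Request("/download", {"file": "../../etc/passwd"})
LEGIT_DOWNLOAD = Request("/download", {"file": "reports/q3..final.pdf"})
LEGIT_SEARCH = Request("/search", {"q": "what happened.."})
TRAFFIC = [ATTACK, LEGIT_DOWNLOAD, LEGIT_SEARCH]


def run(handler: Handler, traffic: List[Request] = TRAFFIC) -> List[int]:
    """Return the status code a handler produces for each sample request."""
    return [handler(r)[0] for r in traffic]


if __name__ == "__main__":
    print("unshielded:", run(app))                          # [200, 200, 200]
    print("targeted:  ", run(shield(app, [targeted_patch])))  # [403, 200, 200]
    print("naive:     ", run(shield(app, [naive_patch])))     # [403, 403, 403]
```

The targeted rule blocks the traversal attempt and nothing else, which is what lets the code fix wait for a planned release. The naive rule also blocks the attack, but it rejects a legitimate download and an unrelated search as well; at production volume those two false positives become the alert noise that wears a team down.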
Maintenance and configuration:
As noted above, security flaws due to misconfiguration are shockingly common, not just because of human error per se but because of the specialized knowledge this kind of work demands. An outside provider whose business is installing and configuring, say, application shielding solutions isn’t going to struggle with a lack of knowledge or experience, and can help you avoid pitfalls you might not even have been aware of.
Cost savings:
Last but not least, we get to dollars and cents. The somewhat tautological answer to “are managed cyber security services worth it?” is that they’re worth it if they can demonstrate cost savings. That is more meaningful than it sounds: when selecting a vendor, the best choices are the ones who can show a clear set of savings, for example by letting you cut WAF spending from your budget or by reducing the resources devoted to bug fixes. Everyone wants better security at a better price, and the right MCSP might be your best chance of getting it.
Learn More About Intertec’s Managed Cyber Security Services
Intertec provides managed cyber security services built on application shielding technology, helping global businesses cut code remediation costs while preventing data breaches. Learn more on our site, or schedule a meeting with us for a personal consultation.