By all accounts, the managed cyber security services market is growing at a rapid clip—with projections showing the market at nearly $50 billion by 2023. On the one hand, this shouldn’t be too shocking: cyber attacks get more sophisticated, frequent, and costly by the year, and even some businesses with existing security operations are likely to need help in stemming the tide. On the other hand, managed services of any kind can have organizational and operational consequences for SMBs, and it’s easy to wonder whether the companies that employ these MCSPs are, by and large, approaching them with the right mindset.
Like we said, cyber crime is getting more and more difficult to fight off. At the same time, the rift between security operations and development operations seems to be widening all the time. The result is that security comes to pose challenges not merely from the perspective of stopping intrusions and preventing cyber attacks (though the ability to do so is obviously mission critical for most businesses), but from a broader perspective of integration. If your security operations center is seen as being at odds with other goals (e.g. speedy time-to-market), you’ll end up with siloed security operations that can’t effect high engagement rates for security best practices and solutions.
In situations like this, you can easily see an uptick in, say, successful phishing scams or DDoS attacks. You can also see disruptions in time-to-market, and other disruptions that arise when development projects aren’t considered from a security perspective until late in the lifecycle. The result is that your code or app isn’t just less secure, it’s potentially worse from a quality or UX perspective as well. In this way, we can think of smaller-scale security challenges—like choosing the right solution or service, enforcing best practices in a useful way, keeping on top of your threat model even as it changes, etc.—as subsets of the larger hurdle involved in creating a holistic strategy that successfully integrates security.
Based on the hurdles we outlined above, it shouldn’t be too hard to see why MCSPs represent a growing sector of the economy. Indeed, there are more than a handful of reasons that SMBs are turning to them to help address existing security concerns.
Of course, if you’re a CIO you probably can’t take all of these potential reasons at face value. Why? Because on some level you have to worry about maintaining control over your own fate. If you outsource something as critical as security without knowing what you’re getting into, what to expect, and how to integrate your MCSP’s efforts into your own larger initiatives, you’re setting yourself up for potential disasters.
So, what should you expect out of an MCSP? Again, this isn’t just a matter of making sure that you’re choosing the right provider (though that’s also important), it’s a matter of knowing what your engagement is likely to entail, so that you can create a cyber security paradigm that works for your business.
First and foremost, most MCSPs will offer some sort of protection for your digital perimeter, including any web apps that you might own—in other words, anything that a hacker could reasonably attack. Often, this will take the form of a WAF, or web application firewall. These are difficult to install, configure, and maintain, which means that it’s probably in your best interest for them to be the province of your managed services partner. At the same time, you may be better off holding out for a provider who uses something less prone to slowing down web traffic. Application shielding technology, for instance, can perform a more robust version of what a WAF does (i.e. making on-the-fly rules for HTTPS traffic in order to cover known security flaws and vulnerabilities), but in such a way as to actually speed up web traffic through compression. If this kind of technology gives your MCSP the ability to cover all of your known vulnerabilities from day one, you can approach the bug remediation gap in a more strategic way.
Studies have found that many in-house security teams wind up with alert fatigue, in which they receive security alerts and simply don’t act on them—either because there’s not enough information to work with in the alerts or there are too many false positives. As a result, real security intrusions can slip through the cracks without provoking a response. A managed cyber security service should obviously not let that happen. As such, depending on your engagement model, they may be working to make sure that only security flaws that require real remediation attention reach your desk. Conversely, they may have a flexible reporting model that lets you specify how much information you want from their monitoring services. This puts you in a position to ask yourself how you would like security operations to be integrated into your workflows—based on the answer, you can determine what the most helpful reporting and monitoring options would be, as well as a road map for how your teams will incorporate that information into existing workflows.
Like we said above, it’s your job to figure out how your teams will act upon the info that they get from your MCSP’s monitoring and reporting. If your goal is to redefine the relationship between DevOps and SecOps, or between QA and security, this is your chance to lay important groundwork. When it comes to transforming your own internal security operations, getting some of the urgent, time-consuming work that comes with crisis management off the plates of your engineers can help you give them the time they need to actually create alignment with DevOps. At the same time, since a security incident could easily impact the safety of your corporate data, you may not want to be entirely hands-off in the response process. Ask yourself, how much control over a cyber security crisis are you really willing to give up? Once you have a comfort level established, your MCSP should be able to work with you to put response plans in place that meet your needs. Crucially, these responses won’t be limited to convenient business hours (as they might be if you were managing things internally), since the hackers themselves will often be operating outside the normal time frame in which your engineers might work.
Again, the best practices for good data security continue to be a moving target, and even businesses with existing SOPs can have trouble staying on top of things. This is an area where you should expect your managed service provider to offer expertise and capabilities that are much more reliable than most in-house teams. Why? Because their entire raison d’être is security, and it would be a sad state of affairs if they didn’t know about each new vulnerability that became known, every potential security flaw in a given cloud-based application, and every security tradeoff involved in the configuration of a particular piece of software. Sure, application shielding can put you in a position to keep legacy apps running much longer than it would otherwise be safe to do so, but you’ll also want ongoing guidance about when and how to replace your existing security infrastructure. For the elements of security infrastructure that your MCSP has full control over (you might not ever touch the settings of an application shield, for instance), you’ll need to operate with full confidence that they’re getting the TLC and updates that they need.
Again, you should anticipate an ongoing dialog between your managed services and your own security operations—since new best practices that emerge will have to be integrated downstream in development projects. This is yet another area where your first job is to envision the role that you want security to play at your company going forward—is it all about stopping cyber attacks and closing business logic loopholes, or is there a more strategic bent to it? Are you only interested in preventing losses due to cyber crime, or are you seeking to add value by integrating security and quality?
Intertec provides cutting-edge managed cyber security services based on sophisticated application shielding technology—helping global businesses to cut down on code remediation costs while preventing data breaches.