Recently a Chief Information Security Officer (CISO) from a mid-sized online retail company told IDC analysts why he sought out a managed security services provider (MSSP) five years ago. The obvious reason at the time, he said, was that he wanted to move his expenses from a capital expense to an operational one. But he knew this wouldn’t happen overnight because he’d already invested in many network security devices in the prior 12-18 months.
But the deeper, underlying reason he decided to seek out a relationship with an MSSP was the need to free up IT resources for other more innovative projects that would help the company increase revenue and crush the competition.
Today, this CISO — we’ll call him Bob — outsources the majority of his security infrastructure to a service provider that he has grown with over the last five years. As part of this engagement the MSSP has placed several full-time staff members on premise at Bob’s facilities.
“This gives me access to a broader skill set to support my security environment and frees up my IT staff for other projects,” he explained. “The MSSP manages my devices and also uses a lot of state-of-the-art technologies that I wouldn’t have been able to afford. By rotating staff through our facilities and utilizing the analysts in their security operations center (SOC), there is a constant refresh of skills and much less burnout than I was seeing when handling this in house.
“And, finally this set up is costing me about a third less than buying all the latest gear and staffing up my team for the day-to-day monitoring and management of the security infrastructure. Over time, I’ve retired devices and gone with more multi-tenant software and appliances. But this didn’t happen overnight. You have to build a trusted relationship over time,” says Bob.
“Develop the relationship one step at a time and make sure you know the MSSPs expertise. You can’t accelerate from zero to sixty right out of the gate, in my opinion. There is simply too much at stake,” he finished.
As we’ve seen with Bob’s story, many things keep CISOs up at night. Naturally, the security of their data is a primary concern. But increasingly, they worry about the bottom line of the business. Today’s CISO is more and more a boardroom player who is tasked with driving business innovation and reducing capital expense, all while keeping abreast of the latest threats — which aren’t the garden variety they once were. IDC is seeing more and more savvy CISOs looking to a trusted service advisor to help them assess the security landscape, make recommendations on security posture, and often to assist with the management and monitoring of the security environment.
Managed Security Services (MSS) can help to free up badly needed IT resources and can reduce capital expense by transferring a budget line item to a predictable operational expense with a regular cadence in the budget cycle. In addition, the MSSP helps provide scalable security capability, provides enhanced analytics, data consolidation, global threat intelligence, and knowledge of APTs and other adaptive, complex and dynamic threats.
Also, many MSSPs have research labs that can continually monitor and analyze new threats as they become more prevalent and offer compliance solutions to manage regulatory mandates and prepare for audits. For larger enterprises with geographically dispersed locations — either nationally or globally — the scale of an MSSP can provide more extensive capability. Further, the large number of customers an MSSP supports gives them visibility into a large variety of threats on a global basis.
As you consider engaging security services, make sure to look for a provider that has worked with companies like yours and understands the concerns you have. Read more about managed security services and the dynamic threat landscape in the IDC Market Spotlight, “Managed Security Services: Benefits and Future Evolution.”
Christina Richmond is the Program Director of Infrastructure Security Services at IDC. She has written this guest post for the Networking Exchange Blog.