In Asia and many other parts of the world, small and medium-sized enterprises (SMEs) are one of the key drivers of local economies. Yet, they face a tremendous task when it comes to cybersecurity.
The typical SME tends to have limited resources to spare on shoring up its cybersecurity posture, leaving it vulnerable to cyber-attacks.
Go back, say, 20 years and the concept of outsourcing cybersecurity would have been laughable. Back then, all one really needed was a robust firewall and one was good to go.
The cyber threat landscape of today is an entirely different beast. The number of appliances and applications a business needs today is a confusing laundry list of items: distributed denial of service protection, web application firewalls, intrusion detection, encryption, security information and event management, network analyzers and so on and so forth.
It can be overwhelming for any firm, let alone one with limited resources and manpower. For many organizations, outsourcing could be the way to go. Frost & Sullivan believes that over the next few years the demand for managed security services in Asia Pacific will increase. Let us examine the advantages:
Managed security service providers (MSSPs) usually provide round-the-clock cybersecurity reporting in real time. Working with an MSSP can help alleviate an organization's worries over network protection, since it knows its networks are being watched constantly. However, before signing up with an MSSP, one should always check that service level agreements (SLAs) are well defined so that exact needs are met.
Access to Talent
It is a well-known fact across Asia Pacific that IT security talent is in short supply. Hiring for an in-house team is a challenge, especially when pay packets are considered as well. Leveraging an MSSP provides access to a team of security specialists when required.
Furthermore, they are likely to be constantly refreshing their knowledge and actively tracking new threats, since their jobs revolve around it. In-house teams, by contrast, generally have multiple roles and responsibilities, which can hinder efforts to stay on top of threats.
Perhaps one of the most compelling reasons to outsource is the cost savings one stands to make from engaging an MSSP. As providers are able to distribute costs for analysis, applications, and appliances, as well as facilities, across multiple customers, the fees tend to fall on the spectrum towards the “reasonable” side.
Ultimately, employing a number of IT professionals and purchasing the required software and hardware can be too much of a financial burden for many organizations. With these factors covered by MSSPs, there are definite potential savings to be made through engagement.
Whilst there are several benefits to outsourcing, for it to be effective one must also be aware of the pitfalls that can come along with it.
One of these is the tendency to believe that hiring an MSSP equates to eliminating security costs. The truth is that it does not. Firms will still have to ensure an in-house Chief Information Security Officer (CISO) is kept on staff and is accountable for the security of the organization. Your CISO will be the individual who manages and coordinates with the MSSP. The MSSP is not meant to be a full replacement for an in-house team; rather, it serves to bolster it.
The in-house CISO will also be responsible for vetting various MSSPs and for working with them to determine the best approach. There is no uniform approach to working with an MSSP and organizations will have to discuss requirements and remediation steps in advance. Developing a set of standards, roles and responsibilities will mitigate unexpected situations.
Another hurdle to cross is access to sensitive data. Most firms are reluctant to allow outsiders to handle sensitive data; this reinforces the need for a detailed SLA to ensure confidentiality.
Once you have onboarded an MSSP, it is important to nurture a working relationship with meaningful communication so that needs are consistently addressed.
Holding regular meetings to review transferred responsibilities, the controls used for mitigation and key metrics will ensure everyone remains on the same page.
Ultimately, occasions may arise where undesirable outcomes occur. These instances must be discussed in a professional manner to avoid a deteriorating working relationship. Should this step be neglected, things often get worse rather than better.
As demand for MSSPs rises, organizations must recognize that they are not simply removing their worries entirely. Getting the best value from outsourcing security requires that organizations do their part to maintain the relationship through clear communication, proper documentation, and reasonable terms.