Outsourcing Security Monitoring
Editor's Note: This is the final installment of a four-part series.
In the three blog articles I have posted so far, we reported on findings from a recent survey conducted to understand security professionals' perception of the threat environment, the loss associated with cyber attacks, and the challenges organizations are facing in handling cyber security. In this final installment, we’ll look at the use of outsourcing to help solve security challenges.
When you combine the real loss associated with cyber attacks with the current economic downturn—and the pressure to save money—it makes sense that 61 percent of U.S. organizations are either currently utilizing or evaluating MSSPs to help handle their IT security. The security pros we talked with were turning to outsourcing for the following four reasons: to provide 24x7 coverage (55 percent), to access security expertise (48 percent), and to lower overall costs (46 percent). Interestingly, European organizations turn to outsourcing more than their U.S. counterparts (77 percent versus 61 percent).
Of course, outsourcing makes a lot of sense with some functions, such as security monitoring, and no sense with others (such as developing a security strategy, policy, or controls). Our survey showed that when asked which functions they were considering outsourcing, most respondents were looking into security monitoring (53 percent), security management (52 percent), and identity and access management (54 percent). Interestingly, 31 percent of respondents stated that they were looking into full IT outsourcing as a part of their security outsourcing initiatives, suggesting that the challenges associated with managing IT in-house may not be limited to security alone.
As someone who has been deeply involved in security monitoring and management and running an MSSP for the last several years, my perspective is that an outsourcing decision can’t be made without completing a traditional risk assessment. By having a clear understanding of your organization’s critical assets, the threats, and the vulnerabilities, you can make classic risk management decisions to accept, mitigate, eliminate, or transfer the risk. For some organizations, choosing an MSSP to mitigate many security risks can be a very effective decision, both in terms of cost and value.