LATEST THINKING

Leave security to the experts: Why a managed security service makes strong business and financial sense

The evolution from It’s too important to leave it to chance never have seen before. The drive to to or to under-resourced internal teams. go digital added to an evolving threat managed services The reputational, financial and regulatory landscape, an increasingly regulated repercussions of getting it wrong are too workplace and a multi-vendor security From as far back as the 1980s, damaging for businesses to contemplate, environment means updating and organizations have been trying to improve and it’s more than just outsourcing a maintaining a complex and sprawling competitive advantage by focusing on commoditized service. It’s a function security architecture. And that’s leading their core business while identifying that is being increasingly outsourced many organizations to revisit their processes that could be outsourced to specialist managed security service security requirements in order to create to third parties. Initially these were providers who offer a ‘management’ an environment that’s secure, while also processes that, while essential, were not service rather than a ‘deployment’ option. allowing them to evolve and develop their associated with the core business - a And a successful service relies on a core business. printer outsourcing fulfilment services partnership between the client and for example. The general feeling back the provider. Outsourcing makes then was that the less important services This paper looks at why outsourcing financial sense could be outsourced, but it made better cybersecurity management is on the rise business sense to hold onto essential With a new approach to cybersecurity and what you need to consider when core competencies. That all changed in required, one question that all selecting a service provider. 1989 when Eastman Kodak decided to organizations need to ask themselves is whether their IT department can outsource the technology systems that Digital transformation underpinned its business. For the first reliably and cost effectively manage all time, a core function was outsourced security challenges cybersecurity related priorities in house. precisely because it was so important. These are challenging times for security Or would it be more effective to outsource security to a specialist Managed Security Today, cybersecurity is a core business professionals and as organizations become more digitally enabled, IT teams Service Provider (MSSP) and move function that is increasingly outsourced towards a more predictable operating to experts, for the same reason. are facing security challenges they may

hello.global.ntt latest thinking | Leave security to the experts

expenditure model? Cost is always a of unfilled cybersecurity jobs globally will consideration for IT and procurement rise to 1.8 million by 2022, a 20% increase teams and a common misconception is from 2015 estimates. The same survey The General Data that engaging with an MSSP would be of 19,000 cybersecurity professionals Protection Regulation more expensive than hiring your own staff worldwide, found 66% of survey to manage security. respondents (up from 62% in 2015) feel (GDPR), for example, they do not have enough employees to allows for steep A managed security address increasing levels of threat. service provider (MSSP) For now, that leaves a widening gap in the penalties of up to provides outsourced monitoring and number of IT security experts needed to management of security devices and manage a greater number of threats. And EUR 20 million or systems. MSSPs use high-availability security sprawl is adding to the challenge 4% of global annual security operation centers (either globally – with a growing number of from their own facilities or from other security technology products and an turnover, whichever data center providers) to provide increasing number of security vendors 24/7 services designed to reduce to manage. is higher, for non- the number of operational security personnel an enterprise needs to Engaging with an MSSP means that compliance. hire, train and retain to maintain an organizations have immediate access acceptable security posture. to experienced, trained cybersecurity Furthermore, reputational damage as a Gartner IT Glossary: What is an professionals without making the result of regulatory non-compliance can MSSP? considerable investment in hiring, damage both your brand and your training, paying, and retaining an in-house bottom line. In fact, research by NTT Security¹ team. This allows the business to free up Understanding your compliance highlights that 33% of organizations with internal resources to concentrate on IT obligations, effectively filling compliance no plans to use an MSSP cite cost as the strategy and planning, leaving the MSSP gaps and streamlining audits is essential reason. Yet, 23% of organizations that to provide continuous security monitoring to avoid huge fines and a good MSSP can do plan to use an MSSP believe that it’s 24 hours a day. help with this. cheaper to outsource. It’s rarely the case The research results from NTT Security’s that MSSP costs will be higher than your Risk: Value 2018 Report support this too Timely threat intelligence own resourcing and operating overheads. - with 20% of organizations citing a lack An MSSP will share its resources across Threat intelligence can play a crucial of internal resources or a lack of internal role in protecting a company’s assets more than one client and agree a service skills (18%) as a reason for planning level with each. Hiring your own team and staying one step ahead of potential to use a third-party managed security losses, providing companies with is less flexible, with fixed salary costs services provider. and overheads to consider, and the onus actionable information that they can use to detect and respond to emerging is on your organization to fully utilize Governance, risk management the team. It’s also the case that a good and evolving security threats. A recent and compliance 3 MSSP will have extensive knowledge and Ponemon report highlighted that 84% professional relationships with security Regulatory change is happening on an of organizations indicated threat solutions vendors; relationships that they unprecedented scale and managing intelligence is ‘essential to a strong will leverage on your behalf as part of compliance is a complex, time security posture’. Yet, many organizations your service agreement. The NTT Security consuming, and evolving challenge struggle with an overwhelming amount research shows that 29% of organizations for organizations in all sectors around of threat data and lack of staff expertise, planning to use an MSSP would do so to the world. Some sectors have which diminish the effectiveness of their gain access to better technology, and 16% more compliance challenges than threat intelligence programs. An under of people need others, particularly financial services resourced IT team, while understanding help with cloud migration and and healthcare, but whichever sector the value of threat intelligence and early digital transformation. you operate in, there will be compliance threat detection, will be swamped by the issues to manage. Non-compliance can volume of threat data. An MSSP with Do you have the requisite cost a company dearly. a dedicated cybersecurity team is in a security skills in house? better position to provide timely threat intelligence, faster threat detection and A global lack of cybersecurity skills has a prompt response to attacks as they been well documented in recent years. happen. And with some MSSPs operating According to a global survey², the number globally and specializing only in security,

1NTT Security Risk: Value 2018 Report 2The 2017 (ISC)2 Global Workforce Study, Frost & Sullivan 3The Second Annual Ponemon Study - The Value of Threat Intelligence hello.global.ntt latest thinking | Leave security to the experts

their focus on monitoring the global • Global reach - Global MSSPs should be threat landscape is significantly more on your short list from an evaluation Benefits of a relationship effective than that of an internal IT team perspective. They see more current with an MSSP with myriad priorities. and advanced threats and will be in a position to respond quickly when your Lower costs – staffing your own Selecting a managed business is threatened. security team for 24/7 security service partner • Technology - MSSPs rely on either coverage is expensive, as is proprietary or third-party technology continuously hiring, training and For those organizations that come to the to examine device logs. Consider retaining new staff. conclusion that some security services service providers that have purpose- Coverage – monitoring your own would be better outsourced, the next built technology for managed security networks round the clock, 365 days services with advanced analytics to question is what do you outsource - a year can be cost prohibitive. detect sophisticated threats. and who do you choose to provide that Hiring experts – there’s a global managed service? • Remote and on-site support - does the shortage of cyber skills. With MSSP offer both? While remote support There are a number of MSSPs to choose helps resolve small issues quickly, an MSSP you’re hiring a team of from in this fast-growing space, but it’s there’s no replacement for security experts with access to the worth remembering that you’re looking in-person contact with your latest thinking, for a long-term partnership here. You’re IT professionals. up-to-date technologies, and industry expertise. not outsourcing a mailing fulfilment, but • Customer experience - check a business-critical function, and you’ll that the MSSP can tailor its service to Shared experiences – an MSSP will need an organization that works as an the specific needs of your draw intelligence from its wide extension of your own team. organization rather than offer a one- customer base, so you will benefit size-fits-all approach to managed from the breadth of its reach. As part of your decision-making process, security services. Security focus – if security isn’t establish a few ground rules and ask • Cost efficiency - can the MSSP provide your focus it can be a distraction some detailed questions before you make a flexible solution to align with any and a drain on resources. Focus on your choice: budget constraints? what makes • Security expertise - does the • Experience - there are many you money and leave security in the MSSP have the domain and security newcomers to the MSS space. hands of experts. expertise needed for your specific Established providers have gained Threat intelligence – huge data environment? With today’s global lack years of experience, refining their of cyber skills, be sure that you are technology and processes along volumes will overwhelm you employing a partner with access to the the way. An MSSP will provide timely and brightest talent. actionable threat intelligence, accurate threat detection and a prompt response to attacks as they happen. Global reach – an MSSP with operations across the globe will have access to global security operations centers (SOCs) and visibility to an extensive threat landscape that would be impossible for you to replicate.

Disclaimer: The work described in this thought leadership was performed while the company was known as NTT Security. hello.global.ntt