Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Randy D’Souza of Neustar Security Services walks us through the shift from platforms to services, and maximizing the potential of Managed Service Providers.
As organizations respond to the accelerating pace of digital transformation, IT and security leaders are tasked with navigating an increasingly borderless world of work and commerce. The challenge of dealing with the associated cybersecurity concerns – of which there are many – has been compounded by a years-long industrywide staffing shortage and, more recently, a rising sense of economic uncertainty that is forcing many organizations to cut costs across all departments, including security.
Not surprisingly, InfoSec teams are increasingly turning to cloud-based solutions and managed service partners to meet growing flexibility and accessibility demands as cost-effectively as possible.
Managed Service Providers: Maximizing the Potential
Relieving Cost and Staffing Pressures
Service-based offerings provide many advantages, including allowing security leaders to relieve budget pressures by moving from a capital to an operational expenditure model in which they can easily scale up or phase out resources based on demand. For example, the purchase of any type of hardware needed to secure networks is a large capital expense, and often the technology does not actually reach the end of its full depreciation lifecycle. Add in the effort required to deploy patches, upgrades, and other essential firmware, and it’s easy to see why many leaders are looking to third-party services to protect their organizations in a more resource-efficient manner.
Staffing has also been a persistent challenge that services can help to alleviate. According to a 2022 report from (ISC)², the global cybersecurity workforce grew to encompass 4.7 million people, its highest-ever level. While it’s great news that the industry is prioritizing security professionals, the sector still needs over 3.4 million additional professionals. This is an increase of over 26 percent from 2021’s numbers and a reversal of a trend from its 2021 study, which had shown the gap between supply and demand finally beginning to narrow. With the level of need now growing further out of reach, the war for talent rages on.
This poses a major challenge for security leaders, who are typically given a fixed budget to accomplish their goals. From that budget, they need to hire people who can manage multiple responsibilities, all radically different. And the reality is, the people who can proficiently do all those jobs are unicorns: they just don’t exist or are far too expensive, and most organizations can only afford a pony. In addition, technology proficiency is a perishable skill that atrophies if not used frequently. Unlike in-house security staff at all but the largest enterprises, service providers’ employees can concentrate on specific technologies and systems and develop deep expertise in them.
By relying on managed service providers that are staffed with top cybersecurity professionals who can serve as an extension of their team, InfoSec leaders can spend less time worrying about closing the personnel gap and more time focusing on mission-critical IT issues such as supporting workers and automating systems.
Supply Chain Attacks on the Rise
While it’s undoubtedly true that hardware and systems ownership often creates a false sense of security and makes CISOs’ jobs more complicated, the shift to cloud-based solutions and service providers does bring some risk. By externalizing business operations and moving critical resources out of their immediate control, enterprises are making themselves more vulnerable to distributed denial-of-service attacks and other supply chain threats. A recent Neustar International Security Council study found that confidence in the supply chain ecosystem is waning, with many organizations reporting that they currently feel exposed through software or service providers. Three in four senior-level security decision-makers responding to the survey said they now consider supply chain risk a top priority. Given the interconnected nature of modern business, any industry can fall victim to supply chain threats. Prominent attacks like SolarWinds and pervasive vulnerabilities like Log4j have demonstrated that any trusted partner, and any on-prem software it uses, is now part of a company’s attack surface.
Mitigating Partner-Associated Risk
To be able to trust that their partners will not create new vulnerabilities in their environment, organizations need to engage in a few best practices:
- Implement more rigorous vetting. Businesses must increase the rigor of their due diligence processes for potential new partners, and even for existing partners before re-signing. The InfoSec team can use a standardized questionnaire (updated annually) to help determine whether a partner’s security priorities and practices are in alignment with its own. Depending on the type of partner relationship (high-risk and critical suppliers should be prioritized), measures could range from auditing the partner’s supply chain practices to working with a company that monitors vendors’ reputations in the market.
- Hold partners accountable. Security requirements must be part of software and service provider partners’ contractual obligations, with companies stipulating that partners maintain security standards that are at least as stringent as their own, and ideally granting audit rights to inspect their controls periodically.
- Actively test and scan. Of course, organizations still have their own responsibility to vet the solutions they use. Every business should actively perform vulnerability scanning on all systems to the best of its ability; test incident response processes; and, when possible, engage third-party penetration testing firms to verify defenses.
Final Thoughts on Managed Service Providers
Organizations’ growing reliance on software-as-a-service (SaaS) offerings, and closer integration with the providers that deliver them, has increased the risk of business disruption due to supply chain attacks. But we can’t un-ring the third-party provider bell, nor should organizations want to. The shift to services has enabled companies to do much more with less, not only in terms of the overall digital transformation process and the opportunities for new efficiencies and new business models it brings, but even in terms of cybersecurity more specifically. Considering the constant changes in and growing complexity of both the threat landscape and the InfoSec solutions environment, the ability to reduce capital costs, ease hiring headaches, and embrace the greater flexibility and specialized expertise that services offer makes the opportunity to shift to a service-based model too good for most security leaders to pass up. But any transition must be done carefully and deliberately, and appropriate partner due diligence must be part of the equation.
- How to Maximize the Potential of Managed Service Providers - March 22, 2023