The National Crime Agency (NCA) has recently said that businesses and law enforcement agencies are losing the ‘cyber arms race’ with online criminals. It says that the technical capabilities of criminal gangs are outpacing the UK’s ability to deal with their threats.
As security professionals, it’s something we’re acutely aware of – it really is an arms race and it’s one that we will be fighting for years to come. The effective response, according to the NCA, is one of collaborative action from government, law enforcement, industry regulators and business leaders.
Whilst this is a laudable goal, the reality is that as well as collaborative efforts we also need to be providing businesses with the very best tools and services to protect themselves and allow collaboration to take place. It’s no easy feat and requires CISOs to bring to bear all their forces on the growing threat of breaches, advanced persistent threats and insider attacks. At the same time, the need for oversight from executive management and corporate boards has never been greater.
When security is a priority from the executive level down, the entire business becomes a collaborative environment, working responsibly – taking calculated risks, but only when it makes sense to do so. CEOs, CFOs, CIOs and other senior executive leaders who fail to take an active role in security put their organisation at risk.
To the CIO or CISO, risk management is a matter of some key elements: policies for influencing behaviour, technologies for controlling behaviour, and people to keep it all working. To the CEO, however, security needs one more important component: tireless diligence. That means ‘eyes on glass’ 24/7.
Opposing forces make 24/7 security difficult
The always-on, 24/7-monitored enterprise is the dream, but there are a number of factors preventing the dream from becoming a reality. One, there are too few skilled security professionals to hire. And two, advanced threats and critical risks are growing each day. Companies need both expertise and technology, but only those with the deepest pockets can afford to manage all threats internally.
For those without the deepest of pockets, this leaves one of two options: deal with security on the budgets they have, which may cover the basics of technology and monitoring, or, alternatively, look to a Managed Security Services Provider (MSSP).
A recent survey conducted by Forrester Consulting, on behalf of Masergy, found that some 78% of companies are partnering with, or plan to engage, an MSSP to deal with the growing threat landscape. The Forrester research also found that half of those surveyed are using MSSPs for 24/7 monitoring services and that 40% are considering them for advanced threat detection and intelligence.
MSSPs are increasingly popular with cyber security teams because they fill organisational gaps and free up resources. The research also found that organisations working with MSSPs not only find more security issues, but also deal with those issues better.
In the survey, more than 55% of respondents working with MSSPs said their relationships give them a better understanding of what to do next. Slightly more than half also said that working with MSSPs improves their accuracy in detecting threats, while more than 40% of those working with MSSPs said they get faster escalations when issues are discovered.
It probably comes as no surprise that outsourcing aspects of security management to an MSSP augments constrained IT resources. When used effectively to supplement internal IT security teams, managed security can help departments take a strategic role as a consultative function within the company, rather than simply responding to various threats.
This, we believe, is key in gaining the upper hand in the cyber arms race. The consulting can come in the form of:
- Advising business units on how to weave security and responsible behaviours into all key business operations
- Establishing best practices
- Evaluating critical systems
Rather than investing more and more in advanced solutions and hiring the personnel to manage them, CISOs can turn the task over to a service provider, relieving the organisation of having to stay on top of a rapidly evolving threat landscape.
With MSSPs in place, the focus of CIOs and CISOs can be shifted towards the collaborative effort called for by the NCA. In reality, cyber crime and IT security are no longer purely technical issues but a board-level responsibility. For businesses to be able to share intelligence with law enforcement, government and other businesses, they need the ability and capacity to do so, something that can be greatly improved with the use of third-party MSSPs.