Manage Security Services (MSS) are sometimes being wrongfully reduced to the role of one company IT security outsourced to an external provider. Actually, it has always been far more multifaceted than this simple vision, and it is essential that managed security providers (MSSPs) collaborate more with their clients as the digital transformation of business is bringing significant changes ahead.
As a matter of fact, the “one size fits almost all” era is progressively fading away due to the growing complexity of architectures to protect and cyberattacks on the rise. Petya incurred $300 million to Maersk in 2017, WannaCry almost £92 Million to the NHS and recently a US healthcare billing company American Medical Collection Agency (AMCA) filed for bankruptcy due to a data breach affecting more than 7 million users last year. Initially, MSS focused on centralized network infrastructures with servers, desktops, and traditional devices. However, the cloudification of operations and support has brought a vertical dimension into the picture. This implies for MSSPs to cover a new and wider scope with additional security vulnerabilities to deal with; if it means more business opportunities, it also requires strong internal investments for a ready and fit- for- purpose product portfolio.
The cloudification is also bringing more confusion on defined roles and respective responsibilities between cloud providers, MSSPs and costumers, with potentially a significant legal and financial impact for those who are not reading each Terms and Conditions of engagement contract carefully. It can be simple actions, such as ensuring regular data storage and back-ups frequently (hourly/daily/monthly) for information security; this task is generally to be done by the end-user, but these quite often wrongly assume cloud providers or MSS will perform it. As the networks get bigger and interconnected, understanding who is in charge and expected duties are becoming cumbersome. Clear definitions and tasks are essential. The technology is also evolving faster than enterprise culture and assumptions can become easily incorrect, similarly with simple employee mistakes.
"Security will always drastically benefit from a robust security culture, basic information security awareness and code of ethics"
The cloud and its inherent security concerns are not only bringing new competitors into the market place with specific product lines intended for cloud security, such as the Cloud Access Security Brokers (CASB) like Bitglass or Forcepoint, but also new business models with the promise of more scalability and savings depending on use cases and bespoke requirements. The Software as a Service (SaaS) is slowly changing traditional patterns. There is a shift in perception, where the customers initial focus on complete security solutions- often being underused but costly- is now on Security as a Service and consumers are only willing to pay for what being used. These new approaches are not only forcing traditional MSSPs to review their product line, but also to align on deliveries approaches and get closer to end-user requirements on what is making financially most of the sense for them (per user or per devices, on monthly or yearly subscription etc.). It does not mean that traditional business models (Licensing) will disappear anytime soon, but market evolution dictates to increase solutions flexibility to retain clients and attract new ones. In the meantime, vertical integration of cloud security services companies are witnessed (MSSPs leaders such as McAfee who acquired Skyhigh Networks in 2018) to consolidate market expertise.
However, the cloud is not the main market disruptor in the manage security services ecosystem: the years to come are adding even more challenges as new industry participants in Machine Learning or Blockchain are gaining increasing traction from key MSSPs clients. Technology maturity is still debatable, especially at a security level, and sometime it is not fit for enterprise purpose, but impressive progresses are being noticed year after year (e.g. Sophos, Dartrace, VectraAI, Senseon). Whilst the competition is becoming fierce, the operating environment is also adding a new layer of complexity: it starts with end point security and finishes with the multitude of Internet of Things (IoT) devices. The new overall architecture, data and infrastructure management is the next challenge for MSSPs since there is a critical lack of security.Moreover, IoT is bringing a convergence between physical and virtual security. What will this mean for traditional MSSPs clients? Will they adopt patchy solutions to ensure a minimal security level? Will they follow technology evangelists and security unicorns to get more bespoke and high tech solutions? Or will they go for the Big Four who offer an end-to-end IoT security solution such as Microsoft?
However, no matter how smart and performant new security solutions are being developed and cost-efficiently provided to the client, the main factor to consider at all time is to keep the human in the loop. Security will always drastically benefit from a robust security culture, basic information security awareness and code of ethics.