Wait, you want my keys? You'll just watch my house? I'm okay with that!
From my last post you know I previously worked for a MSSP, but I've also been on the other side, working with them as a customer. Furthermore, I've staffed and cultivated analysts working inside MSSPs, created Incident Response systems and developed Metrics (fun, fun, fun!) to manage the health of MSSP businesses. Participating on both sides, I've seen the needs of the MSSP and the needs of the businesses they serve both fluctuate wildly.
Note: Whenever MSSPs are discussed acronyms usually start flying. I've defined them at the end of the page for reference.
Managed Security Services Providers, or MSSPs, come in all sizes and specialties: some have names you've probably heard of, like AT&T (yep, they do more than drop calls); others you'll never know of unless you are looking for Managed Security Services. The variety of services offered runs from basic security consulting to a fully outsourced SOC. No matter the type of MSSP, the fundamental concept is this: you are asking someone else to assume risk you are unprepared for or unwilling to accept. Currently, MSSPs are benefiting greatly from this transference. The last few years saw a great deal of M&A related to MSSPs. Just to name a few:
IBM → ISS, Verizon → Terremark, Dell → SecureWorks, NTT → Solutionary, Deloitte → Vigilant
This M&A fervor is a sure sign the market is past the emerging stage and onto the growth stage. I expect to see even more activity this year. Not that I need an excuse to make a graph, but I've compiled the revenue figures I could locate to show this uptake visually:
[Graph: compiled MSSP revenue figures. Sources: Frost and Sullivan, Gartner, Forrester, IDC, and Yankee Group]
The roads managed security service providers are traveling were not always paved with profits. Quite a few went extinct before it became acceptable to outsource your security needs. While I feel remorse for those that were ahead of their time, I'm far more curious about the reasons they were unable to change perceptions or obtain a sufficient customer base for profitability. I believe there were several reasons for this shift in acceptance. Let's go back in time a bit and explore how we went from anathema to acceptance.
So it's 2005
A couple of guys are sitting in the parking lot of TJMaxx cracking WEP. Innocent geek fun? Not really. Fast forward a couple of years and TJMaxx publicly admits to what was, at that time, the largest financial breach in history. There were certainly other breaches prior; people even make awesome visualizations of them. Most of the time these breaches were just embarrassing: you would get hacked, your site would get tagged or its visitors redirected, but nothing of value was usually taken. Until TJMaxx, the biggest coup was stealing a lot of email addresses. While email addresses have value to those wanting to peddle "enhancement" pills, to the average person a leaked address is just an inconvenience of a few mouse clicks. Expose someone's credit card number? Wait just a minute... Now you have the theft of something whose value is universally understood.
I assert that this breach was the beachhead for the public acceptance campaign MSSPs needed. Once the trust customers had placed in the company was broken, bringing in a third party started to look like a necessity. Not only did this bring awareness to the public, it also spread fear within other companies, which began to think "Could this happen to me too?". Today data breaches are all too common, and soon it won't be just the retail industry that has Loss Prevention units.
Ever use Gmail?
While the way-back machine is out of the garage, let's examine another aspect. Back in those days companies used to have their own servers in their own data center in their own office. Crazy, right? Flash forward to today and odds are you are outsourcing something to the cloud. Whether you prefer infographics or plain ol' text, the message is the same: everyone is doing it. When you use cloud services, not only is the server no longer in your office, neither is your data. That creates brand new security challenges for both you and the cloud provider. However, these challenges are outweighed by the convenience and cost savings that the cloud and outsourcing offer.
Clearly the adoption rate of cloud services indicates people are willing to accept the risks. With Gmail celebrating its tenth anniversary this year, there is proof that this crazy concept of data non-ownership is here to stay.
Wait this costs money?
Another source of resistance to the idea of hiring a MSSP is the obvious one: money. This is where it gets interesting from the MSSP perspective. Security just has not behaved like normal IT markets, especially when it comes to scaling. Let's examine why:
- Security is far too dynamic for someone to survive as a generalist; stay out of the game too long (a month?) and you become a historian. This puts an extreme amount of pressure on someone to choose a security discipline and persevere at it.
- The Attack Surface of your average company is immense and continues to grow.
- Information Security Protection has not reached, and likely will never reach, an economy of scale. While vendors like AlienVault with the USM platform have found ways to reach scale from a product perspective, the human capital side is simply fixed: each analyst hour still has to be bought one at a time.
While InfoSec hasn't reached economies of scale, MSSPs certainly are realizing economies of scope. The MSSP has the advantage because it is far more efficient to scale a single discipline across many customers than it is for a single customer to scale its staffing to match the capabilities of a MSSP. These factors have caused a dramatic swing from "I can't afford to pay a MSSP" to "I can't afford my security needs".
There are also accounting advantages to using a MSSP. Marie Alner does an excellent job summarizing this:
The primary motive for considering outsourcing is cost reduction. Long-term outsourcing contracts convert variable costs to fixed costs, and make technology spending more predictable. The tax advantage comes from the ability to deduct the expense of outsourcing fees from current year earnings as opposed to depreciating an internal data processing department's hardware assets over time. Outsourcing agreements can yield capital for cash-strapped organizations if the outsourcer purchases the client's hardware assets. In addition, companies who outsource enjoy cash flow improvements resulting from the transfer of software licenses and personnel to the outsourcer, and the release of obligation from a facility lease and the associated physical plant maintenance costs of a data center.
What do you mean your business isn't reverse engineering malware?
I'd be remiss if I didn't discuss the core competency concept. I'm going to go out on a limb here and posit that your company doesn't produce IDS signatures, doesn't operate a test lab for malware research, and doesn't perform code review of the software running on your network. If your reply was "Yes I do!" then either you've been privileged with a wondrous budget or you're a MSSP. For the rest of us that make widgets and thingamajigs, using a MSSP is simply practical. A MSSP should have the same mission you do: create the best product or service possible. So keep making the best widgets you can and let the MSSP worry about Zeus, BlackPOS or whatever the current threat is.
Cost of Liability
Let's not forget that IT Security is just another layer on top of the business principle of Risk Management. If you can limit or transfer liability to another.... Now don't go thinking that MSSPs are glorified insurance policies; they know how to write contracts just as well as any industry. Besides, actual breach insurance is a new industry too, and who do you think is guiding it? But pecuniary liability isn't the only form to worry about. How long until "Target" and "breach" stop getting used in the same sentence? The liability of misperception, mistrust, and misguidance can be long lasting; far longer than the charge on the balance sheet.
Currently, this wave of acceptance around the idea of outsourcing security to a MSSP is the result of many peaking trends. The combination of awareness, prudent financial thinking and the pervasiveness of cloud services is putting MSSPs in the driver's seat. Companies of all sizes now have access to specialists in a field that simply requires specialization. Remember, like every kind of service provider, some are better than others. Finding one that is right for you starts with an understanding of what your needs are. That, though, is a whole other topic. So toss your keys to the MSSP, let them watch your house and help you keep your valuables safe while you keep your focus on your business.