AUGMENTED SERVICE PROVIDERS: A POTENTIAL NEW PARADIGM FOR MSPs?
Recruiting and, more importantly, keeping cyber security professionals is becoming one of the biggest challenges organizations face today in their cybersecurity strategy. According to the website Cyberseek.com there are 714,548 thousand job openings in the cyber security space with a total job pool of 1,806,123 total jobs.
This means that almost 40% of the jobs available in cybersecurity are vacant. Two of the biggest gaps in the workforce, according to cyberseek.com, are in provisioning (deployment) and operations/maintenance. With the cyber security spend on the rise due to stricter legal and cyber insurance requirements, often organizations will purchase products simply to check off a box on an application, be it insurance or governance.
Sadly, this approach does little to help organizations improve their security posture in an ever-dangerous cyber world. Tools are being purchased without getting the full utilization capabilities due to lack of knowledge, lack of training and/or lack of skilled operators.
There has been some relief with semi-automated machine learning tools that can remediate potential threats, but with most professionals not quite ready to let “SKYNET” take control of their environment, today’s tool-filled workforce is suffering from too many tools with not enough people or knowledge. This trend has been an industry concern for many years as more vendors cram into the space.
MANAGED SERVICES CAN BE A HARD PILL TO SWALLOW
When I started in the industry over 20 years ago, typically there was a single “computer guy” (sorry ladies) at most organizations that did everything from fix laptops to plug in the network equipment to select vendors.
I’ve personally been selling managed security services for over two decades. Along with CheckPoint, the company I worked for hooked up the first ever commercial IPSEC tunnel between disparate firewall vendors. This project was for Ford Motor Company to connect its supply chain (since back then you could only connect devices from the same manufacturer, IPSEC was bleeding edge).
Managed services were commonplace for this new and emerging technology that most administrators didn’t understand or have time to manage. As things became easier and more interoperable, companies shied away from managed services, often due to cost but more often to have fast and complete control over their infrastructure. Managed services became relegated to a small segment of the customer base who outsourced their critical security needs.
While most companies no longer utilize managed services, there has been a steadily growing segment of companies that leverage the expertise and availability of Managed Secure Operations Centers, Managed EDR, Managed XDR, etc., to handle some of their most critical duties in the security space. Sadly, however, this is the exception more than the rule for many organizations.
With the above-mentioned lack of security expertise, it is a wonder why more people aren’t taking advantage of managed security in the organization. I believe it is for a variety of reasons:
· Lack of Flexibility
· Disparate Systems
· Perceived Cost
· Poor Planning
Many times, managed service providers lack the ability to tune their offerings to the customer’s needs. Offering a canned list of check boxes, this “one size fits all” approach often leaves customers paying for services that they prefer to do themselves or simply do not want or need for their organization.
In addition to the above-mentioned inability to handle tasks flexibly, organizations are charged for things they don’t use or need, lessening the value for fully managed operations.
Add to that, service providers typically only handle a small number of security vendors. This limits the ability of the MSP to effectively handle the tools, further limiting the effectiveness of using a fully managed service.
There is also a perception of cost associated with a managed service, since it can get quite expensive yet still not provide the complete set of services that a customer might require. The cost can be excessive for many companies who are constantly justifying expenses in a down economy. Contracts typically last 1-3 years, while the needs matrix often changes monthly as key team members leave the organization or shift focus. This state of flux creates gaps in the security posture that need to be addressed on a short- or long-term basis, instead of yearly.
Finally, most organizations do staffing with the mentality of a break-fix shop. ISACA reports that the CISO of an organization rarely stays for more than two years, leaving many organizations with new strategy, orphaned tools, and changes in philosophy, happening at a rate which is unacceptable for the millions of dollars spent on security tools a year. With the CISO being one of the highest turnovers in the profession, it’s no wonder why the security spend on products far eclipses the consulting spend in most organizations. Long term contracts typically aren’t in the plan.
A NEW METHODOLOGY FOR SERVICES
As a professional that looks at trends in the cyber security space, I am seeing an evolution of how services are being utilized. As the market for security professionals gets more competitive, the landscape of services needs to evolve with it. Currently, “managed service providers” dictate to the customer what they will and won’t do, with limited ability to adapt to the customer’s needs. Customers are faced with an ever-changing pool of talent to combat an ever-expanding threat landscape. Thus, the traditional managed services model where a vendor handles one piece of the puzzle is becoming far less attractive to organizations.
AUGMENTED SERVICE PROVIDERS – A POSSIBLE EVOLUTION OF MANAGED SERVICES
I envision the market will see an augmented service approach, where the customer needs are offered in a “concierge” style. As the organization ebbs and flows, the menu of “managed” operations can expand and contract as needed. An organization can start small by offloading the more mundane tasks in data security operations and perhaps offer extended hours of coverage as an initial use case. This could change based on the workforce ebb and flow.
If there is a key team member that needs vacation time, the service can be expanded short term to cover, instead of just heaping more work on the likely already overworked staff. Even more important, if a key team member is lost, the augmented staff can take over those job duties on a short- or medium-term basis so the rest of the staff doesn’t get frustrated by the extra work on their already limited time.
A challenge to be avoided is the “death spiral” of losing more staff as the existing team is asked to take on more duties in an often already overworked position. In speaking with one CIO, he disclosed “not one of our SOC team has been here more than a year”. This is an all-too-common problem that most don’t wish to discuss. Typically, it’s just not on the planning roadmap for most organizations.
I believe we will see this shift in the “managed services” space as organizations gain more awareness of their business continuity needs instead of the current reaction-based approach. The “menu” of services to be managed will be flexible and fluid to accommodate the organization’s business needs instead of locking them into a long-term contract.
Augmented providers will understand the customer infrastructure, what applications are important and what risks are most critical to the organization, while keeping an open dialog with key stakeholders. In this way the augmented staff can be metered to handle an ever-changing workforce without turning over the “keys to the kingdom”.
About the author:
Eric Marchewitz is a security solutions architect, recovering CISSP and AWS Cloud Practitioner. His career in information security has spanned 23 years, working for companies such as PGP Security, Cisco Systems and Check Point. Most recently he is a Field Solutions Architect for CDW Corporation. This article doesn’t reflect the views of CDW and is for information purposes only and should not be considered professional advice. No warranty of the information contained within is given.