How Managed Security Services (MSS) Can be a “Win-Win-Win” for Small and Midsized Businesses

For Information Security professionals in Small and Midsize Business (SMB) organizations, it often feels like you and your team (if you’re lucky enough to have one) are fighting an uphill battle. Investments in hardware, infrastructure and qualified personnel seem to be in direct conflict with the business goals to grow service offerings, facilitate business channels and comply with ever-changing regulatory requirements. As the threats to your organization’s security and data seem to increase exponentially, the fact is that security often takes a backseat to other perceived priorities … until it’s too late.
 
Quantifying the Risk
Based on recent data, you may have the business case you need to demonstrate that cyber threats aren't just a problem for the “big boys” of the Fortune 500 any longer:

  • According to Symantec’s 2013 Threat Report, there was a 42% increase in targeted attacks in 2012 for the SMB market. What may be even more shocking is that 31% of those targeted attacks were directed at SMB organizations with fewer than 250 employees, nearly three times the number of targeted attacks on SMBs recorded in 2011.
  • In terms of quantifying the financial risk, consider that the average cost per compromised record in 2011 was $194, and the average total organizational cost per breach was $5.5 million (Ponemon Institute, 2011 Annual Study: U.S. Cost of a Data Breach, March 2012).
  • According to the Ponemon Institute’s more recent study (2012 US Cost of Cyber Crime Study), “The most costly cyber crimes are those caused by denial of service, malicious insiders and web-based attacks. Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, application security testing and enterprise governance, risk management and compliance (GRC) solutions.”

While I could continue to define the impact, I think most of you understand and recognize how costly external and insider threats can be, particularly to SMB-sized organizations. Large enterprise organizations have the resources and deep pockets to weather the storm created by security failures (and even negligence), such as the recent and highly publicized breaches at Sony and Michael’s Stores. However, the financial penalties, reactive costs and brand reputation damage for smaller organizations can essentially be a death sentence.
 
Understanding the Threats
So where are all these threats coming from? Verizon recently partnered with the Australian Federal Police, the Dutch National High Tech Crime Unit, the Irish Reporting and Information Security Service, the Police Central e-Crime Unit and the United States Secret Service to provide a global perspective on what’s driving the increase in threat activity (Verizon, 2012 Breach Investigations Report, March 2012).

  • Source of breach:
    • 98% from external agents
    • 4% from implicated internal employees
    • <1% from business partners
    • 58% of data theft tied to activist groups
  • Methods:
    • 81% included some type of hacking
    • 69% leveraged malware
    • 10% included an actual physical attack
    • 7% leveraged social tactics as an entry point
    • 5% were the direct result of actions by privileged users

At the end of the day, threats to your organization’s data and security come in all shapes and sizes and from a variety of sources. As the siege continues to shift its focus toward the 25 million SMB target organizations in the US, we at FishNet Security are seeing more awareness of, and greater interest in, strategies, solutions and services from our SMB customers. One of the top areas of interest, particularly in the last 12-18 months, has been Managed Security Services (MSS).
 
Defining Managed Security Services (MSS)
If you haven’t heard the “buzz” around MSS, you are most likely in the minority in 2013. Analysts and technology vendors alike have been debating the pros and cons of MSS: eliminating the upfront depreciable costs of hardware and network infrastructure, while minimizing the need for new headcount and the learning curve for your existing security professionals. The SMB market has been quicker than large enterprises to adopt MSS due to challenges with resources and the ability to provide 24/7/365 coverage.
Before we examine the business case for leveraging MSS to address the challenges outlined above, let’s first define what MSS is, what it does and how it is being applied in the marketplace today by your partners and competition. For this I’ll rely on our analyst friends at Gartner, namely Mr. Kelly Kavanagh, who does an excellent job covering professional and managed services for network and Internet security. They define MSS as “the remote management or monitoring of IT security functions delivered via remote security operations centers (SOCs), not through personnel on-site” (Gartner: “Magic Quadrant for MSSPs, North America,” Kelly Kavanagh, 15 November 2012).
At a technology level, most MSS offerings include all of the following, or some tiered combination of them:

  • Managed Firewall/VPN
  • Managed Security Information and Event Management (SIEM)
  • Managed Secure Remote Access (SSL VPN)
  • Security Device Compliance Monitoring
  • Managed Intrusion Detection/Prevention (IDPS)
  • Managed Security Log Monitoring (SLM)
  • Managed Continuous Threat Management (CTM)
  • Managed Unified Threat Management (UTM)
  • DDoS (Distributed Denial of Service) Threat Management

 
Why MSS Can be a “Win-Win-Win” for SMBs
With fewer resources at your disposal, increased compliance requirements from business partners and regulatory agencies, growing threats from internal and external sources, and rising demands from your employees and user communities, MSS can be a very attractive option. I typically categorize the MSS business case for SMBs into three main pillars:

  • Win #1 – Improved Efficiency & Productivity
    • By handing over the management of security to a third-party provider, you free up yourself and/or your staff to focus on activities that directly support and grow the business.
    • Purchasing new security hardware/software can leave your staff facing a steep learning curve in using and managing the actual device or software, as well as in the logistics of integrating it properly into the existing environment. An established MSS provider will already have the knowledge, dedicated resources and standardized procedures in place for this to happen quickly and effectively.
    • MSS often brings improved flexibility, scalability and bandwidth. It also means that you can deploy new software and services much more rapidly, because a flexible and scalable security framework has already been established.
  • Win #2 – Increased Compliance & Security
    • Chances are you are no stranger to the complexity of rules and regulations regarding how you capture, store and manage consumer data, especially if you are in a highly regulated industry or serve business partners that are. Because an MSS provider must adhere to all of these standards, from HIPAA to GLBA to PCI, it is already equipped to provide the safeguards needed to ensure customer and partner data privacy.
    • It’s no secret that technology moves at a rapid pace. If you think hardware and software evolve quickly, consider how rapidly solutions designed to keep pace with the constantly changing threat environment must adapt. By assigning an MSS provider to keep its sights on those countless moving targets, you benefit substantially from shifting that responsibility.
  • Win #3 – Revenue Growth & Cost Containment/Avoidance
    • Because MSS adheres to the SaaS model, it negates the large upfront investment in depreciable hardware and expensive software, and provides a more predictable “pay-as-you-go” billing option. Adopting an MSS strategy also means that you can take advantage of the provider’s “economies-of-scale” savings.
    • When you take an ad hoc approach, acquiring and deploying your own security solutions over time as budget and resources become available, you may end up with a number of disparate systems that become increasingly unmanageable. Moving to an MSS model can be an opportunity to reduce complexity by consolidating security applications into a single solution with a unified architecture, managed by a trusted provider that knows your business.
    • As I touched on briefly above, MSS can help you avoid the legal and compliance pitfalls associated with the collection and storage of customer and partner data. Not only does MSS offer a compelling business case from the cost-avoidance aspect (avoiding fines, penalties, lawsuits, etc.), but ensuring that procedures and policies are always up to date can be a competitive advantage when courting new business partners or large clients.

While all of this sounds great, you and I both know you can’t simply hand over the keys to the kingdom and wash your hands of all responsibility. Just as there is always some trepidation in handing over the keys to the family car to your newly licensed teenager, the same is true when handing over the potential fate of your organization to a third-party service provider. That’s why, in my next blog, I’ll be covering what you need to know when choosing a Managed Security Services Provider (MSSP).