One of the questions I’m asked most often is, “Why do we need a Managed Security Provider, and how can a third party MSSP manage our applications and infrastructure better than the people who designed and built them?” The same people often go on to ask if the cloud makes a managed security solution less important than it was before, since another third party provider is now in charge of serving up and presumably safeguarding your data.
The realities of the current environment
The answer lies in the reality of providing complex technology in support of demanding users in an ever more competitive environment characterized by:
- Application software providers who continue to set higher expectations for functionality, performance and availability for end users.
- Cloud-based Software as a Service (SaaS) solutions that (as noted above) in a matter of days can transfer control out from under your well-architected, trusted environment and onto cloud-based black boxes selected by the application developer, creating a complex web of data exchange that’s now necessary to support efficient and seamless business processes.
- Users once located within the protective walls of corporate real estate are now constantly on the move, traveling globally, surrounded by unknown people, and using unprotected networks.
- Constant pressure on IT to be a good steward of your company’s resources by managing your operating expense.
A real, big problem. Whether you are big, or small.
When you add all the uncertainty up, the use of an MSSP make increasing sense. But is it really a big deal, or just hype created by the providers themselves? The truth is, today the problem is undeniable. News of breaches on commercial/governmental entities is everywhere.
But you don’t have to be big (Target, for example) to worry about being targeted. While the big breaches make news, big companies tend to be better protected and harder to hack than smaller ones, who can be more lax about security. The fact that many small companies do business with larger ones also makes them excellent channels for hackers to use to attack larger partners indirectly. The Target attack, for example, was reportedly launched through an HVAC maintenance partner.
Security is a numbers game…
Hacking is often a “numbers game;” attackers randomly target ranges of addresses looking for vulnerabilities to be exploited and monetized. Credit cards, account numbers, personal identifying information (PII, that can be used to open accounts/request tax refunds), information that can be used for phishing, or email accounts to leverage by sending spam and malware to infect other computers. And the attacks are becoming increasingly sophisticated. A 2015 Ponemon/Symantec study found 47% of breaches were part of planned criminal or malicious acts, initiated by professionals who put a great deal of thought into the process of quickly monetizing the assets they find.
… A game that’s hard to win by yourself
The IT manager’s problem solving “text book” solution is pretty clear. Perform a gap assessment using one of the many commonly used solution frameworks. Then create a roadmap to close the gaps.
What could go wrong with this when applied to computer security? A lot. For starters:
- Security projects are complex and require well-paid specialty resources who are increasingly difficult to hire in the current competitive market.
- The shear breadth of the security landscape is massive. There are hundreds of technologies, products, and service solutions. Just keeping up with the latest threats and available security alternatives requires 100% dedicated resources.
- Cyber vulnerabilities are identified by the dozens every week, and cybercriminals have resources dedicated to attacking them as soon as they become known.
Summary: Security is not just a battle; it’s a war.
To sum it all up, security is like a war. Not in the sense of guns and bombs, but it’s a global conflict involving loosely-organized-but-cooperative factions of bad people on one side; thinking, reacting and planning harm. The sad fact is, theft pays. So our opponents employ other skilled warriors, and, they work together as one against us (the good guys), creating common weapons in the form of exploit kits and selling them to each other on the black market.
The upside is, by working with an experienced MSSP, you can do the same thing. Which in turn can free your own team from the 24/7/365 burden that comes along with that task. Of course every organization is unique. To help you see if an MSSP is really right for you, Part II of this post will provide a list of questions to ask yourself to see where you really stand. In the meantime, feel free to share your thoughts on the topic. Security, as noted is a numbers game. And the more we all work together, the more the numbers are in all of our collective favor.
Image Credit: betanews.com
How Do Data Breaches Happen?
Our infographic Understanding the Retail Data Breach can help you understand and communicate to others in your organization some of what you’re up against, with some key stats to make your case and some ideas on solutions to get your data house in order.