The New Demand for Managed Services
CISOs: Enterprise Risks Make Outsourcing Imperative
Security practitioners favor an outsourced managed security services model because, against growing threats and breaches, organizations need to look beyond compliance to map business risks and align security with business performance.
CISOs agree they need third-party support from a partner who can guide them in mapping the risks and act as a subject matter expert to help build an effective incident response plan.
Says Mumbai-based Sameer Ratolikar, CISO, HDFC Bank, "A managed security services provider is very much needed. It's a challenge to find people with domain expertise across all aspects of security."
Gartner says the managed security services market in India is definitely on a positive trajectory and expected to grow at 8-10 percent CAGR through 2019.
The discussions come in the wake of every industry forum and analyst observing positive growth for MSSPs in India.
Why are MSSPs Needed?
Security practitioners say that the first step toward data security management is to employ MSSPs who can find ways and means of giving visibility to customers' data. This itself would reduce data breaches.
The reason for MSSPs' positive momentum, says Bangalore-based Sriram S, co-founder and director at iValue Solutions, a technology enabler, is that threat vectors have become more complex: "Launching malware or DDoS attack is cheaper and simpler, and signature-based security technologies are not effective."
He argues that enterprises also need subject matter experts like analysts for post-detection and for real-time analyses to take corrective and preventive actions. MSSPs fill this gap.
Gartner's principal analyst, Sid Deshpande, says organizations are leveraging external monitoring services from MSSPs because of cost, budgeting and staffing considerations.
"A good MSSP has well-architected security operation workflows, while many Indian organizations today may not have significant past experience with security monitoring," argues Deshpande.
Traditionally, MSSPs focused on monitoring/management of network security equipment, he says. They now offer emerging services such as advanced threat protection, public cloud monitoring and threat intelligence.
Delhi-based Pradeep Eledath, chief executive officer at Safe++ Global Technology Services Pvt. Ltd, the company providing virtual CISO services, argues that the MSSP model is preferred since threat actors have moved from amusement value attacks in early 2000 to state-sponsored, market-manipulated, competitor-driven or military and politically-driven objectives in 2015. So, businesses are under immense margin pressure and forced to offer high-end services and open business models at low cost - all of which are susceptible to attacks and data proliferation by sophisticated attackers.
He believes traditional business models are also under threat of violating regulatory compliances or license conditions.
"Many organizations employ multiple security vendors, each delivering a small component of security requirements; contracting and managing multiple vendors is a nightmare for organizations, already reeling under reduced internal resource pressure," says Eledath, adding that this calls for enhanced skill sets to identify and tackle such threats.
For Ratolikar, having a third-party security service provider is critical to create awareness among his employees, help maintain hygiene and fill the talent gap.
"The biggest challenge for me as the CISO is to handle security operations and data flow of various businesses and its subsidiaries and map the risks," says Ratolikar. "I would even outsource SIEM services along with security operations to create a secure environment," he says.
At Your Service
Most security leaders agree that the scope of MSSP starts with 24x7 monitoring with stringent service level agreements on breach detection and prevention tasks.
iValue's Sriram says that sharing threat intelligence feeds with customers, along with providing expertise on various aspects of security, is the key service.
The services Ratolikar sees coming include service partners allocating over 10 people to handle security operations for the organization, about 3 to 4 for vulnerability assessment and detection, and a couple to address vendor risk management tasks, among others.
"The partner will also help develop security policies and suggest controls required in developing incident response services within the organization," says Ratolikar.
Eledath categorizes MSSP offerings into:
- Strategic - Understanding the business objectives of the organization, collating business requirements and developing a business model for quantum and depth of security outsourcing. This stage also involves carrying out a risk assessment at the business, technology, people and process layers to arrive at current, planned and desired states of security maturity of the organization;
- Tactical - Defining a detailed design for a security operations centre (SOC), building up and implementing the security process and services catalogue, identifying and deploying the tools required to run the SOC, and resource planning;
- Operational - Involving security operations, monitoring (either 24x7 or 9x6 as desired by organizations) and analysis, incident response and management, reporting and security governance.
Experts say it's important to ensure that MSSPs provide five styles of advanced threat defense under the subscription-based managed service and retainer-based consulting.
Deshpande says, "CISO must ensure the partner provides network traffic analysis, payload analysis and endpoint behaviour analysis in real time, and network forensics and endpoint forensics in a post-compromise scenario."
"I have witnessed a good amount of cost saving, with no capex and savings on products and manpower; the effort to hire talent is lowered, a good fit for SIEM services," says Ratolikar.
Experts warn that enterprises need to ensure MSSPs can address external threats, handle network activity, provide resource access and monitor user administration work on three parameters - monitoring, analysis and remediation - to drive the benefits of outsourcing.
The new areas MSSPs focus on include SIEM, mobile device security, app white/black listing, next-generation firewall and NAC.
"The key advantage CISOs could avail through an MSSP is access to global threat intelligence expertise and innovations, the hot topic now, and learnings from case studies," says Eledath.