In the "1%" of cybersecurity, enterprises have dedicated staff for each role. There is no need to task one individual with multiple jobs when a company can hire someone for each.
A large cybersecurity staff is a luxury and the titular role — a CISO — is unaffordable to some organizations. Strapped for resources, companies can either have their security practitioners wear too many hats, or outsource the responsibilities.
"There's a famous phrase in the software industry that, 'given enough eyeballs, all bugs are shallow,'" said Reed Loden, chief open source security evangelist at HackerOne. "We all face an asymmetric threat, one that is ever changing, and the most trusted companies understand that this fight cannot be won alone with just one security engineer."
Companies that leverage an internal security operations center (SOC) that works with the rest of the business, and alongside managed service providers (MSPs), have the resources to construct a healthy security posture.
"Security teams shouldn't be constrained by their walls; the best will source knowledge from anyone, anytime, anywhere," said Loden.
Where and how companies choose to fill gaps in their security organization is subjective. When hiring internally, there generally isn't a specific skill set companies can consolidate.
Cybersecurity today is complex, encompassing digital loss prevention, secure remote access management, endpoint detection and incident response. "Mainly, what I see is there's a generalized person" on whom companies want to bestow wide-sweeping expectations, said Jim Bowers, security architect at TBI Inc. It's not a sustainable model.
Most security practitioners have been that catch-all security individual at some point in their careers. "Have I been overwhelmed? Absolutely," said Bowers. "I think we're at this inflection point where the pandemic opened up eyes."
When expectations are too high
Customers expect more from their MSPs' security, a trend highlighted prior to the onset of the COVID-19 pandemic. Last year CompTIA found half of MSP respondents said the No. 1 factor in "sustaining a healthy and successful MSP market" is having a cybersecurity skill set "arsenal." The survey included responses from 400 U.S.-based businesses.
The realization made MSPs add more offerings as managed security service providers (MSSPs), which tack on features a typical MSP would go without: penetration testing, Security Information and Event Management (SIEM) software, ransomware protection, compliance audits and governance consulting, according to CompTIA.
As MSSPs take on additional security areas, 68% of business leaders say compliance is a critical area of the industry, according to CompTIA. Sixty-four percent cite risk analysis, 55% cite cybersecurity analytics, and 47% say penetration testing is a critical area.
Roles that are most challenging to find are in incident response or threat hunting "if you want any talent outside of a 4-year degree," according to Jeremy Leasher, security solutions architect at Axellio. Companies can find some support in these areas in their service level agreements with mentions of "hunting" and "threat assessments."
But MSPs and MSSPs "have the same problem that any internal SOC has, in fact, it's even worse because they don't stand inside the environment, they don't have visibility, and they don't know the business," Chris Triolo, VP at FireEye, told Cybersecurity Dive in February.
At the end of the day, the internal SOCs of MSPs or MSSPs are not part of the business of selling outsourced security services. Customers do not have closed-loop expectations with an MSP. Within the MSP SOC, there's no one to report back to regarding a false positive or meaningful escalation. The respective SOCs are separated.
Not all MSPs have in-house SOCs, and the ones that do are overwhelmed. More than one-third of IT security managers and security analysts ignore threat alerts when the queue is full, according to a survey from IDC, in partnership with FireEye. The survey, released in February, had 300 respondents in U.S.-based companies working in SOCs, and 50 MSSPs.
Customer expectations are sometimes inconsistent with the standard delivery service model the MSP has for its hundreds, if not thousands, of customers. "That puts them at a disadvantage," said Triolo.
Sweeping corporate trust of MSPs or MSSPs is also misplaced. Adversaries know reliance on these providers is at an all-time high. "Every vendor is a unique entrypoint for attack. MSSPs that require intimate knowledge and access of your systems and networks" are the perfect target, said Loden.
How to ask for help
Whether to hire internally or outsource comes down to how technology and people can complement each other, because a company's security maturity is not defined by how much it spends.
"If my software development pipeline value is $2 million and I only spend $50,000 to protect it, is that enough?" said Leasher.
More small- to medium-sized enterprises, or industries stuck on legacy systems, have readily integrated MSPs. In these cases, companies can compartmentalize how they rely on third parties.
In a hybrid SOC/MSP approach, at "level one" the MSP takes over mundane tasks, said Bowers. "Level two" use of MSPs would include having communication flows between the internal and external security teams.
"So you still want to have dedicated individuals, just outsource most of the equipment, you can really leverage those high-paid engineers to deal with the critical issues," said Bowers. And a lot of these services have moved to the cloud too. Employers then see security staff with freed up time to take on more roles.
Even though cloud-based providers are picking up part of a SOC's jobs, it's dangerous for non-technical leadership to over-rely on a vendor's security.
"I am a jack of all trades, so I can do many things. But sometimes it's hard to show management that you need to take the next step and hire more security personnel," said Loden. He recommends security practitioners document responsibilities and the resulting quantitative benefits to the business. But "it can be hard to measure what doesn't happen."
Board members consider cyber risk a "fundamental hazard to the continued existence of the enterprise," according to research from Booz Allen Hamilton. But buy-in at smaller companies is harder to come by. Startups are focused on growth before anything else, and their board members might see security or privacy as an inhibitor.
"A lot of companies never do true risk assessments and don't understand what the true risk appetite is," said Leasher. "They probably don't understand the real quantitative value of their intellectual property."
Companies are turning to "virtual CISOs" to oversee project management and security implementations, according to Gartner. "That's not to say there aren't organizations that seek to defend their lack of a leader with some shortsighted rationalizations," the research firm said. A virtual CISO provides guidance without the average $208,000 to $337,000 CISO salary attached to it.
"All this being said, adding an MSSP can supplement internal teams, but should not replace them," said Loden.