As security staff gets increasingly overwhelmed preparing for compliance audits and managing security incidents, B2B companies have started to ask about outsourcing managed security services.
A recent report from analyst firm IDC found that Canadian organizations will become more reliant on third-party SaaS and managed security services by 2019. And Canadian chief information security officers (CISOs) will progressively outsource IT security services.
Also according to IDC, 61 percent of security professionals cite ensuring around-the-clock staffing as the main reason for outsourcing, while 39 percent say security is not core to their business.
CISOs in Canada are coming to the realization that data breaches are not a matter of if, but when, says Colin McKinty, vice president, cyber security strategy, Americas, BAE Systems Applied Intelligence. “The most specific change for CISOs is they now operate on the assumption that they are being hacked. As a result, we see them increasingly turn to advanced behavioral analysis solutions that detect unknown anomalous activities, such as servers communicating with each other that never communicated before or exchanges of information with outside sites that have never appeared before.”
With such incidents rising and no end in sight, where can B2B firms go for help?
Cyber threats know no boundaries
Regardless of nationality, CISOs all face new classes of online and cyber threats, arising from sophisticated teams of hackers and illicit marketers. Cybercrime has become organized crime, experts say.
“And it is a global business,” says Greg Mancusi-Ungaro, chief marketing officer, BrandProtect, a Toronto-based company that specializes in cyber threat intelligence and brand protection. “Government regulators in Canada, the U.S. and Europe have started to address cyber threats and risks across many industries with increasing levels of guidance and requirements.”
The threat environment is evolving so quickly that it is almost impossible for security teams to keep up, according to Mancusi-Ungaro. “That is where managed security services offerings become essential,” he says. “Managed security services providers can invest in acquiring the needed expertise, technology, relationships and business methodology to meet the security requirements of their customers.”
A strong partnership with a managed security services provider adds trained, experienced cyber threat specialists to a firm’s existing security team.
Choosing the proper security framework
With more standards and protocols than virtually any other industry, selecting the most appropriate framework remains among the most important decisions a B2B professional can make regarding security. This must go hand-in-hand with the compliance regimes a B2B company encounters in its specific vertical.
Choose the security framework—ISO, NIST CSF, PCI DSS—that is best suited for your organization based on industry, regulatory requirements and contractual agreements, advises Luke Klink, senior security adviser, Rook Security, a managed security services provider. “Baseline your current controls against the chosen framework and develop a plan for improvement. Define the process to test each control for its design and effectiveness.”
Other experts say that B2B professionals must first understand security standards. That often means standards must be written at a level that everyone in the organization can comprehend, according to Dan Hoban, business development director, Nuspire Networks, an MSSP specializing in network security management.
“The most successful standards programs start with writing a document for all to understand, not just the IT department,” Hoban says. “To ensure everyone embraces security standards, generate security process and training—make sure that becomes habit, not just a document. If everyone in the organization can adapt to security processes—password policies, information sharing practices, etc.—standards are more easily adopted.”
Also, a B2B security practitioner must maintain documentary evidence and work plans in a centralized location to be referenced as needed, according to Klink. Following this approach will help drive a robust security program and simplify the audit process, he says.
Choose the right personnel and tools
In the B2B sphere, cyber threats continue to spread and multiply. With the advent of new technologies like SDN and drones, the importance of finding the right personnel and the correct tools for security mitigation can hardly be overstated.
“There is a serious shortage of qualified security personnel who are capable of understanding what tools to use, how to assemble them into a security program and how to provide the kind of security outcomes companies are looking for,” says Kurt Hagerman, CISO, Armor Defense, a managed security services provider. “Contributing to this is the fact that the market is flooded with an overwhelming number of security tools, many of which overlap and claim to solve all problems.”
In this situation, B2B companies may find it impractical to do security themselves, and they might perceive that a single security vendor can bring simplicity to the process. In that case it is necessary to create a protection hierarchy.
“Prioritize vendors who can contribute multiple technology pillars; vendors who enable orchestration of your defense should be at the top of your list,” says Someshwar Chidurala, digital marketing analyst, Orchestrate Technologies, a business process management organization. “To offer exceptional value, agree on a security provider who develops and delivers solutions according to the organization’s business model. Without this critical information the solution would be just a sale.”
Alternative to recruiting
These types of problems form the very raison d’être of managed security services providers (MSSPs). B2B companies went into business to conduct business—not to provide a proving ground for computer breach remedies. They need a solution that offers options, according to experts.
“The flexibility that comes with MSSPs is another undeniable advantage for organizations,” says Simon Talbot, analyst, Proactive Risk Management, a risk management and security solutions firm. “With MSSPs, there is no more need to recruit, hire, train and manage resources internally to take care of security and incident management functions. This flexibility also means that the level of service and number of resources can easily be adapted and updated according to the needs of the organization.”
B2B companies can outsource not only managed security services but also the CISO function itself. At least that’s the premise of one solution provider.
“The problem with many companies is that they don’t have the need or ability to pay for a full-time security professional, so they let their network admins or developers do security part time,” says Shane MacDougall, principal partner, Tactical Intelligence Inc., a provider of actionable intelligence for cyber security. “That becomes problematic because security is a niche specialty, and it’s not really something you can pick up on the side, and companies are learning that the hard way.”
Hence the new approach of outsourcing CISO services on an as-needed basis, which is starting to pick up speed, according to MacDougall.
“In the past six months we’ve seen a dramatic uptick in queries about providing virtual CISO services. It used to be a couple of queries from across Canada every year, but in the past months that’s gone to several a month.”
It seems to go in spurts with every new publicized network hack. That’s when B2B management teams realize they have no one on board to secure their customer data and need to virtualize the role, according to MacDougall.
This lets even the smallest B2B startup have protection on the scale of a Fortune 500 company for a fraction of the cost, according to J. Colin Petersen, president and CEO, J – I.T. Outsource, a provider of managed IT services for businesses.