The cybersecurity labor market is suffering a severe workforce shortage. By 2019, the demand for talent is estimated to be about 6 million jobs, with a projected shortfall of at least 1.5 million skilled workers, according to Symantec's CEO Michael Brown.
In July 2015, the U.S. State of Cybercrime report from PwC, CSO, the CERT division of the Software Engineering Institute at Carnegie Mellon University and U.S. Secret Service showed that 79 percent of the 500 U.S. executives, security experts and others in both the public and private sector say they detected a security incident over the past 12 months. Raytheon and the National Cybersecurity Alliance found in their 2015 study Securing our Future: Closing the Cyber Talent Gap that education is not keeping up with the growing demand -- of the nearly 4,000 young people, aged 18-26 surveyed, 67 percent of men and 77 percent of women said no guidance counselor, secondary education teacher or career counselor mentioned the possibility of cybersecurity as a career
This doesn't bode well for companies looking to secure themselves and their customers data and information now and in the future. But there's another option -- a managed security services provider (MSSP) can cost-effectively and safely secure physical hardware, networks, data and information. It's a viable option for many businesses that can't find or can't afford to keep cybersecurity talent on the payroll, says David Barton, CISO at Forcepoint.
"With the worldwide shortage of qualified IT security candidates, using a reputable MSSP to help augment internal teams is a very good approach. Most MSSPs employ highly qualified and skilled talent who are able to manage and protect their customers' data," Barton says.
An MSSP can cover all the security bases for a company: Firewalls, intrusion detection and intrusion prevention solutions, security event and incident management, managed vulnerability and identity management solutions -- even first-level incident response. It can be difficult, especially in such a severe talent shortage, for companies to find talent to secure each vulnerable area, much less all three.
The issues of compatibility and integration are also front of mind for IT leaders, because with so many devices and tools, complexity quickly becomes an issue. That's one of the biggest problems an MSSP can help solve, says Mark Stevens, senior vice president of global services at Digital Guardian.
"There are so many tools for each threat vector -- firewalls, data loss prevention, intrusion prevention, an actual breach, malware, viruses, DDoS -- so, OK, maybe you go find someone, and you train them on all these tools you have, but that takes time. Suddenly, all the threats have changed, or maybe certain tools don't work with each other. The complexity becomes a real problem," Stevens says.
Another problem: turnover.
'Our critical tool has left the building'
Finding, hiring and training a cybersecurity professional is exhausting and expensive, and because these professionals in such high demand and can command incredible salaries, they can leave you in the lurch if they get a better offer at another company, Stevens says.
"If the person you hired six months ago gets a better offer and leaves, then you're really in trouble. Companies do not want to spend all that time and money hiring and training someone on a multimillion-dollar tool only to have them leave. It takes trained experts to understand not only the technology, but the human aspect of this, and we've found that the only way to do this at scale, efficiently and cost-effectively is through offering it as a managed service," Stevens says.
MSSPs as a differentiator
The MSSP model can also be a competitive differentiator for companies that can point to their MSSP as proof that they're actively involved in security best practices with specialists, says Stevens. It also means threats can often be addressed before clients even know an incident is happening.
"Because we're working with economies of scale, if we see a breach, or we see a new piece of malware coming out that's directed at one client, we can extrapolate to other similar clients and go ahead and patch or further secure them before they even know or realize it could be a threat. I can quickly apply that same fix across 90 customers at once; it's really proactive," Stevens says.
Small business security
It's much more cost-effective, too, especially for smaller organizations that might not have the budget for high-priced security talent or expensive on-premise tools, Stevens says, not to mention that attacks that are simply a nuisance for large enterprise networks can be downright crippling for SMBs or startups.
"Untrained or unprepared companies that are smaller and on a tighter budget are especially vulnerable. What's nuisanceware for a major enterprise can be really debilitating for SMBs -- we saw it with variants of Cryptolocker. But because we could see it happen across our client networks, we took care of it for everyone. That kind of scale is something you can't get from an individual practitioner," Stevens says.
Smaller, tier 2 and tier 3 network providers are especially vulnerable to attacks; much more so than their larger competition, says Dave Larson, COO, Corero Network Security.
"The floods, the inbound traffic that's not necessarily causing a breach and might be brushed off as an annoyance by larger enterprises -- that's devastating for smaller companies. That can push them completely out of business," Larson says. But an MSSP model is a great option for companies for which individual security talent is out of reach because of time, vulnerability profile or budget concerns, he says.
"It's just a better use of resources. Companies should focus on what they do best. Focus on where you know you can win and while security's essential to your business, it's so often not your only business -- that's why we make it ours," says Stevens.