Corporate security teams are fighting battles on two major fronts. On one side, they’re facing an onslaught of cyber threats. And on the other, they must deal with the increasing complexities of technology sprawl, as the constant need for innovation and improvements to customer experiences is making it that much harder on security teams. But because of the cybersecurity skills gap, most companies are often on the losing end. The need to address this gap has given rise to third party businesses like Managed Security Service Providers (MSSPs) and Security-as-a-Service (SECaaS).
While these two kinds of service providers effectively address the talent gap and have some similarities, they use different approaches. In this post, we’ll compare the two and help companies differentiate one from the other. This way, organizations can make more informed decisions on their security options.
Filling the Cybersecurity Skills Gap
The global damage caused by cybercrime is expected to surge to $6 trillion by 2021 making it the second largest global risk, right behind natural disasters. But the growing incidence of cybercrime itself is only half of the problem.
With a plethora of vendors now rising to meet this scourge, companies are also currently faced with a deluge of security solutions that are adding even greater complexity to already-overloaded IT departments. This doesn’t make their jobs any easier especially as IT departments now also act as de facto “security teams.” Because of all this confusion, companies are unable to optimize their security investments.
The reality is, most companies just don’t have the in-house talent to handle these challenges, nor is it easy to head hunt experts with the required level of skills. In fact, the scarcity of talent is so bad, there could be 3.5 million unfilled cybersecurity jobs by 2021.
It’s not all doom and gloom, though.
As more companies have invested in security tools, equally businesses invested in building security service offerings in the form of MSSPs. However, due to the dearth in available cyber talent, businesses have started leaning toward SECaaS, delivering actual response and remediation to found threats. From an offerings perspective, they include:
- The knowledge to configure security-focused technologies optimally (MSSP & SECaaS)
- The skills to manage and monitor these technologies (MSSP & SECaaS)
- The ability to leverage technologies to make the most accurate and effective actions to eliminate threats (SECaaS-Only)
In both instances each operates through OpEx-based models of delivery, allowing companies to have more financial flexibility, more predictable cost, and smoother cash flows. But then this is where the similarities end.
Differences in Consumption
In the MSSP model, your access to skilled personnel translates to incremental investments on your part. That’s because they’ll perform monitoring and alerts but won’t do response & remediation unless you pay extra for it.
In SECaaS, you still get access to skilled personnel who’ll do forensic investigation, incident response and remediation, but you don’t have to pay extra. This is because it’s included as part of the service and is also cheaper. Why anyone would choose the MSSP option when the value is better in SECaaS is quite puzzling.
Although MSSPs follow an OpEx model, most of them package their services in fixed or annual contracts. In other words, the financial flexibility they provide leaves much to be desired.
In SECaaS, you simply pay for what you use. If that sounds like a cloud service, it’s because, in a way, it is. SECaaS leverages the power of the cloud and uses a cloud-delivery model to provide managed security and compliance services.
Reactive vs. Proactive and the Impact on Dwell Time
As mentioned earlier, typical MSSPs simply alert you of any potential threats they may have detected. What happens next largely depends on your initiative. You can either:
- Carry out forensic investigation, incident response and remediation yourself, or
- Commission your MSSP to perform those tasks for you
- Do nothing and pray for the best
If you choose option (a), do you really have the qualifications and expertise to do these tasks effectively and accurately? If not, you would just be putting your systems in greater danger. If you entrust the job to your already swamped IT team, they could put it off to accommodate what they perceive to be more pressing issues. Before you know it, threat actors may have already gained a sufficient amount of time to complete their nefarious activities.
The same thing can happen if you choose option (b). The total time it would take for you to do the following could likewise give threat actors enough time to do some serious damage:
- Receive the alert report from your MSSP,
- Digest all the information found in the report,
- Commission them to carry out forensic investigation, incident response and remediation
This delay could also extend your time to return to operations (RTO), and in turn, have a substantial impact on disaster recovery and business continuity capabilities (which they would have to pay extra for at an upwards rate of $350 to $400 per hour).
In SECaaS, which already includes response and remediation, the dwell times are significantly lower – within less than a day. And as an even bigger bonus, uptime to get services started for your company can be deliver in 2 minutes or less through a SECaaS provider, whereas with a MSSP, protection can arrive in days, weeks, or even months and sometimes require businesses to conduct their own homework first.
Because MSSPs normally limit themselves to alerting functions, they usually lack unified visibility and control over the entire security infrastructure. This in turn limits what they can do in maintaining compliance.
SECaaS providers, on the other hand, have that unified visibility and control over security. In fact, some of them, like Armor, can secure both cloud-based and on-premise digital assets. This comprehensive capability enables them to provide audit-ready, continuous compliance; not just at a point in time.
Both managed security service and security-as-a-service providers are very effective in filling the skills gap. But while the cybersecurity skills gap is a critical issue that needs to be addressed for businesses to win their battles against cybercrime and technology sprawl, there is a better way to address it. It’s called SECaaS.
This blog was originally developed and posted on Armor.com