Why Going Alone in Cybersecurity is a Non-Starter
Are cybersecurity threats overblown or hyped up? It would be nice if that were the case. Then we’d have one less bucket of things to worry about.
Unfortunately, the headlines are not fiction. Bad actors are stealing data, inflicting pain, and damaging corporate finances and brand reputations every single day. And it appears that they will continue doing so.
In the latest KPMG Global Pulse Survey, respondents were asked whether 16 different market conditions were worsening, staying the same or improving. What looks the most bleak? “Cybersecurity threats,” with 57 percent saying the threats would get worse over the next year.
Less Talk, More Action
There is good news. That same survey indicated that, by a wide margin, respondents believe that today’s cybersecurity strategies, plans and resources are “for real” and “more action than talk.” And even more see that becoming so over the next three years.
So what kind of proactive plans and strategies are organizations making? Where are they deploying their key resources?
A lot depends on the organization, but at a high level, businesses have three options: make their own plans and defend themselves, work with outside partners and providers, or do some combination of the two.
The hybrid approach makes sense. Business leaders often want to retain control in areas such as governance, risk mitigation, architecture and public relations, but outsource the less strategic parts of a plan -- especially routine operations such as monitoring and patching, or tasks that require specialized skills.
Five Reasons to Work with an MSSP
There are other reasons why going alone in the security arena is a non-starter; or on the other hand, why working with a managed security service provider (MSSP) is a good idea. Here are five:
Human factors. Are people an IT problem? In a 2018 IDG Connect Survey conducted for NTT Communications (the company I work for), 45 percent of respondents said that “people issues” are the biggest challenge of managing in-house IT. When you consider what’s involved in hiring, training, retaining, budgeting and more, it makes sense. And finding the right security skills is becoming an even more difficult task. According to Frost and Sullivan, there will be a 1.8 million global cybersecurity worker shortage by 2020.
Technical limits. With everyday operations still dominating in-house IT, despite what may be a CIO’s best intentions, there is little time left to innovate or explore new technologies. This has security implications. Is blockchain an opportunity or a threat? In what ways? What about IoT? Or consider SD-WAN, a networking technology that connects branch sites directly to application workloads running in the cloud rather than backhauling that traffic through a central data center. Plenty of companies can sell you the technology, but how many are able to secure it? Can you?
Regulatory compliance. The EU’s General Data Protection Regulation (GDPR) drew a lot of attention last year, but new laws in Germany, Australia and China have also appeared, requiring companies to navigate a global web of cybersecurity regulations backed by financial penalties. The U.S. is also considering a national data breach law that could require breached companies to take specific actions. Going forward, government relations will include a security component that calls for a rare mix of legal, technical and operational skills.
Threat management. How do you become aware of threats in the first place unless your infrastructure, operations and even your software are regularly tested? It is hard to do all of that assessment yourself. Working with industry organizations to acquire and share threat intelligence is another best practice, but few IT shops are set up to do so effectively. And once you have identified threats and vulnerabilities, what then? Some tasks are worth delegating, such as applying security updates on a regular schedule; setting up, rehearsing and executing a disaster recovery (DR) plan; and reviewing device logs.
IT workload. It bears repeating that cybersecurity is only one of many initiatives that a full-fledged IT department may be undertaking in a given year. Other projects could range from talent acquisition to AI to research and development (R&D). And that is on top of regular IT operations. Such a workload can itself become dangerous. Being under pressure to execute a DR plan as fast as possible with limited resources, for instance, may set you up for failure, because quick-and-dirty methods typically create risk exposure and sometimes revenue loss. Offloading that task could improve security in numerous ways.
Like it or not, cybersecurity concerns are real, as we learn quarterly, if not monthly or weekly. Being realistic about threats should translate into also being aware of what you can and cannot handle on your own.
Partnering up makes sense for several reasons. A well-established MSSP is going to have a human resources advantage and knowledge base that few organizations can match; its understanding of the threat and regulatory landscape is likely to be more extensive than your own; and its ability to assume responsibility for discrete security tasks can help rebalance your workload, allowing you to press ahead with other important initiatives.