By Alexander Moiseev
Outsourcing is a global trend and cybersecurity is no exception. According to Gartner, the managed security service market grew by 6.7% in 2018, reaching $10.7 billion in revenue and is expected to grow further. Both service providers and vendors contribute to this market by offering their customers expertise, intelligence or solutions as a service.
We also work in this way at Kaspersky. The development of our services has already been one of the company’s strategic priorities for several years. Just recently we announced new services that deliver intelligence about vulnerabilities and threats to businesses.
In my everyday life, and I bet the same is similar for many people nowadays, using different services is on par with eating breakfast – it is something we simply take for granted. Taxi services, food delivery, housekeeping, buying gifts, organising sport training sessions or trip planning – all of this can be outsourced.
Advantages of outsourcing can also cover many business needs. But holistically, they are all implemented to overcome three major challenges – lack of internal expertise, poor budget planning and control.
Outsource to afford more
Many services can provide us with more than we could otherwise afford. For example, to eat different meals with a variety of ingredients every day, a person needs to spend a lot of money and time buying exclusive products or going to expensive restaurants. Instead, there are food delivery services available that provide new dishes each day in accordance with the customers’ tastes and for a better price. With car sharing, anyone can drive an executive class of car, even if he or she cannot afford to buy their own.
IT services work the same way for businesses. Suppose a company needs to expand its data center. This company will have to buy servers, find more space in the data center and spend time on deployment. Alternatively, it can purchase workloads in the public cloud and save money it would have otherwise wasted with on-premise infrastructure. Another example is a security operation center for advanced cyber-protection. Building an internal SOC demands investment in personnel, processes, detection and response technologies. Alternatively, managed service providers and vendors offer SOC as a service with a dedicated team of experts, protection solutions and threat intelligence.
Outsource to get expertise
One of the problem areas for companies is the lack of internal expertise. One in three CISOs (70%), for example, say that it is difficult for the company to find experienced cybersecurity professionals, according to the 2019 Kaspersky report titled “Cybersecurity through the CISO’s eyes: Perspectives on a role”. In our everyday lives, we often approach dedicated experts when we don’t know how to do things – from fixing something at home to solving personal legal and financial issues. This approach should work the same way in business.
Mid-level employees, who bear the brunt of cybersecurity tasks, are in fact a key element in IT security decision-making. It is they who assess protection demands and recommend what solution is needed. To do this properly, there should be several experts, just like there would be in a medical council, to work together to find the best solution.
Now imagine that the company does not have enough employees and they are overloaded. Or they do not have enough skills in some areas, like cloud computing or IoT security, to work effectively. Outsourcing can be a way out. Service providers accumulate cybersecurity expertise and are focused on the quality of services, because their revenue depends on their customer satisfaction rating. The service market has become very competitive. According to Ami Partners’ evaluation, the number of MSPs is expected to almost double – from 48,000 in 2016 to 74,000 in 2021. This means providers’ knowledge and reputation needs to maintain a high level to keep clients.
Enterprise-level companies already take this proven path; at least half of the CISOs (55%) we interviewed confirmed that they solve the personnel problem with the help of outsourcing. For SMBs, this should work even better, because they are often even more limited in human resources for IT security.
Outsource to keep budgets under control
Another big benefit of cybersecurity outsourcing is facilitating necessary, but very important, resource planning. This can work for companies that, for example, struggle to define exact costs because they have not yet developed a budget planning process for IT and IT security.
By purchasing cyber-protection for endpoints as a service, an IT security administrator knows exactly what they will receive, how much it costs and how long the service deployment will take. This is the key advantage of outsourcing – transparency and clarity, predictable results and a predetermined cost.
Another outsourcing scenario is when an organisation needs to cut its IT security budget. A company needs to maintain its current level of protection, so the budget should be split wisely. Managers should clearly understand how much they spent and what they receive for the price they are paying.
Are businesses ready for these opportunities?
I’ve got an interesting insight that today, despite the benefits described above, cybersecurity outsourcing in some cases is considered by companies as an option during difficult times, for example, when budgets are limited. On the contrary, companies with growing IT investments strive to increase internal expertise and solve security problems internally. Perhaps they still feel uncertainty towards service providers, or they think that internal resources are easier to control.
At the same time, within our channel, we already observe that the managed service market is moving towards the development of narrowly targeted services. Providers are honing their expertise and the level of provided services. If companies develop such narrow expertise internally, it will most likely be unprofitable. Therefore, we will probably soon see the opposite situation occurring, where the more a company invests in cybersecurity, the higher the specialised and effective services it consumes from the outside.
(Alexander Moiseev is the Chief Business Officer at Kaspersky).