It’s never been more dangerous to be connected to and do business on the internet. Cyber-attacks are at an all time high, businesses are constantly being breached and vulnerable data has never been worth more on the black market.
It’s really not a matter of IF you’ll be attacked but WHEN you’ll be attacked. We don’t like to run around screaming “the sky is falling,” but it’s hard to avoid the truth.
Sooner or later someone WILL try to break into your IT environment.
The problem isn’t that these attacks can’t be stopped, its that there isn’t always someone in an organization there to stop them. Why’s that, you ask? It's pretty simple actually. In-house information security is expensive, information security best practices and defensive measures are hard to keep up to date with and unfortunately… information security needs can be easily overlooked.
Look at what happened when Sony Pictures was hacked in 2014. It was reported by Fortune Magazine that when they were invited to visit the Sony back-lot, Norse Corp, a threat hunting firm/managed security services provider based in Silicon Valley found the Information Security Office to be a ghost town.
Sony Pictures, a subsidiary of one of the biggest, most profitable corporations on the planet had left themselves completely exposed. It wasn’t that they couldn’t stop the malware that infected their network it was that they were woefully unprepared and way too understaffed to protect themselves.
We’ll never really know the reasoning behind WHY Sony decided information security wasn’t a priority for them (It wasn’t discussed in any of the leaked emails that hit the web). We do have a pretty good idea though: the cost of having an in-house, full fledged Information Security team was probably deemed cost prohibitive and they thought they'd get by with what they already had.
(By the way, the damage done by that attack was estimated to cost Sony about $35 million)*
So why is in-house information security so cost-prohibitive? Like any precious resource (and information security is definitely a precious resource) its cost depends on supply and demand. The less InfoSec professionals there are out in the wild the higher the cost is to bring one (or more) on-board.
On average an Information Security professional brings in between $60,000 and $160,000 a year. But even with fairly healthy salaries, the turnover rate is through the roof and not because of ineptitude.
According to Info Security Magazine, 46% of the professionals they polled said that they’d been approached by recruiters to leave their current position because of a more lucrative offer.
If you’ve been in the position where you’ve needed to hire, fire or train an individual you know how stressful it can be. Imagine that happening every six to 12 months in order to fill the same position over and over again. That costs time and money.
So what exactly does a Managed Security Service Provider (MSSP) bring to the table? Three things: Experience, Availability and Cost Savings.
We talked earlier about how hard it can be to keep qualified InfoSec personal on staff. One of the benefits of doing business with an MSSP is they bring their own workforce.
An MSSP can provide not only a host of security services (like intrusion detection and prevention, incident management, managed vulnerability and identity and access solutions), they also provide a level of experience in handling those things that an in-house department might not have.
A MSSP sees problems like DDoS attacks, malware infestations and phishing scams every day. An in-house InfoSec staff member might only see something like that every few months. Repetition of rote tasks lends itself to a more prepared and experienced team of professionals, one of the key benefits of working with an MSSP.
Believe it or not, cyber-attacker’s don’t keep the same schedules you do. They don’t set an alarm to make sure they attack you and your sensitive systems when you’re best prepared to defend them. A cyber-attack can happen at any time, day or night, on a week day or on a weekend.
The problem here is your IT team might not be as flexible as an attacker. A responsible MSSP knows that the bad hombres out there on the web have no set schedule and plan accordingly. With an MSSP you’re protected around the clock, 24x7, not just 9 to 5.
Revolutionary technology allows us to watch your environment like a hawk while you focus on running your business or enjoying downtime with family and friends. You’re covered.
We’ve talked a bit about cost before and how it’s a deterrent to information security. Thankfully an MSSP really can bring that cost down and here’s why: InfoSec is a full time job.
InfoSec, GOOD InfoSec is proactive and time consuming (see Availability) and to do it properly you need to know what you’re doing (see Experience). Seeing as we’ve covered that you might be wondering where we’re going. We understand, as I’m sure you do, experience and availability cost money.
That’s where an MSSP really shines. We know we’re good at what we do. We know we're available to help at the drop of a hat too. Our customers are happy with the services we provide and we like that our customers are happy. The key word there is “customers.”
An MSSP is able to aggregate costs over a customer base (if they’re good at what they do) instead of relying on a set budget or single revenue stream. To do adequate InfoSec work you're looking at a team of two to three dedicated professionals. If you're providing them internally you could be stuck with an annual combined salary of up to $240,000. If that’s something you’re comfortable with, that’s great. Not many people are. A good MSSP can help you avoid costs like that.
So to go over it again, a good MSSP provides you with three things: Experience, Availability and Cost Savings.
If you're considering bringing an MSSP on to work with your business and keep your information systems safe you've probably done some research, and we encourage that. It's not an easy decision to make or take lightly.
*It's a good thing everybody in Hollywood learned from that Sony hack, right HBO? 🙄