Security is essentially a cat and mouse game between the lock maker and the lock picker. When you install a new lock on your front door, you gain the feeling of security. But the new lock presents a new game or a challenge for the lock picker. Eventually he will achieve the capability of breaking the new lock and then you must upgrade to a better lock.
Sony Pictures Entertainment Inc. is usually known for its movies, but recently it made headlines everywhere for a major security breach on its premises. On 24th November, hackers were able to break into the IT systems at Sony and expose critical corporate information that included budgets, layoffs, Social Security Numbers (SSNs) and passwords.
Allegations have been flying that the hackers were working on behalf of North Korea, which has denounced Sony’s upcoming movie “The Interview.” In the movie, Seth Rogen and James Franco play TV journalists who become embroiled in a plot to assassinate North Korean leader Kim Jong-Un.
This hacking of Sony’s IT systems illustrates once again that even the most prominent companies in the world are not safe from cyber attacks. Large retail chains, banks, government organisations, and even movie production houses are being targeted on a regular basis. Due to the increasing frequency of attacks, the cost of business is rising.
The attack on Sony’s systems underscores the need for organisations to have an extra protection layer in networks where important information is being stored. Jay Heiser, analyst at research firm Gartner, says, “A key problem is making too much data available on one network. Companies today often push for integrated environments, making data available for use by many people on many systems.”
Building base for MSS
Firms too are gearing up to tackle the rising threat. Organisations continue to spend a significant amount on security defences. According to PwC, organisations are, on average, spending about 8% of their IT budgets on security.
Usually, the budget varies from company to company, and is often linked to the size of the organisation and the kind of work that it is doing. Gartner is of the view that the information security budgets should be around 8-10% of the total IT budget. It is also generally acknowledged that the companies located in Asian countries face more risks as their IT budgets are often inadequate.
Thomson Thomas, Senior Vice President - Business Systems & Technology, HDFC Life, explains, “Organisations are investing more on information security. BFSI and small businesses with a turnover of less than $10 million or businesses located in rapid-growth markets report the highest increases as a percentage of their budgets. Although budgets are on the rise, information security functions continue to feel that budget constraints are their biggest obstacle to delivering value to the business. CIOs/CISOs need to do a better job of articulating and demonstrating the value of investments in security.”
On the question of the IT budget spent on security, Ajay Srivastava, Head IT, Spice Retail (Handset Business), has a different view. He says that only about 2-4% of the total IT budget is spent on security.
Managed security market
After the latest attack on Sony Pictures, CISOs are forced to rethink their security policy. According to a report by Symantec on Internet Security, large enterprises in India face up to 69% of the overall targeted attacks. There is a rising need for sophisticated managed services that significantly reduce the time it takes to detect, prioritise and respond to security incidents by integrating endpoint security with third-party network security vendors’ products.
Hence, managed security is the answer to today’s sophisticated threats. Managed Security Services represent the around-the-clock remote management or monitoring of IT security functions delivered via remote security operations centers (SOCs). According to Managed Security Services Market Forecast & Opportunities, 2019, the Managed Security Services (MSS) market in India is estimated to be around $251 million in 2014.
Analyst firm PricewaterhouseCoopers (PwC), on the other hand, estimates the global Managed Security market to be around $10 billion. Says Sivarama Krishnan, Executive Director, PwC India, “We expect the MSS market to grow aggressively in the coming 4-5 years and swell up to $30-35 billion in the future. The market in India is currently estimated at $300 million. This is expected to grow to $1 billion in the coming five years.”
Vaidyanathan R Iyer, Leader, IBM Security Solutions, IBM India, estimates that the market in this segment will grow at 30-40% annually, since a lot of organisations are taking to cloud and security is their top priority.
Managed security versus on-premise security
Although most organisations outsource core IT functions like email and payment processing, IT security remains largely an in-house activity. Concern over allowing third parties access to sensitive data or systems is often the primary issue.
Says Iyer of IBM, “IT security entirely depends on the business requirements of the organisation. Certain critical areas in an organisation will have in-house security for data which they will not want to expose according to their business model and legal framework. Businesses which scale-up will know which kind of service to outsource to a single vendor. So, organisations these days have both in-house security and managed security services. The better option would be according to the business requirement of an organisation.”
Security-as-a-Service (SaaS) offers a number of advantages over on-premise security. Firstly, SaaS allows an enterprise to customise and choose the right hardware and software solutions, which, coupled with expert oversight, can help achieve reliable security without compromising performance and functionality. Secondly, SaaS helps reduce not only capital cost but also the per-user operating expenditure. It also offers flexible pricing models, which can result in substantial cost savings for enterprises.
Thirdly, the quick deployment of security services and the ability to scale operations at short notice give SaaS unmatched advantages over on-premise security. Lastly, defending against advanced persistent threats (APTs) requires a lot of technical expertise, which is difficult to find, more so in an on-premise security model. Managed security services have the upper hand in this respect and can better manage APTs throughout their lifecycle.
It is therefore important to note that initial fears of outsourcing are quickly outweighed by the benefits of cost reduction and service enhancements once they are fully understood. It is clear that there is a major shift towards acceptance of managed security services by organisations of all sizes, across a multitude of industry sectors.
Factors driving MSS market
The financial services sector, along with the technology and telecommunications sectors, continues to be the key driver behind the growth of the Managed Security market. However, with the rising number of security incidents and increasing automation in the industrial sector, we can expect other sectors to contribute significantly to the growth.
“Increasing complexity, diversification of information security risks (adoption of BYOD and cloud based models, etc.) and difficulty in recruiting and retaining skilled resources is leading to the growth of the managed security services market in the country. Several enterprises are also challenged on account of the costs of running an in-house security shop,” explains Krishnan of PwC.
Talking about factors that are driving the growth and adoption of Managed Security Service, Tarun Kaura, Director – Technology Sales, India, Symantec, says, “Organisations identify security as a core requirement; however, they do not have the core competency to manage it and hence they are keen to adopt MSS. Secondly, managed security services replace lack of security experts, expensive niche talent acquisition and already over-burdened security staff.”
Organisations also need to develop a repeatable process for identifying security incidents and analysing the vast amounts of information created by security products. Doing so helps them understand how customised, volatile and sophisticated threats drive the need for managed security services.
Challenges in migrating to MSS
Challenges depend on the Service Level Agreements (SLAs) of the company. Companies might retain a few of the services and outsource other services to a managed service provider. For example, a pharmaceutical company or a manufacturing company may not outsource its design security system, as it is a part of its core Information Technology system.
“Defining an SLA is the most important thing. There are a lot of things that companies should consider while deciding to migrate to managed security service, like compartmentalising your SLA, what is the kind of security being managed by the service providers, where is the service provider located,” says Iyer.
One has to understand that the quality of the SLA is often a deciding factor in winning and retaining customers. However, it is important not to confuse an SLA with a service contract.
Nevertheless, a major deterrent to the adoption of SaaS is limited risk tolerance. Although enterprises today have acknowledged the presence of an ‘alternative’ to traditional security operations, their risk-averse nature prevents them from adopting managed security services. The prospect of confidential data moving to/from SaaS providers seems to overwhelm enterprises.
Moving to a shared security model, with some aspects of security managed on premise and some aspects outsourced, will be the way to tackle the changing threat landscape.
Selecting MSS vendor
An interesting trend that is fast emerging in this sector is that even though the majority of the emerging managed security services are offered by large single-source providers, many small and medium businesses prefer to outsource their IT processes to trusted third parties, which are relatively small players. Explaining this trend, Krishnan of PwC says, “Large single source service providers provide a reliable alternative to on premise security, but charge a slightly higher premium on services. As a result of this, small and medium businesses look at smaller (but trusted) third parties to manage security.”
“As stated earlier, the movement of confidential data to/from the service provider is a major deterrent, which is why smaller third parties have been able to attract more business comparatively,” he adds.
Kaura of Symantec is of the view that Managed Security Services consist of around-the-clock remote management or monitoring of IT security functions delivered via remote security operations centers (SOCs). For services like these, an enterprise would have to look for a single-source provider, as opposed to multiple third parties, that can provide broader support covering multiple technologies and has documented standards and policies for handling both typical and atypical operations and threats.
“While choosing a single service provider, enterprises should consider a provider with multiple security operations centres from which they can globally monitor and manage security issues across their client base. In today’s business environment, these centers must be running 24x7x365. Also the technology used to analyse and correlate data collected from multiple devices should support rapid response while ensuring the scalability to support an ever-increasing number of managed devices,” Kaura adds.
What are the companies looking for?
Some organisations may like to save costs by hiring a small MSS vendor, while others would prefer to go with the brand. Though there is no concrete analysis of the threat that an organisation may expose itself to if it goes with a particular type of vendor, it is advisable that companies opt for vendors who have a good track record in the industry.
Companies are looking at managed security for scalability, flexibility etc., and they will start outsourcing their non-core functions to MSS, though it will take some time for the core functions to get outsourced. There are large companies like IBM that have themselves taken responsibility for the entire managed service because of their service credibility in the market. There are smaller players too, but customers will not outsource their core IT immediately.
“Managed service will co-exist with hosted security for some time more. I don’t think hosted security will disappear so soon. But more and more services will go towards managed services,” asserts Iyer.