Seeking more bang for the buck, cybersecurity leaders embrace services
Author: Anthony Chadd, Chief Revenue Officer, Vercara
Cybersecurity leaders are experiencing mounting pressures from all sides. Digitization initiatives propelled by the pandemic continue, yet firms are reining in costs and reducing staff amidst economic uncertainty. But as budgets and employee rosters contract, the cost of cybercrime is only expected to grow, from a predicted $8 trillion in 2023 to $10.5 trillion by 2025.
The rapid pace of digitization in recent years has dramatically altered the risk landscape for enterprises, and as cybersecurity leaders find their resources reduced, they are seeking effective solutions that make the most efficient use of their funding. For many, the search is leading to managed service providers, which can provide the technological advances, specialized expertise, and increased flexibility that organizations need. Success, however, hinges on vetting and integrating MSPs properly and following best practices across the entire partner ecosystem to mitigate risk.
Pressure from all angles
In a survey conducted by Vercara in November 2022, 35% of IT professionals were concerned about having a larger attack surface to monitor and secure as business operations have become increasingly borderless. Further, for 85% of survey respondents, hybrid work increased their reliance on third-party providers, and 78% of them believed that their organization had been left more exposed as a result.
While information security professionals expressed concerns about greater attack surfaces and risk exposure in the survey, just under half (49%) felt that they had enough budget to fully meet their existing cybersecurity needs. Worryingly, 11% could, at best, protect only their most critical assets. Additionally, 69% felt that budget constraints were limiting the use of new strategies, technology, and implementation practices.
Limited cybersecurity dollars also translate into limited staffing to address security gaps or respond to outright attacks. Already hampered by a global cybersecurity talent shortage, estimated at 3.5 million positions in 2023 according to Cybersecurity Ventures (750,000 of which were in the U.S. alone), some firms have been culling staff to get costs under control, potentially losing key talent that will be difficult to replace in the near future.
Emerging areas of concern
When organizations come under pressure to cut costs, the instinct is often to cut a percentage across the board. While such an approach may be easier to manage and communicate across departments, it doesn’t always consider the associated risks. Faced with cuts, cybersecurity teams may be forced to identify and protect the most visible and business-critical assets. While seemingly a logical step, the risk is high that this approach could overlook assets that may continue to run quietly in the background, leaving an unattended door open for bad actors.
Potential benefits to realize
Introducing services to an ecosystem may involve some risk, but if best practices are followed, the benefits are compelling. For cybersecurity leaders, considering managed security services may enable them to procure critical technologies that address a rapidly evolving threat landscape at a lower cost than what they may be able to implement internally. For instance, firms can leverage the hardware and infrastructure of an MSP without taking on a capital expense that creates an outsized budget impact.
Further, as cyber attackers adapt and advance their methods, technologies to thwart them may become obsolete. By engaging expert services, organizations can access the latest advancements rather than be tethered to outmoded solutions. And, as business priorities change, cybersecurity leaders have greater flexibility to change their methods and scale services, up or down, as needed.
Although cost is a key consideration in the current environment, it should not be the sole factor driving integration of services. Beyond cost, some MSPs can deliver value in the form of superior and ever-evolving technology, high-touch service with built-in expertise in critical subjects, and a commitment to adaptability to ensure solutions will always accommodate an organization’s requirements.
Best practices are key
Third-party service providers themselves are not immune to cyberattacks that can migrate to their customer base, which is why organizations must be committed to conducting strict due diligence before integrating any new partner. Any prospective service provider should undergo a thorough and standardized vetting process, including comprehensive risk assessment and information gathering, such as via obligatory questionnaires.
Cybersecurity leaders may also wish to fold security requirements into contractual obligations, securing the right to audit a partner and that partner's security controls on a regular cadence. Such inspections should be applied to existing partners as well, and organizations should maintain a complete catalog of all their assets and associated risks.
These best practices will help cybersecurity leaders maintain a clear picture of the state and potential risks of the entire ecosystem under their purview. Adhering to well-defined evaluation and vetting processes for all services and assets in play will enable cybersecurity professionals to stretch their resources advantageously in current challenging times and to remain good stewards over the long term.