Weighing SMB Security Woes Against the Managed Security Promise
Looking strictly at the numbers, it appears small to mid-sized businesses (SMBs) are sinking under the weight of their own IT complexity. To be more efficient and competitive, SMBs are reaching for the same IT solutions that large enterprises consume: hybrid/multi-cloud solutions (61% have a multi-cloud strategy, with 35% claiming hybrid cloud use), remote work tools, and a dizzying array of platforms. But unlike the large enterprise, SMBs often have fewer dedicated information security staff to manage the increasing attack surface these systems create. As if to prove the point, attacks on the SMB are escalating: 66% experienced a cyberattack in the past year, with average incident costs on the rise. In a world where smaller business data is as monetizable as that of the large enterprise, it’s not surprising that bad actors target organizations they may reasonably assume have weaker defenses.
I think it’s safe to say the SMB is keeping pace with their larger brethren in terms of IT complexity (if not scale) but falling short in terms of the methods to keep a handle on it—and they appear to be suffering the consequences.
Are Managed Security Solutions the Answer?
While it appears many SMBs could use a lifeline, the extent to which managed security services (MSS) are that holistic answer requires a deeper analysis of the organization’s unique strengths and weaknesses. Cyber risk is not a simple problem, and solutions are not “one-size-fits-all.” On the plus side, MSS offers companies the ability to quickly augment internal capabilities with a high degree of specialized expertise, tools, and solutions they may lack, without having to take on the daily maintenance, hire from a competitive labor pool, or burden existing staff. By outsourcing these capabilities, companies can leverage teams that are highly specialized in security, enabling them to improve their security defenses in key areas at a lower overall cost as measured against the CapEx, OpEx, and time requirements of standing up the same capabilities internally. Any measure of relative costs must also include the value of mitigating cyber risk—such risks, if capitalized upon by malicious actors, carry significant costs of their own.
However, there is a wide range of managed security services out there—and most providers would happily sell them all to every prospective customer. The burden is on the SMB to fully understand whether and in what areas they need that extra support to supplement the tools, people, processes, and capabilities they already have.
Managed Security Services: Assessing for Optimal Value
Most organizations have made investments in information security tools and resources. A few outperformers (usually large enterprises) may already be at best-practice security in many areas, with dedicated staff, their own Security Operations Center and endpoint detection and response capabilities. Such enterprises may have little need to outsource security functions. Others may focus little on security and require across-the-board help. Most organizations will be somewhere in the middle. Ultimately, the goal should be to maximize the use of the investments already made and augment staff with MSS only where you can get the most strategic value for the expenditure.
To begin, organizations should consider executing a security risk assessment, preferably against a security framework such as the NIST Cybersecurity Framework (CSF) or another, potentially required, industry-specific framework (HITRUST would be an example in the healthcare sector). These can be conducted in house or via third-party assessment firms. The output should enable the organization to take an in-depth look at its people, processes, and technology and get a realistic view of where its gaps lie. This up-front work should help isolate areas where MSS would be of great value, and it may identify areas where a few investments may be enough to build internal capabilities sufficiently to manage in house.
At the end of the day, businesses must ensure they have enough resources to do everything from basic blocking and tackling on security (routine, repetitive, time-consuming tasks such as log monitoring, patching, and sorting through alerts) to incident readiness and response and security for endpoints, cloud, and Software as a Service (SaaS), among others. Because the SMB is indeed getting vastly more complex and difficult to defend, this span of specialized security requirements is where gaps will often lie, in obvious pockets of both tools and people, and those gaps point directly to where MSS can potentially provide a lifeline.
Managed Security Services for the SMB: The Net-Net
There is no across-the-board answer for whether MSS is right for every SMB and which services offer the most value. Yet applied strategically, MSS can greatly help SMBs bridge the divide between their growing complexity (and associated security vulnerabilities) and that elusive utopia called “Best-Practice Security.” MSS providers do nothing but security and can help address the cybersecurity skills shortage. But to find the right services that complement specific resource gaps, enterprises should first fully assess their own current security state to find out where MSS will add the most value.
About the author: Sam Rubin is a Vice President at The Crypsis Group, where he leads the firm’s Managed Security Services business, assists clients, and develops the firm’s business expansion strategies.