- Kathleen Richards, Information Security
The rise in attacks and persistent threats has expanded the demand for information security services, with some estimates expecting the market size to double in the next five years. Information security is getting harder to achieve as the complexity of environments and security infrastructure requires skill sets and resources many companies do not have, analysts say.
Regulatory compliance is also driving more companies to consider outsourcing security services, especially small and medium-sized businesses that may not have been drawn to outsourcing outside of cloud.
Depending on the provider, companies can "buy" hardware, software and infrastructure along with the specialists to manage these services. Some managed security service providers can also help ensure clients are up to date on the Payment Card Industry Data Security Standard, HIPAA and other standards. But strategy implementation is still up to the CISO.
One criticism of MSSPs is that despite increasing levels of specialization, most do not have industry knowledge or understand the business environment like internal staff. (This "failure to understand the business" complaint has also been hurled at many security professionals.) While market analysts forecast that outsourcing security services will continue to increase across numerous verticals, MSSPs are starting to organize their security engineers and analysts into industry-specific teams, according to Jaikumar Vijayan, who reports on the evolving role of MSSPs in this month's cover story.
"The key is putting together a set of internal and external experts so that resources are allocated appropriately to secure your business," Jeff Pollard, principal analyst at Forrester Research, told Vijayan. Going forward, more companies may embrace "expertise as a service" as CISOs seek security analytics, threat hunting and other hard-to-find skill sets.
Persistent threats have caused the U.S. government and private sector to focus on intelligence sharing in recent years, but the framework for how that will happen remains unclear. Frequent contributor Adam Rice, the CISO at defense contractor Cubic Corp., examines the shadowy business of cyber attribution, advanced persistent threat groups and the current administration. If the U.S. government is aware of nation-state hacking against industry—or potential backdoors in widely used technologies from Apple, Google, Samsung and others—what is its role in sharing this information with the private sector?
Also in this issue, contributor Alan R. Earls checks in with Annalea Ilg, the newly appointed vice president and CISO of ViaWest, to find out more about her latest role: It involves strategy and risk management of the cloud security and managed service provider as well as protection of information security services. Columnist and information security technology strategist Marcus J. Ranum catches up with cloud security veteran Chenxi Wang to talk about diversity in the industry and ways to continue to move forward.