It’s taken a while but Canadian CISOs are increasingly outsourcing elements of IT protection to managed security service providers (MSSPs).
The logic is inevitable: Faced with attackers who are well funded — sometimes by nation states — while their own budgets are constrained, and with no assurance that any combination of defences will set up an impenetrable wall, infosec pros need help.
In fact, a recent IDC Canada survey of 178 security professionals noted 61 per cent said the biggest reason they chose an MSSP is because the provider can offer staff round the clock.
The second biggest reason is that security isn’t core to the business (39 per cent), while 37 per cent cited “staff knowledge of security threats,” and one-third admitted they don’t have the needed technology.
The cost of providing the best security was only cited by 27 per cent of respondents.
Mark McArdle, chief technology officer at eSentire, a Cambridge, Ont.-based MSSP with offices in the U.S. and Europe, noted in an interview that regulators are also increasing pressure on CISOs to improve security. Last year, he noted, the U.S. Securities and Exchange Commission (SEC) circulated a 28-question survey to 50 publicly-traded financial institutions asking how they handle risk management.
Filling out the questionnaire isn’t mandatory for other firms, but since then McArdle has seen a number of customers how they’d answer the survey.
So MSSPs, who offer a wide range of services from merely monitoring data flows to taking complete control over security, are becoming the best friends of some CISOs.
There is also a wide range of providers, including telcos, leading IT technology companies and their channel partners, pure plays and startups.
A recent IDC Canada survey identified 12 of the biggest: Four of them are what it calls market leaders based on the breadth of their offerings – telcos Telus Corp. and BCE Inc.’s Bell Canada; consulting firm CGI; and vendor IBM Canada.
The other eight are what it calls major players, including Dell Canada, Toronto-based Herjavec Group, Vancouver’s IPS Inc., Above Security (which in December bought Dallas-based Securis), eSentire, Manitoba Telecom’s Allstream division, the Canadian division of India’s Wipro Ltd., and integrator Scalar Decisions Inc.
There are many other smaller providers who may offer services equal to these. However, experts warn that, as with any service provider, CISOs have to ensure outsourcers can offer service level agreements, key performance indicators and reference customers to make the most of their investment.
Focusing on log reporting won’t help real-time response, cautions McArdle. A useful service has to manage threats, not logs.
For some customers, ownership is important. John Proctor, vice-president of global cyber security at CGI, noted that since the revelations of the reach of U.S. intelligence and law enforcement agencies, his firm is seeing business from organizations that want a provider based here.
Not surprisingly, because Canada is largely a nation of medium-sized organizations, these are the “sweet spot” being targeted by MSSPs, report co-author Kevin Lonergan, an IDC Canada infrastructure solutions analyst, said in an interview.
However, Michael Argast, director of sales engineering and enablement at Telus Security Solutions, noted that “even large enterprises realize that information security is complex and specialized enough that it’s hard to do well with their internal staff.”
Typically, Argast said, Telus customers are outsourcing vulnerability management and security information and event management (SIEM) solutions. There’s also interest in identity management because organizations are increasingly going across multiple public and private clouds.
Steven Leo, IBM Canada’s business unit executive for security services, said many of its customers are looking for almost turnkey solutions, having already made a substantial investment in their networks. So often they outsource the day-to-day oversight of security monitoring and management, while keeping control of threat assessment.
While Canadian organizations generally subscribe to traditional services such as hosted email and Web security, managing firewalls, IPS/IDS and unified threat management devices, Leo said, there’s also demand for SIEM solutions to give IT greater visibility into what’s going on in the network.
At CGI, Proctor reports that network monitoring and incident response as a service are “flying off the shelf.”
But IDC’s Lonergan says leading companies are increasingly investing in threat intelligence services as a way of going beyond monitoring and adding value for customers.
For example, McArdle said eSentire will shortly launch a service called Targeted Retrospective Analysis Platform (TRAP) that will apply threat intelligence to the customer network traffic his company records.
It will allow eSentire to re-evaluate threat risks — for example, between the time a vendor issues a software patch and an organization applies the fix. Pricing has yet to be announced.
Giovanni Sansalone, Bell’s director of product management for security, said in an interview the company is putting the finishing touches on a cyber threat intelligence platform whose output will both be added to its managed services and sold as a special service.
Bell plans to have it on the market by the end of the year.
Telus, Argast said, already offers an Intelligence Analysis service which layers on top of an organization’s SIEM to provide actionable intelligence from the dark Web.
“In the next few years what will really show who’s in the lead will be the next generation of threat intelligence platforms,” says Lonergan. “It’s really early, everyone’s playing with them… that will be the differentiator three to five years from now.”
While turning to an MSSP solves a number of problems, it also highlights the fact that Canadian organizations still admit the majority of their employees receive little to no security training, he added.
In that sense, buying security as a service “alleviates a lot of stress from the IT staff in general,” Lonergan said. It makes things more secure and makes the overall IT budget go further.
After all, he pointed out, security is “the hardest thing to keep up with, and one slip-up and obviously it’s a really big problem.”