Companies looking to fend off cybercriminals are turning to third-party firms to help thwart an expanding network of threat actors.
Cybersecurity spending, which encompasses services and products, is expected to grow by 10% to 15% over the next 12 to 18 months, but product spending over the same period will decline 10% to 15%, said Doug Saylors, a partner at research and advisory firm ISG.
The overall increase reflects growth in the services component of cybersecurity budgets, ISG said.
ISG attributes this to an evolving threat environment and digital transformation initiatives that many companies undertook during the pandemic.
Amid economic uncertainty, companies are seeking more efficient ways to manage technology spending, particularly on cybersecurity. Managed service providers help fill talent gaps and manage costs, but that strategy may require additional layers of risk mitigation as the threat environment evolves.
“[Companies] have a large partner ecosystem, which expands your attack surface and makes the skill sets that you need to protect your overall attack service to be significantly larger,” said Saylors. “That's driving organizations to look to managed security service providers to fill that void.”
Cybersecurity services grow amid budget pressures
Despite a belt-tightening across technology expenditures – overall IT expenditures are forecast to increase 0.8% in 2022, according to Gartner – spending on IT services is expected to increase 4.8% this year.
Looking to 2023, spending on IT services is expected to reach 7.9%, as overall IT spending will creep up to 5.1% this year.
Managed-service providers concur that demand for cybersecurity services is growing. Santha Subramoni, global head of the cybersecurity business unit at Tata Consultancy Services, said cybersecurity business units are often exempt from broader budget reductions because of increased requirements.
“Cybersecurity is actually getting special treatment in these recessionary times because of the increased threat perception,” she said, noting that TCS’ revenue from cyber services has increased more than 35% and its cybersecurity services customer base has grown 30% over the past year.
The increase in demand for cybersecurity services, said Subramoni, stems from an amplification of threats emanating from remote and hybrid work situations and pressure from governments to standardize enterprise security approaches.
“The digital footprint of our customers has increased exponentially,” she said. “It's not just the front production environments that are exposed to the internet. Everything is exposed to the internet because of remote working.”
PwC and Google-owned Mandiant also say they’ve seen increases in demand for cyber managed services due to the growth of remote and hybrid work.
A growing number of PwC clients are looking to separate their IT managed service providers from cyber managed services because “they are seeing greater value in the separation of duties, both through a lens of greater risk mitigation as well as better specialization,” said Joe Nocera, cyber, risk and regulatory marketing lead partner at PwC.
Talent gaps
A lack of available workers with cybersecurity expertise is pushing companies to use managed-service providers.
There are currently only enough cybersecurity workers in the U.S. to fill 68% of the cybersecurity jobs that employers demand, according to data from CyberSeek, a platform developed by the National Institute of Standards and Technology, CompTIA and Lightcast.
Mandiant suggested the lack of continuity of staff with cyber skills is driving clients to look to managed-service providers to fill gaps.
“Turnover is a big challenge for clients who already have limited members on their team or gaps in the continuity of certain cyber skills,” said Alan White, head of managed defense at Mandiant. “For example, organizations that need a malware expert may find it difficult to fill that niche role.”
Managed service providers, which are typically equipped with advanced automation, artificial intelligence and machine-learning capabilities, are adept at tapping into talent, especially when companies may have difficulties building technological underpinnings in-house.
These organizations offer experienced employees that companies may be challenged to hire independently, said Craig Robinson, a research vice president at IDC.
MSPs are also coping with capacity challenges. TCS, for example, said it’s using automated tools and platforms to reduce the demand for “crisis cyber-defense,” said Subramoni, who noted that the company is taking a systematic approach to recruitment, training and retention of cybersecurity talent.
MSPs add additional needs
Companies may be relying on managed service providers to oversee a growing portfolio of cyber responsibilities, but analysts say they ought to take certain precautions to minimize the additional risk from outsourcing security to a third party.
One recent example is the Kaseya ransomware attack, in which attackers exploited a vulnerability within the company’s on-premise VSA product, affecting fewer than 60 managed service providers which used the product. The breach opened up opportunities for companies to be attacked through their MSPs.
But the additional risk doesn’t preclude use of MSPs for cybersecurity, especially when organizations don’t have the capacity to mount a comprehensive effort on their own. Saylors recommends companies retain in-house team members that can oversee and collaborate with MSPs.
“We typically advise clients to keep a sizable retained organization that understands … where your highly valued, highly critical assets are and ensure those are protected, and use the compliance function to manage that third party to ensure [breaches] don’t happen,” he said.
A key lesson from the Kaseya attack, according to the company, is the need for a comprehensive strategy that includes access controls and threat detection systems.
“Customers that had advanced endpoint security weren't impacted,” said Mike Puglia, general manager of security products at Kaseya, noting companies that were threatened by ransomware barriers in place like two-factor authentication and requirements to connect to VPNs or corporate networks to get access.
While managed-service providers may be good at acquiring technical talent, organizations should be keeping their finger on the pulse of security strategies, said Robinson.
Some MSPs struggle to find individuals who have more of a consultant skill set, expertise they’ll likely seek to grow through acquisitions.
“You can't outsource the business decisions to an MSP,” he said. “If they're outsourcing a lot of their security needs to MSP, they still need someone tied to the business.”