By Robert Lemos
Protecting sensitive data and systems is a tough job for large companies, even for those firms with a dedicated information security manager or team of skilled professionals.
For the numerous smaller firms and less-affluent larger companies, it’s a Sisyphean effort, made worse by the current scarcity of skilled security workers. Trained IT security workers are in high demand, with a shortfall of 1.5 million workers expected by 2020, according to market research company Frost & Sullivan. Companies are finding it hard to staff their security teams and protect their assets, says Dan Bonnet, director of small and medium business for Dell SecureWorks in North America.
“Most companies don’t handle security well,” he says. “This problem has gotten so bad, so quickly, that everyone is playing catch-up.”
Big job for small companies
These smaller, forgotten businesses are increasingly turning to managed security services to help them create, deploy and manage their information security programs. They need the help, says Rob Eggebrecht, CEO and co-founder of InteliSecure, a provider of security services. A major problem is that the typical information-technology manager thinks in terms of systems and the network, not about the business value they are protecting, he says.
“They are stretching out their resources to try to protect everything with equal focus,” he says. “Imagine putting soldiers all around the United States, rather than at key points.”
The problems associated with creating and maintaining a solid security program have resulted in a disturbing trend: The severity and impact of security breaches appears to get worse. While the Christmas shopping season hack of Target’s payment network cost the retail giant more than $162 million, a number of possibly more damaging breaches have happened this year. Earlier this summer, the U.S. Office of Personnel Management acknowledged two compromises, including one that resulted in more than 21 million background-investigation records ending up in the hands of attackers. In July, AshleyMadison, a site that allows cheating spouses to connect with one another, acknowledged that information on its 37 million members had been stolen by attackers.
Any business first needs to determine what data and systems are critical and need protection. Next, the company needs to focus existing security technology on monitoring those important assets and managing the existing infrastructure. Finally, companies should focus on incident-response exercises and preventative training, such as phishing-awareness exercises, says Dell Secureworks’ Bonnet.
“SMBs really need to do incident response exercises, because most have never done that sort of security training before,” he said.
The demand for security services has been a boon for companies like Dell Secureworks, InteliSecure, Solutionary and Trustwave. InteliSecure, for example, started out focusing on deploying and managing data loss prevention devices from a few major providers. They have expanded into other services. The complexity of security technology and the need to constantly monitor for threats has made managed security services an attractive option, Eggebrecht says.
Help is lacking
“The reason that our company is growing at a 40 to 50 percent clip is that in the managed security business space there aren’t enough qualified people out there … and many of those who are out there don’t have a clear understanding of what they need to protect, in terms of the business,” he says.
The constant parade of breaches has made information technology managers with security skills a hot commodity. But companies also have to contend with security firms scooping up many of the potential employees. InteliSecure, for example, has grown to 80 people in its security operations center in Denver. Next, it plans to expand to Costa Rica to extend its global reach, but also because qualified people are increasingly harder to attract in the United States.
“We’ve tapped out Denver,” Eggebrecht said.
Managed security services can range from simply training to prevent employees from clicking on links in phishing emails, which can cost less than $1,000, to more complete offerings that manage firewalls and other security equipment and essentially give the business their own security operations center.
Robert Lemos is a contributor to ThirdCertainty.com, where this article originally appeared.