SMBs Benefit from Outsourcing Security to MSSPs

SMBs Benefit from Outsourcing Security to MSSPs

By Roger Yu

Payroll. Customer relationship management. Employee benefits.

These are a few of the common cost-of-doing-business functions most companies must expense and which many have chosen to outsource.

You can add network security to that list. In the digital age, all companies must come to grips with rising exposures to criminal hacking; and many, especially small and midsize businesses, are discovering a welcome outsourcing alternative: managed security service providers, or MSSPs.

IT budgets, including security spending, remain tight. Yet most companies, by now, have acquired a portfolio of cybersecurity systems. In response, more niche vendors have surfaced as third-party managers to caretake the security systems companies of any size might find too cumbersome to manage in-house.

MSSPs function as a contracted Security Operations Center, or SOC, remotely monitoring and tweaking security systems for their clients 24 hours a day. Services typically include keeping anti-malware updated; providing secure backup; and carrying out vulnerability patching and web content filtering. They also can administer intrusion detection; manage virtual private networks; monitor firewalls and security gateways; and do post-breach forensic analysis.

It’s “the largest and fastest growing IT security service,” says Steve Kelley, chief marketing officer for Trustwave, which competes in the sector. “Just about any business is at risk.”

In a survey of in-house IT security professionals by Trustwave that was released in February, 86 percent said they either already partner or plan to partner with an MSSP. That was up from 78 percent a year ago.

In 2014, the global market for security outsourcing totaled $13.8 billion, with an annual growth rate of 15.4 percent forecast through 2019, according to tech industry research firm Gartner. A large chunk of it comes from managed security services, which accounted for $7.9 billion worldwide, it says.

With so many security tools and services available, the MSSP market remains heavily fragmented. Some of the household brands—IBM, Verizon, AT&T and Symantec—offer a comprehensive set of services for enterprise clients that have a multitude of endpoints (desktops, workstations and mobile devices).

For example, IBM’s managed security service division handles “threat data from more than 270 million endpoints and manages approximately 25 billion security events daily for clients worldwide,” wrote Kelly Kavanagh and Toby Bussa, analysts at Gartner, in their recent report about the state of the MSSP segment.

Another segment of the managed security market is composed of consulting technicians who cater to very small businesses. These MSSPs are typically mom-and-pop shops themselves with one or two employees who assemble and integrate products developed by others, says Carl Banzhof, vice president of engineering for LOGICnow.

LOGICnow packages and white labels cloud-based security solutions used by MSSPs catering to very small businesses. Banzhof told ThirdCertainty LOGICnow caters to some 12,000 small MSSP shops that collectively help protect about 2 million endpoints, including Microsoft Windows, Apple and Linux endpoints and servers used in smaller companies.

“Typically, the average managed service provider in our space services the client that has between five and 25 desktops,” he says.

Some of MSSPs’ services are more quotidian and may be cumbersome for SMB owners who are trying to focus on other aspects of their business. “You are trying to run your business on a daily basis. You don’t really think about, ‘Oh, I need to update all these Microsoft patches, or I need to update Adobe and make sure my antivirus is turned on,’” Banzhof says.

A challenge in convincing SMBs to outsource IT security services is their tendency to underestimate the risk—the it-can-never-happen-to-me mentality, Kelley says. “Cybercriminals don’t distinguish large and small businesses. They’re looking for the easiest house to rob, not necessarily the nicest house,” he says.

Related story: SMBs let their guard down on security

Some DIY small business owners often select their securityware from a large variety of off-the-shelf products that are installed by one-time vendors. They’re left to their own devices in updating, managing or scaling it as necessary. And they typically lack in-house skills to keep up with hackers’ rapidly evolving tactics.

“There’s a lot of targeted attacks that are happening truly at small businesses now because the attackers realize that there is a certain number of the small businesses that house a great deal of sensitive information that’s more valuable on the market,” Banzhof says.

In shopping around for MSSPs, clients should look particularly for their capability in running remote security operation centers, Trustwave’s Kelley advises. Larger vendors with global operations can provide a more “international flavor” on the threat intelligence from sources worldwide. They have been exposed to more variety of cases that can prove useful to clients, he says. AT&T, for example, runs eight security centers worldwide, according to Gartner.

But “a mere presence of a (center) doesn’t actually mean that the vendor is truly legit. You don’t want some guy coming at graveyard shift looking for the red light,” Kelley says.

SMB owners also would be wise to assess vendors’ experience in handling cloud data. Expanded use of cloud-based computing and responding to it—as well as getting access to those environments—have been challenging for many MSSPs, Gartner’s Kavanagh and Bussa wrote. “MSSP support for public cloud environments is inconsistent and evolving,” they said.

This article originally appeared on