Source: S&P Global Media Portal/Getty images/667772459.
A study conducted by S&P Global Market Intelligence 451 Research examines the usage of managed security services and managed detection and response in organizations, including which services are employed, the drivers for contracting those services, current pain points in managed security services, the role of managed security services or managed detection and response in incident response, and how generative AI is leveraged in extending services’ capabilities.
The Take
A recent study conducted by S&P Global Market Intelligence 451 Research examined the key benefits that enterprise security managers report from implementing generative AI in their internal security operations. Managed security services (MSS) vendors apply security operations capabilities across multiple enterprises to achieve an economy of scale, enabling efficient coverage by sharing analyst and tool capabilities across clients. Therefore, any SecOps capabilities that can be automated or simplified represent opportunities for security services providers to dramatically streamline and improve MSS delivery.
Summary of findings
The most cited driver for engaging MSS is always-on monitoring (24/7/365), cited by 39% of respondents. Always-on monitoring addresses a fundamental challenge for internal teams unable to offer full coverage via shifts or a follow-the-sun model. Interestingly, another study conducted by S&P Global Market Intelligence 451 Research that is conducted with service providers, in near-complete alignment, notes the ability to provide this level of coverage as the most important aspect of providers’ service offerings for customers. The service provider study also notes the ability to build a scaled security operation across many customers (33%), as well as their role in addressing cyber insurance requirements (21%). Customers cite the ability to supplement personnel (27%) and incident response (21%) capabilities as key drivers, highlighting the dual role that MSS providers play in augmenting staff and monitoring capabilities, as well as providing specialist services, including forensic or investigative capabilities when required.
When asked in which ways they see GenAI or agentic AI benefiting MSS delivery, respondents note increased efficiency in security processes (67%), improvement in security process automation (43%) and reduced human effort in incident response and monitoring (43%). Looking at operations’ overall employee experiences, 40% of respondents believe that leveraging GenAI frees up senior resources, while 34% note it provides junior resources with greater operational guidance.
The arrangement of security services is also partially influenced by organizational scale. For example, managed security information and event management is almost equally likely to be leveraged by organizations with both more and fewer than 1,000 employees, but MDR more often appears in larger organizations. Traditional MSS is slightly more likely to be leveraged by companies with fewer than 1,000 employees. Some of this is linked to internal security team size, which is likely to be larger and more specialized at larger organizations — thus, a requirement exists for a more specialized third-party security services offering.
A top pain point with MSS offerings is the amount of time required to turn assessments into actionable results (21%), alongside familiar security operations issues, including alert fatigue and unclear prioritization of issues (17%). Verifying that contracted services are actually being delivered remains a key issue (16%), indicating MSS companies must clearly demonstrate value through activity reporting. Correspondingly, customers cite difficulty demonstrating a clear return on investment (ROI) for MSS (14%). Service providers note that stronger partnerships with security product companies (65%) would strengthen their offerings to customers, and customers acknowledge that a lack of technology choices is an issue (16%). Service providers would also like better technical guidance from vendors on how MSS should be delivered (54%), stronger integration of security vendor products into their service offerings (48%) and better integration with services and staff to support event-driven responses such as incident response (44%).
Organizations contracting with MSS typically expect that the service provider will be involved with incident response. This could come in the form of operations, such as identifying activities to be investigated in incident response, threat hunting or forensics capacity.
Three in five respondents (60%) indicate that their MSS assisted with detecting or responding to a major security incident for their organization in the last 12 months.
Looking at that 60% population, more than half (53%) indicate that the MSS both discovered and responded to the incident. An additional 29% say the MSS discovered the incident and then handed response activities over to an internal security operations team at the organization. Approximately 9% of respondents indicate that the MSS conducted the forensic investigation itself. Finally, 8% of respondents say the MSS found early indicators of compromise, but it was primarily the organizations’ internal team that responded to the incident.
The Security Talent Gap is More Complicated Than You Think
Want insights on Infosec trends delivered to your inbox? Join the 451 Alliance.
