A study from 451 Research, a part of S&P Global Market Intelligence, explores the primary drivers for implementing managed services, the key pain points security leaders are experiencing with such services, and the monitoring characteristics of enterprise security operations centers (SOCs).
The Take
Managed security services (MSS) in all their forms, including managed detection and response (MDR), managed security information and event management (SIEM), SOC as a service, and others, work on the premise that a company providing security expertise and person power to multiple customer organizations can develop an economy of scale in a market where both tools and talent carry serious expense. These offerings vary widely, including near outsourcing relationships at smaller companies, sometimes bundled with general IT services; offerings associated with specific tools; and services that augment the capability of internal SOCs. The ability to obtain 24/7/365 security monitoring coverage is the most frequently cited driver for establishing an MSS relationship. Staffing and skill shortages are the second- and third-most-cited drivers; these factors are especially prominent among companies with fewer than 1,000 employees.
Summary of findings
In this year’s earlier budgets study, 20% of security managers said that, among various areas of security spending, MSS would see the largest budget increase for this year. In the current study, 38% of organizations say they have an MSS relationship in place, 15% are piloting such services, and another 9% are planning to enter into a services arrangement in the next six months. The most frequently cited pain point for such services is difficulty defining return on investment. For a larger security organization with a dedicated SOC, where MSS augments existing capabilities, there is a built-in evaluative capability in that working relationship. For smaller enterprises that are more dependent on MSS, and that may receive those services bundled with other IT support, discerning the service level and value delivered can be more difficult.
Rounding out the top pain points are alert fatigue and lack of prioritization, and limited technology choices. The latter is sometimes by design. SIEM as a service, for example, typically builds a platform integrating threat intelligence, user and entity behavioral analytics (UEBA), and security orchestration, automation and response (SOAR) offerings. Attempting to support entirely different product stacks rarely allows for a comprehensive offering that achieves the economy of scale necessary for a viable managed service.
About 15% of respondents say they are unable to determine whether the MSS is providing the services contracted for, and 12% note an inability to audit the MSS capabilities. The vast majority (84%) of respondents attempt to independently validate the monitoring capabilities of their MSS provider, by, for example, triggering security events and measuring the quality of responses, including timing. One-third (33%) note that their MSS detected a major security incident in the last year. Among that group, 61% say the MSS both detected and responded to the incident, while 26% note that the MSS alerted the internal security team, who then managed the response.
Services provided by an MSS are dependent on the nature of the relationship, and they are influenced by the size and characteristics of the customer firm. For example, 38% of organizations with fewer than 1,000 employees leverage email security as an MSS capability, versus 27% of organizations with more than 1,000 employees. Use of firewall management as a service is similar. On the other side, identity management and SIEM-based services are more frequently leveraged by larger organizations.
More than three in five (63%) internal SOCs are staffed for 24/7/365 support, meaning they are “on” all the time. Unsurprisingly, teams at larger enterprises are better resourced to achieve this capability. Just over two-thirds (68%) of companies with more than 1,000 employees have “always on” SOC capabilities. More than two-fifths (43%) of SOCs are mostly in-house, while 32% represent a hybrid between in-house and outsourced teams.