Kaspersky’s annual IT Security Economics report revealed that the complexity of cybersecurity solutions forced companies to outsource some functions to external InfoSec providers, as the latter have more relevant expertise and can manage the technologies more efficiently than company employees.
A complex cybersecurity solution won’t guarantee the best protection without a competent specialist managing it. A company’s search for such a qualified worker is complicated by the global shortage of experts in this field. This fact was quantified by (ISC)², which reported a 3.4 million-worker skills gap in the professional market in its 2022 Cybersecurity Workforce Study. This situation forced businesses to outsource certain IT functions to managed service providers (MSP) or managed security service providers (MSSP) to get relevant expertise and up-skill teams.
Kaspersky’s global research, conducted among IT decision-makers, found that 65% of SMBs and corporations said the most common reason to transfer certain IT security responsibilities to MSP/MSSP in 2022 was the efficiency external specialists provided. Among the other most frequently mentioned reasons, companies also named the need for special knowledge (51%), a shortage of IT employees (50%), the complexity of business processes (46%) and compliance requirements (45%).
The main drivers in outsourcing for MSP/MSSPs
Regarding cooperation with MSP/MSSP, almost 70% of companies stated that they usually work with two or three providers, while 19% said they deal with more than four IT Security service suppliers a year.
Responding to questions about the top incidents deemed complex enough to require external IT-security experts, the respondents named incidents affecting IT infrastructure hosted by a third party (80%), third-party cloud services (78%) and virtualized environments (77%). However, bosses find that incidents involving the violation of IT security policies (33%) and inappropriate use of IT resources by employees (33%) require less external assistance.
“External specialists can either manage all the cybersecurity processes in a company or just deal with separate tasks. It usually depends on the size of the organization, its maturity, and management’s desire to be involved in information security tasks. For some small and medium-sized companies it can be reasonable not to hire a full-time specialist and transfer some of his functions to MSP or MSSP as it will be more profitable in terms of cost and efficiency. For large corporations, outside specialists usually mean extra hands to help their own cybersecurity teams deal with a large volume of work. However, it is important to understand that in any case the company should have basic knowledge of information security to be able to assess the outsourcers’ work properly.” – comments Konstantin Sapronov, Head of Global Emergency Response Team at Kaspersky.