
PATHFINDER REPORT

Overcome the Challenges of Building Your Own Cybersecurity Program with an MSSP
JUNE 2018

COMMISSIONED BY

© COPYRIGHT 2018 451 RESEARCH. ALL RIGHTS RESERVED.
About this paper
A Pathfinder paper navigates decision-makers through the issues
surrounding a specific technology or business case, explores the business
value of adoption, and recommends the range of considerations and
concrete next steps in the decision-making process.

About 451 Research


451 Research is a leading information technology research and advisory company focusing on
technology innovation and market disruption. More than 100 analysts and consultants provide
essential insight to more than 1,000 client organizations globally through a combination of
syndicated research and data, advisory and go-to-market services, and live events.
© 2018 451 Research, LLC and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication,
in whole or in part, in any form without prior written permission is forbidden. The terms of use regarding
distribution, both internally and externally, shall be governed by the terms laid out in your Service Agreement
with 451 Research and/or its Affiliates. The information contained herein has been obtained from sources believed
to be reliable. 451 Research disclaims all warranties as to the accuracy, completeness or adequacy of such
information. Although 451 Research may discuss legal issues related to the information technology business, 451
Research does not provide legal advice or services and their research should not be construed or used as such.
451 Research shall have no liability for errors, omissions or inadequacies in the information contained herein or
for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve
its intended results. The opinions expressed herein are subject to change without notice.


COMMISSIONED BY TATA COMMUNICATIONS



Executive Summary
Organizations of every size and in every industry feel the necessity and urgency to strengthen their cybersecurity efforts.
Enterprises have moved beyond simply securing the perimeter and now recognize the need to protect a growing digital
infrastructure that is global, elastic, dynamic and mobile. In this environment, data is perceived as a living entity moving
across systems and no longer contained within traditional boundaries. However, this modern infrastructure brings with it
increased risk, an expanding attack surface and increased complexity that is difficult to secure.
To address these challenges, organizations are making significant investments in security programs. These efforts typically
involve establishing security operations centers, adding threat detection capabilities, creating cyberthreat intelligence
programs, implementing automation and orchestration, investing in advanced security controls, and adding expertise to
cybersecurity teams. Yet building a strong security posture is more complex than implementing any one of these initiatives.
It requires a strategic, integrated, coordinated and collaborative approach to cyber-risk.
Building and maintaining a robust cybersecurity program is difficult and brings operational, organizational and personnel
challenges that lack straightforward solutions. The number of cyberattacks on the enterprise is increasing, while the attacks
themselves become more deceptive and elusive. Furthermore, the rate of adoption of new technologies and computing
models by the enterprise, as well as regulatory and compliance requirements such as GDPR, continue to heighten security
demands on organizations of all types.
Enterprises must approach their security efforts holistically, paying equal attention to people, processes and technology.
This paper examines the challenges that come with building and maintaining an effective cybersecurity program, and it
explores the opportunities, as well as the potential hurdles, around partnering with managed security service providers
(MSSPs) to overcome these challenges.

KEY FINDINGS
- Organizations report spending more of their budgets on security, yet are only realizing marginal results.
- Enterprises are struggling to adopt and fully utilize the security products they own due to a lack of expertise, inadequate
  staffing and tool complexity.
- The global shortage of available security expertise may be worse than most organizations realize, and is now stalling
  corporate projects and the adoption of new technologies.
- Retaining security expertise is difficult, and understaffed and overburdened teams are facing burnout and a poor
  work-life balance for security professionals.
- Stretched thin by demand, security teams tend to prioritize the urgent over the important, resulting in increased security
  incidents and the inability to deliver on impactful initiatives such as automation and orchestration.
- While many newer security tools and technologies tout automation and machine learning capabilities, their impact on
  the enterprise is limited unless they are aligned with an effective team, tuned processes and a business-driven approach
  to cyber-risk.
- Many organizations lack dedicated security budgets and an executive leader whose primary responsibility is security.
  These shortcomings are hindering organizations’ ability to drive enterprise-wide security strategy, often resulting in
  misalignment with the business goals and objectives.
Historically, the IT teams at most organizations have been, to some extent, responsible for securing the enterprise. These
teams often handled security operations by performing basic blocking and tackling tasks such as implementing and managing
firewalls, antivirus, content filtering and other perimeter controls in an attempt to provide a baseline of protection to
the organization.
As enterprises look to mature their cybersecurity efforts, building an in-house cybersecurity program with a dedicated security
team may seem like a natural option. However, many organizations head down this path unaware of, or unprepared
for, the challenges it entails – and they are often unwilling to consider partnering with a security service provider due to
misconceptions about loss of control, lack of accountability and visibility, and concerns about poor levels of service.


Personnel Challenges
Building a security team is a significant investment that typically accounts for over one-third of security budgets, according
to 451 Research’s Voice of the Enterprise (VotE): Information Security, Budgets and Outlook 2017 survey. Organizations are
finding that recruiting and retaining security expertise can be one of the most challenging aspects of their cybersecurity
programs, often hindering their efforts to protect the enterprise.

GENERALISTS/SPECIALISTS
Because security is a multifaceted, multidiscipline domain, organizations often assemble teams of predominantly security
generalists that are capable of addressing a wide range of matters including compliance, policies and common security
management activities. However, these generalized, multidimensional security professionals inevitably become mired in
day-to-day process-oriented tasks and are unable, or unqualified, to focus on advanced initiatives such as threat detection,
risk management and security architecture.
As the work of protecting the enterprise becomes more complex and attacks become more elusive, advanced security techniques
that require specialized expertise are essential to minimize risk to the enterprise. Unfortunately, organizations often
find that security specialists with expertise in areas like threat hunting, forensics and security architecture are the most
difficult and expensive roles to fill and retain. Partnering with an MSSP can help address these challenges by augmenting
existing staff with specialized expertise or offloading complex functions such as threat hunting in a completely outsourced
or comanaged arrangement, supplementing expertise gaps and needs that often fluctuate day to day.

RECRUITING
Filling these critical roles is difficult given the global shortage of security expertise. However, the problem may be worse
than most organizations realize. According to the 451 Research VotE: IT Security, Organizational Dynamics 2017 survey,
over 88% of respondents reported difficulty in recruiting and hiring security professionals. More than 67% of respondents
indicated that they are currently facing a cybersecurity skills shortage (see Figure 1). This shortage is especially widespread
among large enterprises (those over 10,000 employees), with almost 78% reporting a security skills deficit.

Figure 1: Skills Shortage by Company Size
Does your organization currently face a skills shortage in information security?
Source: 451 Research’s Voice of the Enterprise: Information Security, Organizational Dynamics 2017

1-999 employees: Yes 65%, No 35%
1,000-9,999 employees: Yes 70%, No 30%
10,000+ employees: Yes 78%, No 22%

This skills shortage is felt throughout the enterprise as the deficiency impedes corporate projects and the adoption of new
technologies. Organizations report that their need for cybersecurity professionals is compounded by current multidimensional
enterprise projects (such as digital transformation and cloud adoption) that require new, modern skills.


Although the pool of trained security professionals is increasing, demand is still far outpacing supply. The statistics cited
above are increasing quarterly, indicating that the lack of security expertise will be a problem for the foreseeable future.

RETAINING
As the security expertise shortage persists, organizations are fighting to retain the security professionals they already have
on staff. Not only are these individuals difficult to replace but, more importantly, losing security staff creates risk to the
enterprise as it impedes the ability to prevent, detect and respond to security incidents. A majority of enterprises report
that they will be increasing total compensation for their security teams over the next year largely in an effort to retain
existing staff.
But it often takes more than the lure of additional compensation to retain security talent. The cybersecurity profession
is demanding – teams are understaffed, tools are antiquated, and attacks require 24x7 response – and burnout and a poor
work-life balance are often the result. To increase retention rates, it is essential to provide security professionals with a
career path, interesting and relevant work, a conducive culture, corporate support for security initiatives, adequate staffing,
and continuing investment in training and education.
Organizations are often surprised to find that staff retention and job satisfaction typically improve after partnering with the
right MSSP. Those MSSPs that deliver security automation and orchestration capabilities minimize tedious (and mind-numbing)
tasks, greatly reducing the daily operational grind that leads to alert fatigue and inevitably causes employees to burn
out. Alleviating repetitive, routine tasks and workflows enables staff to focus on more relevant, interesting and important
duties such as innovation, strategy, management and enterprise digital transformation initiatives.

Operational Challenges
As attack surfaces grow and the sophistication and frequency of cyberattacks rise, security operations are strained. The
stakes are high: just one missed indicator of attack can result in a catastrophic breach. Breakdowns in cybersecurity programs
are often the result of many smaller operational problems involving people, processes and technologies.
Daily operational responsibilities have security teams struggling to prioritize time and resource allocation, often constrained
to addressing ‘high-priority’ or emergency issues over strategy, automation and orchestration, and the remediation
of known threats. Poor time management and the common practice of prioritizing the urgent over the important have
been identified as the source of many security incidents.

BALANCING SECURITY VS. COMPLIANCE
Excessive regulatory compliance requirements create many operational challenges. Regulations such as HIPAA, PCI DSS,
SOX and GDPR have progressed beyond annual assessments to the point of requiring ongoing, proactive efforts to meet a
growing number of edicts. Many organizations must comply with a mixture of industry-specific, state, federal and international
cybersecurity regulations, adding a heavy burden to security operations. At the same time, the stakes are escalating
as regulatory agencies and industry groups increase security requirements and levy severe penalties for noncompliance.
To overcome these demands, organizations often adopt one or more cybersecurity frameworks to provide a baseline measurement
of security effectiveness and to improve the maturity of security operations. Frameworks such as NIST CSF, HITRUST
and CIS Critical Security Controls provide ‘blueprints’ for building security programs to manage risk, reduce vulnerabilities,
and define and prioritize tasks required to secure the organization. However, these frameworks can be complex (the
NIST CSF framework has over 800 controls) and difficult to implement and manage. As a result, many organizations tailor
frameworks, selectively adopting controls with the intent to add more over time, while still contending with their limited
ability to commit necessary resources, knowledge and skills to effectively implement the partial frameworks.
While some organizations are leveraging MSSPs to free up staff to focus on compliance and implement frameworks, others
are finding that MSSPs can accelerate and simplify compliance management. Although enterprises are ultimately responsible
for ensuring that compliance requirements are met, many are leveraging MSSPs to perform a range of tasks like gap
analysis, monitoring/reporting and risk analysis, or even to fully lead their compliance management efforts. Organizations
are also finding that MSSPs often alleviate one of the main drudgeries of compliance – maintaining evidence of compliance
– by providing detailed reports, compliance automation and monitoring, and ongoing testing of security controls.


TECHNOLOGY/TOOLS
Most organizations report increased spending on security tools, yet are only realizing marginal results. Organizations are
often willing to invest in security controls, but they expect major advancements in effectiveness and efficiency. However,
survey work by 451 Research (VotE: Information Security, Vendor Evaluations 2017) has shown that enterprises struggle
to adopt and fully utilize the security products they have purchased due to a lack of expertise, inadequate staffing and
tool complexity.
Security initiatives are moving away from rigid, perimeter-centric network controls to more comprehensive and dynamic
tools and platforms capable of addressing distributed workloads and data, remote users, mobile devices and the growing
number of clouds in use throughout the enterprise. However, the 2,400+ security technology vendors and thousands of
security products and services in the market today have effectively overwhelmed organizations with too many options,
creating a trough of disillusionment and complexity.
As security teams look to a defense-in-depth approach to protecting the enterprise – implementing protection at multiple
layers, including network, application and endpoints – they end up having dozens, or even hundreds, of security tools in
production from a variety of vendors. These disparate point products often overlap in capabilities, lack integration and
generate an overwhelming number of alerts, making it difficult for security teams to gain the visibility and centralized
management they require. Thus, an unmanaged security solution deployment can induce a false sense of assurance to
some organizations while continuously exposing them to risks. Also, the long list of fragmented security controls in place
increases complexity and the organization’s attack surface as attackers look to exploit outdated software and vulnerabilities
in the security tools deployed.
Attackers are often successful not because they are sophisticated or elaborate, but because they are adaptive and persistent.
Therefore security programs and tools cannot be considered as ‘set it and forget it,’ but rather as persistent and
always adapting, too. Organizations must presume failure, constantly examine where failure is likely to occur, and adapt and
evolve to keep ahead of ever-changing threats. Unfortunately, many security programs and tools exhibit short lifecycles
with quick obsolescence – failing to adapt, many become ineffective as the security stack, infrastructure and business all
transform. For a security program to be successful, organizations must take into account processes and tools for protection,
detection and reaction, as well as monitoring threat intelligence in order to proactively adjust, adapt and remain resilient.
MSSPs bring great value to the technical operations side of security, delivering a fully integrated and broad suite of services
ranging from endpoint protection and log management to identity and access management and API security. With scalable
architectures and lower capital expenses, these services can be deployed quickly, protecting both on-premises and cloud
workloads and assets from a unified platform that can quickly adapt to the changing needs of the enterprise. MSSP services
integrate with an organization’s people, processes and technology, dramatically increasing the security posture of the organization
without the vast investment of time and capital required to build similar capabilities internally.

PREVENTION, DETECTION, AND RESPONSE
As organizations mature their security programs, they begin to accept that not all attacks can be prevented, making compromise
inevitable. Preventive controls such as firewalls, antivirus and content filtering are effective at stopping known
‘commodity’ threats, but often fail to successfully defend against new complex and sophisticated cyberattacks. Underscoring
current vulnerabilities, the 451 Research VotE Information Security, Organizational Dynamics 2017 survey found
that over 50% of organizations say they are inadequately equipped to either prevent insider espionage or defend against
hackers with malicious intent (see Figure 2).


Figure 2: Inadequacies in Security Coverage
Source: 451 Research’s Voice of the Enterprise: Information Security, Organizational Dynamics 2017

Preventing/Detecting Insider Espionage: 28%
Hackers/Crackers with Malicious Intent: 23%
Compliance: 18%
Cyber-Warfare: 14%
Internal Audit Deficiencies Based on Findings: 13%
Other: 4%
n = 458

While prevention is still important to securing the enterprise, many organizations are shifting their attention to detection,
with the hope of minimizing the impact and scope of compromise through rapid identification and remediation of active
threats. However, developing detection capabilities demands considerable resources and requires focused and specialized
expertise to be effective.
A data breach is a costly event, and as evidenced by several recent well-publicized breaches, failing to respond to security
incidents with speed and efficiency often results in a business situation that is worse than the breach itself. There is a strong
correlation between an organization’s incident response preparedness and execution and how well it will recover from
an incident. Unfortunately, many organizations are ill equipped or completely unprepared to handle security incidents
quickly and effectively. The lack of internal SLAs and the inability to measure and govern response and remediation efforts
prevent many organizations from strengthening their security operations and ensuring alignment with the business.

AUTOMATION AND ORCHESTRATION
Automation and orchestration are essential for security teams to scale and respond to incidents quickly. Automating security
processes can improve security operations, enable more efficient use of security staff, enable teams to investigate
more (if not all) alerts, improve effectiveness and efficiency of detection and response, and enable better decision-making.
While automation and orchestration hold the promise to address many of the challenges of cybersecurity programs facing
organizations today, most organizations find implementing automation and orchestration beyond rudimentary tasks difficult,
and they often revert to labor-intensive and inefficient methods to address security issues. The goal of automation
and orchestration is not to remove the human factor from the security equation, but rather to free security teams from
mundane, repetitive tasks so they can focus on strategic initiatives that positively impact the business. To enable this
level of automation, security teams need to have well developed operational playbooks built around consistent policies
and processes that document the best practices and steps for each type of incident. However, even with such playbooks,
enterprises often lack the platform that fuses integrated tools and process execution to bring about the requisite levels
of automation.
MSSPs accelerate incident response with process orchestration, knowledge management, case management and automation
in one platform, reducing the amount of time it takes for organizations to respond to, investigate and remediate
incidents across the enterprise. MSSPs can provide client organizations with cohesive, integrated workflows to integrate
cybersecurity countermeasures and greatly reduce the time and effort required to source, analyze and report on threat
intelligence from multiple sources. More than just ‘throwing an alert over the fence,’ MSSPs collaborate with in-house security
teams to ensure that proper context and severity is established and remediation is completed, taking lessons learned
from each event to refine the entire process and automate wherever possible.

Organizational Challenges
Enterprises consistently point to organizational challenges as one of their top five security pain points. While these challenges
vary by organization, security teams often point to budgets, leadership and executive support as some of the key
obstacles hindering their progress in securing the enterprise.
Over 72% of enterprises across every business size, vertical and geography report plans to increase spending on cybersecurity
this year. Over 83% of large enterprises plan to increase security spending over the next 12 months, up from 70% in
2017. However, only 35% of organizations have dedicated cybersecurity budgets. Cybersecurity is often part of the overall
IT budget, fighting for the same dollars that are funding digital transformation, infrastructure overhauls and cloud migration.
Dedicated information security budgets enable organizations to track spending on security initiatives, properly prioritize
that spending, and align it with business priorities.

Figure 3: Executive Security Leader by Company Size
Does your organization have a single executive leader whose primary responsibility is information security?
Source: 451 Research’s Voice of the Enterprise: Information Security, Organizational Dynamics 2017
[Chart: Yes/No shares by number of employees (1-999; 1,000-9,999; 10,000+)]

The 451 Research VotE Information Security, Organizational Dynamics 2017 survey also discovered that just 70% of large
enterprises and 53% of midsized enterprises have an executive leader whose primary responsibility is information security
(see Figure 3). Security teams lacking such executive presence typically report up through the CIO, CTO, CFO or even COO.
But cybersecurity has become too vital and too specialized to be directed on a part-time basis or to have decision-making
authority reside with an executive who fails to understand the complexities of risk and securing the enterprise. As executive
teams and company boards grow increasingly interested and involved in the area of security, it is crucial to have a senior executive
security leader who can contextualize cybersecurity risks within the overall risk management profile of the business
and bring a broad and deep perspective on how to minimize risk to the organization.
While inadequate security leadership has been deemed one of the major factors leading to some of the largest breaches on
record, it also hinders the ability to drive an enterprise-wide security strategy and program, often resulting in misalignment
with the business’s overall goals and objectives. Cybersecurity must be a top-down strategic initiative led by a dedicated executive
who can guide the organization through the complexity of security and compliance and unblock political barriers
to securing the organization. Even in the context of effective MSSP partnerships, the right level of governance and steering
is needed from the enterprise’s security leadership to derive the best benefits from these services.


Conclusion and Recommendations


It has been said that complexity is the enemy of security, but unfortunately for security teams complexity is becoming the
norm for the modern enterprise. Organizations are rapidly adopting emerging and disruptive technologies, creating an
increasingly complex infrastructure that is digital, edgeless and hybrid. The traditional perimeter is rapidly dissolving, and
the enterprise is moving into a vast digital landscape that spans networks, clouds and geographies, making it difficult for
security teams to map the connected and converged environment that must be protected.
The personnel, operational and organizational challenges facing security teams today are impeding the security of this
growing technology ecosystem. Adoption of disruptive technologies like IoT, blockchain and hybrid cloud will only accelerate.
In order to prepare the enterprise for the challenges ahead, security teams must look to be disruptive themselves.
Few organizations are able to tackle all of these challenges and mature their cybersecurity programs quickly enough to
keep pace with the increased risks they face. Organizations should find that partnering with a modern MSSP can fill the
gaps in technology and expertise and also support the ability to scale.
Modern MSSPs have moved beyond one-size-fits-all offerings to deliver a range of fully managed, comanaged and bespoke
services. They offer access to cybersecurity experts with advanced skills and tools, providing the flexibility to augment internal
resources or even completely offload specific security functions. Modern MSSPs offer operational transparency and
visibility, enabling organizations to maintain control of the security of their operations and provide accountability. They are
considered trusted partners by many organizations, and provide a high level of collaboration, advanced analytics, shared
threat intelligence and incident reporting, enabling organizations to make informed, outcome-based decisions and focus
their security efforts on strategic initiatives vital to the core business.



ABOUT TATA COMMUNICATIONS
Tata Communications is a leading global provider of A New World of Communications™ to
multinational enterprises and service providers. The company leads from the front to
create an open infrastructure, partner ecosystem and platforms for businesses to stay
competitive in this digital age. Tata Communications’ portfolio of services are
underpinned by the company’s leading global network infrastructure. With a strong
presence in both developed and emerging markets, the company is a key enabler of
information and communication technology globally with a broad range of services
including network services; managed security; voice, data and mobility solutions; unified
communications & collaboration tools; content management; media and entertainment
services; and cloud and data centre solutions.


Disclaimer: © 2018 Tata Communications. All Rights Reserved. TATA COMMUNICATIONS and TATA are
trademarks of Tata Sons Limited in certain countries.
