Organizations of all sizes are increasingly turning to managed security service providers (MSSPs) and managed service providers (MSPs) to supplement their internal IT security teams, a new study of more than 5,000 IT professionals found.
Roughly 70 percent plan to outsource security to an MSSP or an MSP during the next 12 months, based on the results of Kaspersky’s Global Corporate IT Security Risks Survey. The report is the fourth in a series on IT security economics from security provider Kaspersky. Nearly three in four of those companies turning to MSSPs or MSPs said that outsourcing could reduce their security-related costs, the study indicated. Moreover, 22 percent of small- to medium-sized businesses (SMBs) and 26 percent of enterprises pointed to outsourcing as a top reason for reducing their IT security budgets, the study said.
Chief among the reasons why organizations in the study rely on MSSPs and MSPs is that they command special expertise, an indication that the employee and skills element is also a prominent factor, Kaspersky said. Other reasons in addition to financial effectiveness and specialty requirements include the complexity of business processes (41%), scalability (34%), compliance requirements (38%) and the efficiency of delivering cybersecurity solutions (50%). On the other hand, the understanding among organizations that working with MSSPs involves more than simply saving money is “very much a burgeoning recognition,” Kaspersky said. Only two percent of both SMBs and enterprises are currently involving an outsourced MSSP or an MSP in their IT security operations.
Additional findings from the study include:
- Half (52%) of enterprises and 45% of SMBs have a dedicated IT security department.
- 20% of enterprises have an internal security operations center and 14% employ a special malware analysis team.
- 44% of enterprises have a security function that is managed as part of a wider IT department, compared to 50% of SMBs that rely on this particular setup.
- High workloads (41% overall and 46% in IT security roles) are the primary reason given for leaving a department.
- IT security specialists spend as much as six hours each week on non-work activities. The most widespread distractions are reading news articles, watching YouTube or TV or exercising.
- While more than half (66%) of threat intelligence analysts participate in a professional community, only 44% of them have ever shared their insights with peers.
- In addition to an SOC, 17% of companies said that they have dedicated threat intelligence teams and 8% employ a dedicated malware analysis team.
- 67% of all businesses expect that their investments in IT will grow in the next three years. Among them, 37% of enterprises are driven by a desire to improve internal specialists’ expertise.
“The survey results show that enterprise cybersecurity departments may come in many forms, meaning that their needs and requirements also vary,” said Sergey Martsynkyan, who heads Kaspersky’s B2B product marketing.
The study also uncovered data on the structure of IT security teams, including:
- A combined 58% of SMBs have 25 or fewer employees within IT security, and 35% of these have fewer than nine. Among enterprises, 14% have between 250 and 499 employees across their IT security function, and 14% have between 10 and 25 in the same capacity.
- 46% of enterprises have a CISO, as well as additional tailored units, including risk and compliance groups (46%), a security operations center (SOC) (20%), dedicated threat intelligence teams (16%), or a malware analysis team (14%).
To gather data for the survey, Kaspersky interviewed 5,266 IT business decision-makers across 31 countries in June 2020.