Asia Pacific (AP) organizations have historically been slower to outsource critical information security functions, largely due to concerns that letting external parties access internal networks and manage IT security operations exposes them to too much risk. They have also not fully understood the real business benefits of outsourcing partnerships from a security perspective. However, this trend has recently started to reverse. I have just published a report that outlines the key factors contributing to this change:
- Skill shortages are leading to higher risk exposure. Scarce internal security skills and a dearth of deep technical specialists in the labor pool are ongoing challenges for organizations around the world. This not only raises the cost of staffing and severely restricts efficiency, it may also increase the costs of security breaches by giving cybercriminals more time to carry out attacks undetected; at least one study indicates that the majority of reported breaches are not discovered for months or even years. The early adopters of managed security services in AP tell us that external service providers’ staff have more technical knowledge and skill than their internal employees.
- Internal security teams can’t keep up with business change. Businesses are growing and evolving quickly, reacting to more demanding customer expectations. With the pace of business change putting more pressure on the CIO’s organization, building in-house capabilities to monitor and manage IT security around the clock is becoming an unrealistic option for many. In fact, the security operations center (SOC) manager of a global communications company told Forrester that it takes 18 months before a new SOC functions well enough to start providing the business value that the management team expected.
Contracting with a managed security service provider (MSSP) can help improve your security posture without making large upfront investments in technology and resources. Outsourcing has long been a viable option for Western companies; now, AP organizations that face similar challenges also have a list of MSSPs to choose from. While working with an MSSP is a relatively new practice for many AP organizations, there is much to learn from the successes and failures of early adopters. Based on our analysis, Forrester recommends that firms:
- Follow a rigorous process to find the right MSSP partner.
- Document how security supports business objectives before outsourcing it.
- Pay close attention to behavioral factors.
Security and risk leaders — those who have outsourced or are planning to do so — should carefully select vendors and manage the relationship closely to improve the chances of success. To read the full analysis, download my research report: “Lessons Learned From Early Adopters Of Managed Security Services In Asia Pacific.”