Cybersecurity services are at an inflection point, where they are no longer “nice to have” but “must have” for security teams. Migration to digital and cloud-driven architectures, continued lack of resources, and rapid growth of breaches escalate the need for an objective service partner. Admittedly, I’m a services wonk, and see all markets through the lens of services, but it’s obvious that complexity and overwhelm abound as a myriad of new security solutions confuse the market annually at conferences. (Speculation about this year’s RSA “theme” is rife on LinkedIn.) Security teams are challenged to manage security effectively, and to negotiate business against risk. The evolution of this market necessitates services that drive assessment and rationalization of existing security programs rather than adoption of new technologies. It also demands preparedness.
I am a big believer in the Boy Scouts motto, “be prepared.” Some CISOs I chat with have done a brilliant job of designing and following through on a well-architected security program. They’ve brought in experts to review the program, determine its maturity, and are working a resulting plan to fill the gaps. These on-target executives are also prepared for the inevitable breach. Many CISOs are doing the best they can with what they have, but are behind the eight ball and running against budget challenges, resource constraints, and overwhelming complexity. Securing the organization has always been hard, but given the rapid move to modern architectures and an adversary who is always ahead, the situation is increasingly daunting to navigate.
In addition, security is no longer a back office affair. Boards and executives ask on a daily basis, “are we secure?” to which the answer has to be “yes, kind of.” As the veteran security folks know, security is a balance of risk versus business operations. How much risk are we willing to embrace in order to not slow the business down, work within the granted budget, and save enough for emergencies? A few CISOs are starting to measure the risk versus investment ratio to engage upper management’s assistance with this delicate balance.
All of this is hard, which is why security teams need budget to hire services firms. Service providers perform program and architecture assessments, maturity assessments, and vulnerability and penetration testing to determine the current state of security. Some service firms design migration plans to the cloud and digital business while incorporating necessary security milestones to ensure the business’s safety. Responders help prepare the organization with breach readiness programs to develop and practice incident response across the organization. And managed security service providers offload management and monitoring of the security architecture, freeing up IT to support the business.
I am excited to join ESG to continue my research in the cybersecurity services market. In this role, I will field surveys that ask users which services are top of mind, which are nascent but important, and which are lagging behind. I will chat with hundreds of service providers, vendors, consultants, and managed security service providers to understand their offerings and assist them with their go-forward strategy. Whether you are a provider or a user, please let me know how I can help.