As in all other areas of IT, security professionals tend to be computer science nerds. We love to talk about hardware and software advancement and how it will impact the challenges around the security triad of confidentiality, integrity, and availability. As always, this geeky tendency was on display at the RSA security conference in late February as the industry buzzed about things like streaming processing, Hadoop clusters, new authentication protocols, etc.
No doubt that ASICs, appliances, and software play a starring role at RSA each year but all this attention minimizes an interesting trend in the industry – security service providers are killing it. For example, Dell SecureWorks introduced new services offerings in 2012, plans to expand its service delivery capabilities to Europe in 2013, and is expanding its population of security consultants by 75% year-over-year. Similarly, the manager of IBM’s red team told me that his biggest problem is keeping up with demand. Likewise for the RSA Security CERT folks I spoke with. Oh yeah, all the security service providers I met with did articulate a few common problems – recruiting, hiring, and training new staffers.
This shouldn’t come as a surprise to anyone. In a 2012 ESG Research survey, 58% of organizations indicated that their use of managed and/or professional security services would “increase somewhat” or “increase substantially.” Why? According to ESG Research (note: multiple choices allowed):
- 39% said, “Security service providers can perform certain tasks better than we can.”
- 34% said, “New types of threats persuaded my organization to seek outside expertise.”
- 29% said, “We don’t have enough security staff to handle all security responsibilities.”
- 28% said, “We don’t have specific security skills in house so the organization decided to outsource certain security tasks.”
- 27% said, “Security is not core to the business so my organization decided to seek outside expertise.”
- 24% said, “My organization experienced a security breach which led us to seek out more security services and expertise.”
- 20% said, “We couldn’t recruit/hire enough internal security expertise so we had no choice.”
Yup, there are lots of reasons why organizations are consuming more and more security services, and given the global security skills shortage, this will only increase.
Let’s face it, technology is the sexy part of our industry. It’s what drives tradeshows like RSA and gets the Sand Hill Road phat cats to invest millions of dollars each year. This sexiness gives us the misguided impression that technology can do it all. Wrong, wrong, wrong.
Security service providers will continue to succeed because the art and science of cybersecurity has grown so complex that few human beings have the skills, experience, aptitude, and chutzpah to excel in this area. This is the prosaic reality around information security and it always will be.