Folks come to cybersecurity services for a lot of reasons, complexity and compliance being two of the top ones. In fact, 40% of respondents to a recent ESG cybersecurity services study state that they need advice on dealing with the complexity from multi-cloud and hybrid architecture. And another 26% specifically call out that they need help rearchitecting their security posture during cloud migration and digital transformation efforts.
With the plethora of regulations we have today and more on the horizon like CCPA (see ESG Senior Analyst Christophe Bertrand's blog about this topic), it’s no wonder that 35% of respondents cite regulatory requirements as a driver and 24% say that these requirements have become untenable for their organization to manage on its own. It used to be that regulatory audits came once per year, but nowadays they are iterative due to the number of standards organizations have to meet.
Breaches continue to proliferate and, in fact, escalate. The adversary stays ahead of us and continues to outpace the good guys and gals. Because of this, savvy executives and boards of directors are asking more questions. And savvy CISOs are encouraging these stakeholders to become involved in the cybersecurity program. These folks are beginning to understand that we cannot answer the question “are we secure?” in a binary fashion. It’s more nuanced than that. This is driving risk management discussions. Hence, 48% of our respondents are seeking advisory assistance to understand security risk within the broader business risk management program, and 54% want help in developing metrics to report to the board and executive teams. This behavior, in part, drives the top reason folks are engaging services providers: 42% of respondents are trying to drive understanding and participate in cybersecurity as a team sport. And, indeed, cybersecurity needs to become a cross-functional, all-stakeholders-involved sport.
Beyond the above reasons to engage security services providers, respondents cite alert fatigue, a dearth of cyber personnel, and a lack of technical acumen to detect and respond to alerts. These lead to outsourcing services like managed detection and response (MDR) and managed security services (MSS).