A global study of 1,350 business decision makers, the Risk:Value report shows that attitudes are changing towards outsourcing a company’s IT security to a third party as cyber threats continue to evolve, stricter compliance measures come into force, and demands on in-house resources are stretched to their limit.
According to the report, while only 6 per cent of organisations in the UK are using a third party provider currently, 23 per cent plan to use one. Another 29 per cent say they might consider it in the future, although a minority (11 per cent) say they plan to keep their security processes in-house.
Of those UK organisations using or planning to use an MSSP, nearly a third (31 per cent) say it is because of a lack of internal skills and 27 per cent want access to better technology. More than a quarter (28 per cent) of respondents say it is more cost-effective to outsource, although the main reasons for using a third party are for support with data storage (40 per cent) and data management (35 per cent), as well as assisting with cloud migration projects (15 per cent).
Kai Grunwitz, Senior Vice President EMEA, NTT Security, comments: “Many organisations are struggling with a lack of resources, coupled with trying to stay compliant and cope with an increasingly complex security landscape. As threats increase in both complexity and sophistication, corporate IT teams are unable to keep up, and quickly find they lack the skills and technology for early detection and response. Working with a third party security provider not only delivers round-the-clock access to specialist skills and knowledge, but also brings with it the very latest advanced threat detection and analytics technology and capabilities that would be impossible to have in-house without huge capital investment by the business.”
Of those not using a third party provider, around four in ten (43 per cent) say do not want to share information with a third party, while a third (34 per cent) have security concerns. More than a quarter (26 per cent) say they are too expensive.
Citing the forthcoming General Data Protection Regulation (GDPR) as a possible driver for companies working with third parties, Mr Grunwitz adds: “The deadline of May 2018 is not that far away, yet there are a lot of organisations that have still not grasped how important this is, or who think it doesn’t apply to them – perhaps because they’re not based in Europe or Brexit is coming. These are not valid reasons to push it under the carpet. This and the wider governance, risk and compliance (GRC) environment is a huge potential growth area for managed security services providers.”
According to the NTT Security Risk:Value report, only 39 per cent of companies in the UK have identified GDPR as a risk for them, the lowest figure for all of the European countries surveyed.
Global/country figures:
· 44 per cent of organisations worldwide (average across all countries) are using or planning to use an MSSP, with 6 per cent currently using an MSSP and 38 per cent planning to. 28 per cent say they might consider it in the future. While 8 per cent will never use a third party security provider.
· Switzerland and Hong Kong (on 12 per cent each) are most likely to use a third party provider
· Sweden, Germany & Austria and Singapore (all 3 per cent) are least likely.
Industry sector figures (global):
· Financial services companies lead the way in using third parties, with one in ten already using a managed security services provider, while another 43 per cent say they plan to use one
· The report suggests that other sectors are set to close this gap, with more than half (51 per cent) of business and professional services companies interested in bringing an MSSP on board, followed by computer services and technology (49 per cent) and manufacturing companies (42%)
· Just 2 per cent in Government use an MSSP, while 18 per cent never plan to use one.