There are four primary drivers for this growth. Firstly, security threats are getting worse. "The threat landscape has become more challenging to combat", notes John Yeo, EMEA director at Trustwave. "Websense expects that cyber-attacks will be on the rise next year resulting in an increase in recognition by businesses for security services," notes Elad Sherf, senior security researcher at Websense. "New technologies and communication platforms are being brought into the corporate environment such as social media, BYOD and mobile applications. These technologies open new security challenges," adds Yeo.
Nor must we forget the ever present APT threat. "Detection may be the hardest thing to do, but when an exploit is found, it's critical a customer does something to act on the information otherwise it's not worth paying for a tool that finds an APT," warns Jason Steer, director of security strategy at FireEye. Detection is indeed the hardest thing. "The 2013 Trustwave Global Security Report revealed that the average length of time before a data breach activity is detected, was 210 days after the initial intrusion," explains Yeo.
Until now, companies' response to this increasing threat has been to install some basic security and hope the breach happens to someone else. But this is increasingly unacceptable – both from the rising threats, and from new government interventions. While the average time to detection is 210 days, Government regulations are demanding improved security (including in some cases 24-hour breach notification) and threatening increased pecuniary sanctions (especially, for example, in the EU's General Data Protection Regulation). There is, explains Matt Hines, product manager at FireMon, "a tremendous amount of external pressure coming to bear on organizations both from the attack landscape and in the form of compliance mandates." Compliance is the second driver.
The third driver is a lack of internal resources. Partly this is financial; but overwhelmingly it is a lack of skilled security staff. "There is a significant skills shortage across the IT industry," explains Yeo. "It is more difficult for businesses to find employees with the skills needed to protect a company’s information against threats that are continuously becoming more complex." Many companies are consequently finding themselves in an impossible situation: a serious and worsening problem that they must by law solve, but don't have the resources to do so.
Against this background, the MSS industry is responding positively with new and improved services. This is the fourth driver, because the MSS industry is providing a solution to an otherwise impossible conundrum. One of the most common predictions is the growth of hybrid MSS. "Not all security services can be outsourced," explains Geoff Webb, director of solution strategy at NetIQ. "We should expect to see an effort to utilize MSS for some aspects of security management, while in-house teams will focus on adding value, providing guidance and ensuring better alignment with the business user, who ultimately foots the bill."
"Based on the security acumen and ability to invest, organizations will start adopting hybrid MSS uses, with a managed services partner teaming with in-house security," suggests Seth Goldhammer, director of product management at LogRhythm. "There will be two types of MSS offerings," agrees Ron Gula, CEO of Tenable Network Security; "those that offer basic security services, such as a managed firewall, and those that offer extremely high-end capabilities such as incident response and APT detection."
"To close this gap," says Yeo, "many enterprises are augmenting their in-house IT staff by adding a third party security team to implement, automate, and manage their security, freeing up staff to focus on business critical operations, whilst remaining confident that they are protected."
There is a fifth argument for MSS. It is not so much a driver as an effect: the more it is used, (potentially) the better it gets. "The differentiation with MSSPs in 2014 will be how they have leveraged big data and analytics to synthesize intelligence from the entire community," explains Lancope CTO TK Keanini. "This crowd sourced intelligence is unique to an MSSP and the larger the community, the smarter the crowd."
Garry Sidaway, global director of security strategy at NTT Com Security, believes the power of this large scale crowd sourced security will be sufficient to pull companies through a short term reliance on hybrid solutions to a Golden Age of widespread, largescale managed security services. 2014 "will be when we truly see a shift in managed services that are able to manage the complete business from on-premise and hybrid models to internet data centers and the public cloud," he explains. "We will see the focus on advanced correlation of events across multiple business areas and domains, with the focus on detecting advanced malware. There also has to be a shift away from simple device monitoring and management, whilst this is still of huge value, it has to be combined with collaboration and advanced correlation to effectively take back control of the cyberthreats."
The bottom line, however, is simple. MSS will grow in 2014 because it provides an affordable and efficient solution to an otherwise intractable problem: the provision of security with minimal in-house resources. "Managed Security Services helps businesses increase their productivity because it allows business leaders to focus on what they do best, run their business, while the security experts focus on security," says Trustwave's Yeo.