The size of the opportunity for managed security service providers (MSSPs) has always been constrained by one dominant factor. Far too many IT organizations believe they can adequately defend their organizations despite all evidence to the contrary.
But, a new report from the Information Systems Audit and Control Association (ISACA), which counts more than 140,000 security and IT professionals among its members, suggests large amounts of “security fatigue” are starting to take a toll on internal IT organizations. The authors of the report suggest the root cause of that fatigue is that most organizations can’t find enough qualified IT security professionals to hire. In fact, ISACA finds that a little over a quarter of the respondents can’t fill an open security position at all. About another quarter report it takes them six months, and 55 percent say it takes three months to fill an open security position.
Obviously, many MSSPs are competing with internal IT organizations for the same IT security talent. The difference is most MSSPs pay better because they're building a business around those skills. They also generally provide IT security professionals with access to more advanced tools.
Multiple security challenges
The security issues that IT organizations are wrestling with aren't limited to an increase in the volume and sophistication of the attacks they're being asked to defend against. More organizations are trying to implement digital business models that require much more focus on IT security to protect core business assets. In effect, demand for IT security expertise continues to expand while the supply remains constricted.
Naturally, that supply versus demand equation is inflating IT security professional salaries. A Tech Salary Guide published by Mondo, a provider to IT talent acquisition services, reports that an application security engineer, for example, can make on average anywhere from $125,000 to $210,000 a year. Add in all the other IT security expertise required, and making payroll can quickly become a significant challenge for an MSSP. The good news is the amount of latent demand for their services continues to increase.
Creating opportunities for MSSPs
The challenge most MSSPs have today is getting the opportunity to have a conversation about what services they can provide. While IT security fatigue is on the rise, many IT professionals still view any form of outsourcing as a threat to their existence, so there’s a natural tendency to tell senior executives the IT security situation is under control. Many of those senior executives are equally guilty of being told what they want to hear in terms of trying to keep overall costs down. It’s not until there’s a major security incident that many of them find themselves trying to answer pointed questions from the board of directors as to why IT security was in such a woeful state.
MSSPs clearly have an opportunity to bring some maturity to what is a dysfunctional state of IT security inside many organizations. But as is often the case with most disorders, the patient needs to first be made aware of their behavior and then want to change it. Otherwise, MSSPs simply wind up with another customer that’s simply more trouble than they’re worth. Unlike most doctors, however, savvy MSSPs retain the option of raising their prices to the point where their most troubled patients eventually become somebody else’s problem.