By Ericka Chickowski 1

The theme of talks in keynotes, session tracks and hallway conversations at Moscone Center last week during RSA Conference was largely one of security shortfalls. The pundits dredged up the horror stories and everyone agreed the industry must do more.

RSA’s Amit Yoran summed up the tenor of the talks pretty succinctly in his keynote.

“The largest enterprises with the most sophisticated, ‘next-generation’ security tools were not able to stop miscreants from making off with millions of dollars, personal information, and sensitive secrets and damaging reputations,” said Yoran, president of RSA, the security division of EMC. “And damn it, they even messed with Seth Rogen! That’s just not cool, man!”

The IT security arms race

All joking aside, one of the big problems is that infosec departments are doing a lot to improve their protections—the issue is they’re not improving fast enough to catch up with the bad guys.

“Our security is getting better.  But the bad guys’ capabilities and the vulnerabilities they’re exploiting are growing faster than our capabilities,” says Ed Skoudis, a fellow at the SANS Institute and founder of Counter Hack. “So, relatively speaking, we’re falling behind.”

The state of IT security

This, in spite of the fact that most IT organizations are throwing tons of money at their security problem. Last year’s RSA Conference expansion of the expo floor into two different wings of the convention center offers ample evidence of that.

“I don’t know of any other industry where we sit around at the world’s largest conference and talk about how  badly things are going and then at the same time we’re seeing more M&A activity in information security than ever before,” says Wendy Nather, research director for 451 Research, explaining that on the vendor front there’ve been 60 deals since the beginning of the year, compared to just 130 in all of 2014. “Valuations are through the roof. So from a money perspective we’re doing well but from an execution perspective, a lot of it still lies in the hands of the users. We’re not giving them enough help with that. But we’re certainly really good at selling things.”

Clearly, there’s a growing cognitive dissonance caused by the delta between the increasing of money flying out the door for security and the continued failure to keep up with the attackers. It’s a disconnect that actually could mean good things for managed service providers.

A high demand for IT security services

The situation is ripe for service providers to help IT departments shrink the gap and rationalize their security spend.

“It’s definitely a call for better services,” says Skoudis, who explains that one of the industry’s big problems right now is the product-focused mentality. “It’s about getting more and better people, skilled people with hands on keyboard who can hunt for the bad guys. CISOs want to buy product rather than hiring more people or even building up their internal people.”

A lot of the problems security has today revolves around a skills shortage. According to survey results released by ISACA at the show, 30 percent of security jobs today remain unfilled and it takes employers an average of six months to fill a job in cyberscurity. And the fact is that IT departments simply don’t have the wherewithal to get into personnel bidding matches or invest heavily in training people.

The MSP opportunity

This is where MSPs could play a critical role—and reap the rewards in return for their efforts. Oil companies, healthcare companies, retail companies and so on don’t see themselves as being in the business of training a corps of security professionals—that’s not their core competency. But it certainly should be one for service providers. Those MSPs and MSSPs that invest in building up and consolidating those skilled people with their hands on the keyboard very well could be the key to solving security’s shortfalls.

Staffing for a new era

According to Dan Burns, CEO of the merged Accuvant and FishNet Security, soon to be Optiv Security, service providers have got to be much more strategic about how they build out their staff. In managed security services, there’s obviously the need to watch costs but if MSSPs are going to truly affect change that need must be balanced out with investment in talent. As Burns explains, that balance is done by seeding the entry-level and mid-level security workforce with very seasoned mentors.

“And I think people will have to start doing that as opposed to just hiring right out of school or hiring relatively young, inexperienced people in to the SOC,” he says. “Again, you need to do some of that, but you’ve got to balance that with bringing in seasoned people that can mentor and bring these people up further.”