Use a Multifaceted Approach to Modernize Security
Our current state of never-ending disruption has created great opportunities for the MSSP market to bring new technology and better solutions to clients than those same clients could implement internally. Be it cloud, containers, DevOps, or overall digital transformation, MSSPs offer the ability for enterprises to get ahead by utilizing external resources.
There is always a cloud for that silver lining, though, and even the most advanced MSSP has to face the reality that security is behind on all of these fronts. It was already a bottleneck in most organizations’ forward motion, but the rate of change simply buried already over-burdened security teams.
This isn’t anyone’s fault, really. Security was becoming more important at the same time that agile and DevOps increased the rate of change and brought all sorts of new technologies under the auspices of security, while the number of people who were both interested in and capable of security work was already barely meeting needs in most organizations. Security touches everything, so in turn it is affected by every technology advancement, and here we are.
A Resolvable Problem
This ugly scenario is made worse for MSSPs because there are two different types of security to be implemented in a service organization: for the company, and for the clients. This is a resolvable problem; it just needs to be approached as a real problem that can be met with real solutions.
- Automate: Because of the current state of the market, and the large gap between perfected security and existing security, the very first thing to mention is automation. Though security lags behind the rest of the industry, some great automation tools are coming along to help cover the increasingly complex environments that MSSPs are working in. As one example, check out VMware Secure State, which can help lock down both security and compliance for the cloudy parts of your service infrastructure. (Disclosure: Before VMware acquired this product, the author did some work for them.)
- Train: Equally important, but more long term in delivery, is to train internal security staff. There are people in your organization who enjoy doing the security bits of the job, and could be trained to do just the security bits. They’re existing employees, so the complex infrastructure and critical issues are already known to them. That makes training in the correct security toolsets easier than bringing in outsiders. And it is arguably more efficient to replace a younger developer or operations person than to hire a highly experienced security person and teach them all the ins and outs of the environment. Simply put, there are two pieces to experience – environment and market. The suggestion here is simply to consider training those with environment experience in security, as well as hiring those with security experience and training them in the environment.
- Hire: And don’t stop hiring. New blood brings new experiences and ideas to the table. The market is in constant motion, so bringing in someone with a ton of security experience in something like containers might make sense if your organization is short in that area. Of course, not every new idea is a good idea, but knowing what’s out there and looking at ways to use it to increase the effectiveness of your security is …