Throughout many conversations with companies regarding their endpoint management, many, if not all, have expressed interest in outsourcing. There are a variety of reasons for this consideration; however, there are four that seem to be the top concerns.
The concept of paying for a service monthly instead of having to purchase hardware, software, and implementation services and how it relates to both the profit and loss statement (P&L) and balance sheet generally takes the first position.
Look at any industry publication regarding IT security talent and the common theme is the shortage of talent, not to mention the high cost of having that talent on your payroll.
When looking at the costs of implementing a security solution, the hardware, software, implementation, support, and manpower can drive the cost up very quickly.
Lastly, you must consider the monitoring of your environment. Most organizations do not have 24x7x365 monitoring in-house. The ability to react to a security alert at any hour, on any day (yes, holidays and weekends, too) is required these days.
Moving From CapEx to OpEx Models
The idea of moving from a capital expenditure (CapEx) model to an operating expenses (OpEx) model is not new. “X”-as-a-Service has been around for years. No longer is there a need for datacenters on-site, massive computing power sitting idle that costs hundreds of thousands of dollars in installation costs alone. Now, it’s just a simple keystroke to power up and have access to the computing power needed, and you’ll pay for what’s used, when it’s used.
The same pay-as-you-go model is also used with IT security. Most managed security service providers (MSSPs) bill monthly, all while maintaining the security of your environment, thus reserving your capital for investments to work on your business, rather than on security.
New data released this week from CyberSeek, a free cybersecurity career and workforce resource from CompTIA and Burning Glass Technologies, confirmed that the demand for cybersecurity workers across the United States continues to grow. According to their statistics, there were 301,873 cybersecurity job openings in the private and public sectors during the 12-month period between April 2017 and March 2018.
Take a moment to consider what the potential added cost would be to “steal” someone away from their current role to fill one of those openings. The cycle would then continue at some N + 1 pace for salary, bonus, stock grants. MSSPs have a talent pool within their organizations to manage their customers. Of course, they have headcount losses and gains, but it is the MSSP’s responsibility to find, hire, and compensate those employees.
Organizations would have to determine the cost of the software, hardware, implementation services, renewal of products/ services over the lifetime of the solution, and the cost of the personnel required to manage those assets.
For example, if you have an environment with 1,000 endpoints with a cost of $35.00 each, potentially a server or two to manage them and the data they collect at $5,000 each, implementation services at $250/hr for a week, one skilled person per 250 endpoints at a conservative $100,000/yr - the initial investment (not including renewals) is almost $500K, paid all upfront!
And that’s just for your endpoint support. Don’t forget about your firewalls, gateways, filters, and virtual private network (VPN).
Value Added Service Providers
MSSPs are value added service providers - they are responsible for the costs of the hardware, software, implementation, and support. They may also provide more than just endpoint management, but we’ll speak more about that later.
Those people you’ve taken from their previous roles to fill your security roles – are they going to monitor all the collective alerts for your organization, all day, every day? Better yet, does the organization have a Security Operations Center (SOC)? Who is going to respond on Mother’s Day Sunday during brunch? (WannaCry ransomware struck over Mother’s Day Weekend in 2017, affecting more than 200,000 computers across 150 countries.)
That’s where MSSPs can have your back – most have SOCs and provide round-the-clock real-time monitoring of their customers’ environments. Organizations looking to outsource their security can investigate and choose which MSSP would be best for their needs.
An MSSP is a service provider that delivers cybersecurity and management. Their offerings may include virus and spam blocking, intrusion detection, firewalls, and VPN. They spread the costs of doing their business across the breadth of their customer base. Most have built a model that understands the value of their investments and how long those investments have of useful life. The math is calculated down to a monthly fee per endpoint managed. Most are in the single digit range per endpoint, covering all the concerns listed above like firewalls, endpoints, gateways, etc. - and they do it all 24x7x365.
Following the timeless adage of “work on your business not in your business” is how businesses are successful. If allowed the opportunity, MSSPs can replace most of your cybersecurity CapEx spending with an OpEx model. They have talented, certified employees dedicated to the cybersecurity environments charged to them to manage. They are the companies making the high cost CapEx investments to create their unique service offerings. MSSPs take on the responsibility of round-the-clock, real-time monitoring. And they spread the costs of their investments across their entire customer base, allowing those customers to pay for just a portion of the entire investment.
Perhaps now is time to take a look at value of moving to a MSSP?