According to ESG research, 82% of cybersecurity professionals agree that improving threat detection and response (e.g. mean time to detect (MTTD), mean time to respond (MTTR), etc.) is a high priority at their organization. Furthermore, 77% of cybersecurity professionals surveyed say business managers are pressuring the cybersecurity team to improve threat detection and response. (Note: I am an ESG employee.)
So, what’s the problem? Threat detection and response ain’t easy. In fact, 76% of those surveyed claim that threat detection and response is either much more difficult or somewhat more difficult than it was two years ago. Why? Cybersecurity professionals point to issues such as an upsurge in the volume and sophistication of threats, an increasing cybersecurity workload, and a growing attack surface. Oh, and let’s not forget the impact of the cybersecurity skills shortage. Many firms lack the right staff and skills to make a significant dent in this area.
Rather than deploy yet another point tool or muddle through, many CISOs are turning to third-party service providers for help, making managed detection and response (MDR) one of the fastest-growing segments in the cybersecurity market. ESG research reveals that 27% of organizations are actively pursuing an MDR project, while another 11% plan to pursue an MDR project in the future.
Why organizations want managed detection and response (MDR) solutions
When asked to provide a rationale for MDR, respondents gave the following responses (note: multiple responses accepted):
- 32% say their organization needed rapid threat detection and response improvements and decided that MDR provided a faster path than a homegrown approach. I saw this pattern a few years ago in the healthcare sector after the Anthem breach. Healthcare CISOs knew they needed to move quickly and sought out help wherever they could find it.
- 29% claim that their organization is already working with one or several managed security service providers (MSSPs), so adding MDR seemed like a good business and technical decision. Given the rapid growth in MDR, many service providers (and product vendors) are jumping on the MDR bandwagon and offering a straightforward transition for existing customers. There’s a lot of “try before you buy” going on.
- 28% believe an MDR provider can do a better job of threat detection and response than their organization can. Knowing what I know about cybersecurity, this will be true at a majority of organizations.
- 27% admit that their organization tried threat detection and response technologies but found them to be beyond their abilities, so they turned to MDR as an alternative. At ESG, we’ve run into a lot of failed threat detection and response projects, so this data comes as no surprise.
Let’s face it, threat detection and response requires advanced skills that most organizations don’t have. Additionally, the technologies used for threat detection and response (e.g. endpoint detection and response (EDR), network traffic analysis (NTA), malware sandboxes, threat intelligence, security analytics, etc.) can be expensive and complicated.
Decision time for CISOs
Given this data, it’s abundantly clear to me that lots of organizations will throw in the proverbial towel and seek help from MDR players. As they do, CISOs must:
- Decide how far they want to go. MDR comes in many flavors. CISOs can get help with threat detection alone, get threat detection along with response advice, or outsource the whole enchilada. Do you really trust a third party to make remediation decisions? How will this play with IT operations teams and change management processes? CISOs will need to enlist the support of CIOs before going too far too fast.
- Consider product decisions. A lot of survey respondents say they want to choose their own threat detection and response technologies and then hire a third-party service provider to manage and support them. This strategy reflects the traditional “best-of-breed” cybersecurity mindset, but it may limit choices. After all, if I pay someone to mow my lawn, I should really care about the quality of the job rather than the type of mower they use. CISOs should cast a wide net and make their decisions based upon outcomes.
- Develop a skill set around third-party services management. This is where my 30-plus years of IT industry experience is helpful. In the 1990s, large organizations embraced outsourcing, as IT was seen as a cost center. CIOs learned the hard way, however, that without careful, day-to-day, hands-on management, IT outsourcers tended to stick to the letter of contracts and did as little extra work as possible. CISOs looking at MDR solutions must carefully review and negotiate contracts, demand skin in the game from MDR providers, and assign staff members who become accountable for the success of the partnership.