More companies worldwide are looking to outsource their IT security to third parties, although there is resistance to that option from many companies on security grounds.
The 2017 Risk:Value report from NTT Security, released this week, finds that 44% of a sample of large organisations in nine OECD countries (plus Hong Kong and Singapore) are using or planning to use a Managed Security Services Provider (MSSP).
6% are currently using an MSSP and 38% plan to, the data show, while 28% say they might consider it in the future, and 8% say they will never use a third party security provider.
The report’s authors surveyed 1,350 non-IT business decision makers in the US, UK, Germany, Austria, Switzerland, France, Sweden, Norway, Hong Kong, Australia and Singapore. All organisations surveyed had more than 500 employees and were selected across core industry sectors including retail.
The report shows attitudes are changing towards MSSPs as cyber threats continue to evolve, stricter compliance measures come into force, and demands on in-house resources are stretched to their limit.
Switzerland and Hong Kong (on 12% each) had the highest proportion of respondents using a third party provider. Sweden, Germany, Austria and Singapore (all 3%) had the lowest. 6% of organisations in the UK are using a third party provider, while 23% plan to use one. Another 29% say they might consider it in the future, while 11% say they plan to keep their security processes in-house.
Of those UK organisations using or planning to use an MSSP, nearly a third (31%) say it is because of a lack of internal skills and 27% want access to better technology. More than a quarter (28%) of respondents say it is more cost-effective to outsource, although the main reasons for using a third party are for support with data storage (40%) and data management (35%), as well as assisting with cloud migration projects (15%).
Kai Grunwitz, Senior Vice President EMEA, NTT Security, comments: “Working with a third party security provider not only delivers round-the-clock access to specialist skills and knowledge, but also brings with it the very latest advanced threat detection and analytics technology and capabilities that would be impossible to have in-house without huge capital investment by the business.”
Of those not using a third party provider, around four in ten (43%) say they do not want to share information with a third party, while a third (34%) have security concerns. More than a quarter (26%) say they are too expensive.
Citing the forthcoming General Data Protection Regulation (GDPR) as a possible driver for companies working with third parties, Mr Grunwitz adds: “The deadline of May 2018 is not that far away, yet there are a lot of organisations that have still not grasped how important this is, or who think it doesn’t apply to them – perhaps because they’re not based in Europe or Brexit is coming. These are not valid reasons to push it under the carpet.”