Endpoints, Clouds, and Chaos: Managed Security and the SMB Enterprise Security Challenge

Author: Sam Rubin, Vice President, Crypsis Group

December 5, 2019

I have noticed recently that some of the old television shows are coming back into popularity. The Andy Griffith Show, The Waltons, and others of that era have been popping back up into the Netflix queue. Perhaps it’s because people want to reminisce about simpler times.

In cybersecurity, simpler times were indeed much, much simpler.

I’m sure in some ways, many security pros wish they could wind back the clock and only have to manage the vastly simpler landscape of decades ago. Everything was tucked safely behind the corporate perimeter: Corporate assets were all on premise, with few (if any) true cloud solutions. There were no remote workers with their own iPads and handheld devices to secure, monitor, and protect.

In this vastly less complex landscape, the corporate firewall and end-to-end security tools could be, for the most part, trusted to protect it all.

“Simple” hardly describes today’s organizational security challenge. Not only do organizations face constantly morphing threats, they have greater attack surface and infrastructure complexity to deal with than ever before, with fewer experts to manage it.

For the small to mid-sized business (SMB), the complexity problem is little different than we see in the large enterprise—only an iterative matter of scale. And unlike The Andy Griffith Show, there is no kindly, small-town sheriff able to swoop in and clean up the town in a single episode. Instead, some SMBs turn to managed security services as one solution to relieve the burden. Let’s assess the problem and weigh the potential benefits of managed security for the SMB.

Why the SMB Can’t Escape the Security Complexity Trap

Every organization, regardless of size, is reaching for greater efficiencies and effectiveness and keeping up with the pace of change to stay competitive.

Efficiency tools all have tradeoffs. Enabling employees to work in remote locations, stay connected while traveling, and have corporate email on their own devices helps organizations keep pace with the speed of business, but it also increases risk and the security management burden.

IT solutions have also evolved to offer greater efficiency and effectiveness, bringing with them complexity. A typical SMB may have hybrid WANs, a dizzying array of platforms, and DevOps environments and processes that may not be tightly integrated with security functions. And then, cloud abounds: cloud solutions, from Software as a Service (SaaS) to Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), have been incredible enablers for the SMB. They have helped these enterprises almost instantly spin up data processing, storage, and management capabilities.

Yet, each cloud provider has a shared responsibility model for security (read: the customer owns part of the security burden), and these are becoming increasingly complex.

Managing cloud security can require deep expertise, per cloud platform—and SMBs, like their large enterprise brethren, are increasingly likely to have a multi-cloud platform strategy. According to a recent study, 64% of SMB organizations have a multi-cloud strategy.

Geographical site distribution can lead to divergent security practices. This can be the result either of difficulty of oversight or of a location having been acquired through M&A and thus running separate (and not integrated) systems, which makes it harder to secure holistically.

In short—there is no perimeter today; or, stated another way, the perimeter today is every employee with a device. And managing security for the SMB means managing the esoteric requirements of every cloud provider and every element of this growing complexity.

The Management Challenge: Security Tools and People

This isn’t to say all is lost. Many SMBs are well-funded, have ample, dedicated security staff with a high level of expertise, and are able to manage the myriad of security challenges.

But in our experience, these companies are the exception. It requires a significant staffing commitment: selecting the right security experts with a range of expertise across tools, cloud platforms, and environmental complexity. Today’s security tools are not designed to handle this complexity end to end. Organizations will need to evaluate, weigh, select, and monitor a wide range of security tools. Simply selecting and monitoring these tools requires a high degree of expertise and time.

Therein lies another challenge: By 2022, an estimated 1.8 million cybersecurity jobs will go unfilled, according to ISC2.

The typical internal IT priority is business productivity and continuity—security is often an afterthought. IT teams are pulled in many directions and wear many hats, often co-opted for other “more critical” business initiatives.

It’s essential to ensure that full-time, dedicated staff do not let routine-but-essential security operations tasks, such as vulnerability management, fall through the cracks. Nor should high-volume tasks, such as wading through alerts, become so burdensome alongside other priorities that they are not given the attention needed to secure the organization. The SMB’s data is as monetizable as the large enterprise’s, so the SMB must be up to the challenge.

Evaluating Managed Security Services as the Solution

For organizations that don’t have either the required expertise or adequate staffing across their organizational security demands, managed security services (MSS) can be a good way to fill in the gaps.

These services allow SMBs to:

  • Gain the expertise in areas they may lack.
  • Increase manpower to address time-consuming tasks.
  • Improve the ability to leverage experts focused primarily on cybersecurity across a range of environments.

Managed security services provide detective safeguards, vulnerability management, monitoring, and analysis services. This can be a more cost-effective model that produces a better overall security posture than trying to over-extend existing IT resources or hire from a dwindling pool of candidates.

This is not unlike the model of cloud computing—enterprises determined they had limited expertise and resources to devote to hosting, customizing, maintaining, and supporting compute services and learned the benefits of offloading that burden to experts who specialize in just these areas.

The Economic Theory of Specialization, first espoused by Plato in the “Republic” (and later embraced by economists), suggests that there can be greater economies and efficiencies gained by focusing on what we do best—and in this case, it may just be the core business, and not managing burgeoning security complexity.

The key to getting the most from MSS is to first identify the threats to your business: where you have gaps in skills or coverage by qualified staff. Then, select a managed security partner that best addresses those areas. For example, if your business relies heavily on cloud infrastructure and applications, such as Amazon Web Services and Office365, find a provider that specializes in these areas.

The simple days of Aunt Bee, Andy, and the holistic firewall solution may be long gone. But despite its complexity, there are other ways to address the SMB security challenge. You may just need a helping hand along the way.
