According to the 2020 Cybersecurity Workforce Study from the nonprofit security consortium (ISC)2, the shortage of talented cybersecurity professionals, in both the private and public sectors, stands at more than 359,000 in the United States alone and more than 3 million globally. For government, it’s becoming obvious that this is a problem that cannot be solved in the short term via traditional training programs. In addition to ramped-up education and training for existing staff, new options need to be considered.
The pressures on cybersecurity staffs were already intense when the pandemic struck in early 2020 and IT and cybersecurity professionals found themselves working 24/7 to move entire workforces to work-from-home environments. The pace has not let up since. And while ransomware and supply-chain cybersecurity threats have been a growing and incredibly time-consuming problem for several years, the past 18 months have been like the 1849 gold rush for cybercriminals.
Unfortunately, I believe what’s happened over that period is a harbinger of things to come. There are simply not enough qualified eyes and fingers to keep up with the threat space, and the problem is being compounded by the graybeard exodus of retirement and the gap between new people entering the profession and expanding technology training requirements. This problem is having a greater impact on government organizations than on private industry, and particularly at the state and local level where salaries are less able to compete with opportunities in the private sector.
One of the alternative solutions being implemented by state and local governments is the growing use of managed security service providers. MSSPs are companies that specialize in providing security-as-a-service, offering everything from vulnerability scanning and firewall management to risk assessment, threat intelligence, anti-virus services and even cybersecurity training. Essentially, MSSPs can do anything an in-house security team can do, but without the burden and cost of owning security infrastructure and employing and managing more people.
“Finding security talent is a challenge for every industry, and especially for state and local governments,” said Helen Patton, advisory chief information security officer at Cisco. “One way to address this is to use an MSSP to provide threat and vulnerability testing services. An MSSP can make sure resources are properly trained and equipped, leaving the government to focus on risk management and mitigation actions.”
In addition to the everyday management of cybersecurity, MSSP services can leverage their threat intelligence and incident-response expertise to quickly evaluate data breaches and decrease detection times. While no organization can outsource its actual cybersecurity risk, shifting the workload to an MSSP lets the organization focus on understanding and responding to the MSSP’s findings. Among other advantages of MSSPs over in-house cybersecurity operations:
● Due to their vast array of customers, MSSPs must maintain up-to-date technology, including the burdensome and too-frequently-needed patching of software. Out-of-date security software is one of the leading causes of security breaches; it’s very difficult, complicated and time-consuming to manage the irregular and out-of-cycle updates from most technology vendors. This is one of the greatest advantages MSSPs provide to their customers.
● Since MSSPs service a wide variety of customers from all sectors of the economy, they see and employ a wide variety of security technologies. This requires MSSPs to be staffed with experts from every security discipline who maintain a high degree of up-to-date knowledge. Innovations in security technology mean that like most organizations, governments are always behind in their security staff training, which is another major cause of security incidents. Comprehensive security expertise is where MSSPs shine and deliver great value.
● Finally, the economics of outsourcing vs. insourcing allow state and local governments to save on the fixed costs of people and technology. People are one of the most expensive factors in any organization, and the laws of supply and demand are being borne out today as cybersecurity experts command higher and higher salaries. Cybersecurity professionals can leave government for incomes two or even three times what they can make in the public sector.
There is always budget pressure on state and local governments, and the costs of cybersecurity are growing in concert with the burgeoning threat landscape. MSSPs are an obvious and comparatively easy solution to address the challenges of meeting governments’ growing cybersecurity demands.
Governing's opinion columns reflect the views of their authors and not necessarily those of Governing's editors or management.