At a recent CIO meeting, one or two representatives of fairly sizable organisations mentioned that they prefer to work with smaller ICT service providers. The logic put forward was that these smaller firms give more attention to the CIO and their organisation.
A GREAT CUSTOMER EXPERIENCE AS A KEY
In addition to this attention, it is more obvious who to contact, and there is more of a personal touch in the interaction and customer experience. This is an important position and perspective for large ICT service providers to consider and reflect on, especially the potential failings of large-scale outsource and service integration organisations. So the question really arises: is bigger really better when it comes to service provider organisations?
Turning our attention to security, the question and experience becomes more specific ... and indeed it is true that now and again one comes across an organization (often very large) which has chosen to have a service as important and significant as security provided by a small, specialist security company. Again it is often stated that the smaller company is closer to the operations and insight of the organization being secured.
The problem though is that in such smaller provider organisations the service can be highly person dependent, and there is not always the same depth of support – especially when things go wrong. It was once commented that when things are going well it is fine to have a small service provider, but during an incident or situation where rapid & diverse mobilization is required the processes and experience of a large service provider can be invaluable.
Is bigger really better?
So let’s explore this a little further to see if bigger really is better with respect to choosing a security partner!
Threat intelligence, and awareness of current trends on a massive scale, are a key point of departure in selecting a security provider who can be proactive and informed with respect to potential or evolving security attacks. Deutsche Telekom (T-Systems’ parent company), for example, as the largest operator in Europe, has visibility at any time over the network patterns, activities and pitfalls of several hundred million mobile and fixed-line connections. The scale of anomaly detection, phishing detection, fraudulent domain monitoring, credential leakage detection, potential botnet identification and attack patterns is unsurpassed. And for CISOs who want to sleep well at night, in the knowledge that their security situation is being looked out for and informed by the best visibility in the industry, having a large-scale security provider who can do this is an important confidence point. So from the perspective of threat intelligence and operational insight, bigger is definitely better.
During incident response, it is also necessary to identify, analyse and respond to an attack situation. The scale on which a security organization can launch such support is also dependent on its stature and size. For example, bilateral discussions around taking down fraudulent sites, or deploying DDoS protection at a massive scale to outrun spurious traffic, are again possible, and far better served, with large operators who can play at this scale. So from the perspective of incident response and influence or mitigation, bigger is again definitely better.
It is often said that security is dependent on the expertise and skills of experts who are able to analyse and diagnose a situation. Although small organisations often have a few key individuals with advanced and fantastic skills, this is no substitute for a network of technical and security experts who can convene at any time of night and day to address a security situation or incident – possibly even anywhere on the globe. Through 24x7 operations and permanent escalation paths (based on expert roles, not individuals), large organisations are able to retain and deploy their skilled staff at any moment ... and have the processes and reach to resolve situations in a predictable way. So for staff depth and availability, bigger is also better.
From a critical mass point of view, large organisations like T-Systems employ thousands of career security professionals. With the possibility of a career track in security, and development programmes which lead to highly specialized and well-prepared individuals, large organisations can attract and retain security knowledge on a scale which a small organization could not sustain. Being part of a large operational company (for example securing national and international critical communication infrastructures, retail outlets for the group, online services and numerous IT and OT systems), the individuals of such a diverse group also have first-hand knowledge and insight (as well as a vested interest) in being completely on top of every evolving security situation. So the broad scale, and potential large-scale operational size, which can mirror what customers also confront, is perfectly understood and similar between a large provider and an organization (in contrast to a small provider which may not have the same level of insight or shared defense reality).
Finally, large security organisations like T-Systems can be part of interesting global or pan-continental eco-systems which can be real differentiators in the innovativeness of their security solutions. For example through its involvement with startups and incubators (like hub:raum in Germany), and the group’s T-Labs, T-Systems has introduced benefits of anomaly detection or user analytics earlier than organisations which are just consumers of other security products. In some cases the venture capital funding of the group is also a way to become actively involved, and ensure that benefit of early insights can be unlocked. So the network and early insights of a large security provider, across many aspects of security, cannot be achieved in a comparable way by a small organization.
For these reasons, CIOs and CISOs who choose smaller organisations to provide their services may be missing opportunities – or in the worst case, badly exposed if or when an incident does occur – and should think carefully before selecting a smaller operator, even though at face value it may seem attractive. There are strong reasons in the security sphere for making the assertion that bigger really is better!!