Why we need MSSP? Managed Security Service Provider & the quest for cybersecurity experts

Marek Trebicki, Cyber Security Services Risk & Control Associate Director, Standard Chartered Bank

A business basis

Be it an enterprise or a small business, these are the two professionals you absolutely need to have – an accountant and a lawyer. One could think they don’t need to be involved if the business isn’t mature enough. In fact, there are people who manage to grow their business effectively without appropriate consultation and support from these professionals, not knowing what approach would have worked best for their situation. Would that be a blessing, luck or simply underestimating the opponent? We won't understand how badly things could be messed up in those areas until someone, with premeditation or not, discovers and exploits the flaws. This may result in extra expense, from either having to re-register or continuing to maintain a business with badly managed financial or legal matters. Or it may be too expensive to straighten out at all.

'Information Security' being companies’ top priority in post-pandemic era

How about your company’s exposure to global cybersecurity threats, particularly in the post-pandemic era? Is the information your business collects, stores, and processes safe? As with accounting and legal traps, no matter the size of your business, cyber criminals are waiting for your attention to lapse. Tons of home-grown hackers, but also experienced professional teams with prepared tactics and techniques, are looking for opportunities to exploit your data for their financial gain. How would you evaluate the value of your business information, including sensitive data, i.e. personally identifiable information (PII), personally identifiable financial information (PIFI) or protected health information (PHI)?

According to cybersecurity research by IBM, it takes 280 days to find and contain an average cyberattack, and the cost of such an average attack stands at $3.86 million*. And still, most of these attacks will be undetectable without human involvement. Cyber defence strategies applied by organizations differ, from those who end their engagement with a newly purchased firewall to those who ensure continuous improvement. Others take unambiguous steps: the FSO, the Russian agency responsible for Kremlin security, decided to avoid cyber-related risks and is buying typewriters**. Our risk assessment may, however, provide other possible recommendations, especially if the organisation must remain interconnected. How about the security services?

Managed Security Services & Security Operations Centre

When referring to Managed Security Services (MSS), most people imagine them as a sort of round-the-clock Security Operations Centre (SOC). Cybersecurity-related services, however, go way beyond that and are constantly becoming more complex. Core services around Security Incident and Event Monitoring (SIEM) and threat and incident response are just one of many areas where MSSPs are welcomed for their competencies and capabilities. Several MSSPs with different service portfolios constantly race to invent, update, and smoothly run the perfect stack. Their standard, comprehensive, out-of-the-box services may potentially address the major cybersecurity risks for small firms, making MSS the perfect choice.

However, what may be perfect for small businesses usually doesn’t match the needs of bigger companies. Due to several different factors, not always strictly financial ones, the SOC together with basic security services is still mostly provided in-house. Companies decide to ramp up their own teams so that they can reach deep into the organisation without any unnecessary compromises, i.e. providing external parties with access to sensitive information or having to modify processes to let external experts in. Such an approach would be justified, and especially crucial, if MSS interactions clash with core business activities or become too noticeable. In addition, internal security services may also be tied to different functions or processes across the organisation. But even then, specific MSSs are still being delivered to address niche areas that are not yet covered internally or that there is no will to maintain internally. At the end of the day we are still left with residual risks to be mitigated, potentially with tailored, sophisticated services delivered by specialised MSSPs.

Establishing a successful service

Regardless of whether the operational model is delivered internally or by an MSSP, the security team should be the first to know the infrastructure perimeters, the onboarded cloud services, and all integrations and interconnections with third parties, so that it can secure them from day 1. It should also be clearly stated which information, systems and processes are most critical, to allow the service to be aligned with business needs. Such a configuration puts the SOC in a great place to become an orchestration platform for other internal and external services. For instance, the Software Development Life Cycle (SDLC), with application code reviews, application assessments or even security-related training for developers, could be one of many cherries on the cake. Another great example is DDoS protection, which is required constantly but used only occasionally, against actors who are about to paralyze our connectivity or services.

'Everything is perfect, but there is a lot of room for improvement.'

When considering engagement with an MSSP and its perfectly crafted services, we can expect protection within strictly agreed boundaries and processes; no more, no less.

What if we would like to combine it with competing providers' services? Could we expect to have it managed in a similar way as by an internal/central team? There could be a bit more space for service flexibility and customization. How about disrupting the status quo, moving away from the typical closed-silo model to one that is more open to collaboration? Improved interactions across MSSPs could bring a breath of fresh air. The transparency that is celebrated in open source would uncover weaknesses and increase healthy competition. Service flexibility and orchestration opportunities could surely bring more business trust in, and appetite for, MSS.

The summary

It is often a question whether an MSSP is the best solution for the organisation at the time, or whether a security department is already justified. On the other hand, a hybrid configuration may be worth considering to ensure security and flexibility at the same time. The decision-making mechanism is not much different from any other form of outsourcing, where at the end of the day time and money (usually) matter most.

Nonetheless, let's keep recognizing cybersecurity threats, risks and strategy not only as something attached to IT or security team initiatives, but make them applicable to the whole organization, from intern duties to boardroom processes.
