The MSSP market is crowded, and it’s not easy for a CISO to find the right provider for their organization. There are many factors to consider and making a mistake can be expensive, squander precious time, and may inadequately protect your organization.
Here are some considerations for navigating this landscape and identifying the right MSSP for your company.
Firstly, what is a CISO’s priority?
Partnering with an MSSP is one of the most impactful decisions you can make for your organization, and you need to think foundationally before you can start assessing candidate providers.
Ultimately, an organization looking for an MSSP wants to reduce its risk exposure. For companies that don’t have sufficient budget or a dedicated CISO, the responsibility to effectively reduce this exposure may fall upon the CIO or COO’s remit. Still, anyone tasked with cybersecurity, even tangentially, wants the same thing — risk reduction.
Regardless of corporate structure, the office responsible for cybersecurity must consider how a partnership with an MSSP addresses two of the major risks which can readily be mitigated: Cyber Risk and Organizational Risk.
Cyber Risk (also known as external risk) refers to traditional threats - the insider exfiltrating proprietary data, the malicious denial of service attack, or even a sophisticated exploit which yields remote access for a nefarious entity. Cyber risk or external risk is the vector best mitigated by an MSSP, and likely the reason an organization seeks engagement with a managed provider.
This kind of risk is prevalent and visible. Data breaches, ransomware attacks, and other compromises are regular occurrences now, and the mean time to compromise for an insecure service or infrastructure is falling. In just the first half of 2021, ransomware attacks have increased over 150% compared to the same time period in 2020. During the first half of 2021, data breaches have exposed 18.8B records.
Clearly, an effective cybersecurity program is necessary, and should be a core competency of any MSSP you engage. However, cyber risk should not be your only consideration.
Less visible and often absent from any selection criteria, is organizational risk, a basket of considerations which include,
- Can the company implement quality cyber-risk mitigation itself at any price? Is that price less than or equal to the fees paid for a proven MSSP to do the same?
- Does the effective implementation of risk mitigation distract company resources from more mission-critical activities?
- Once implemented, does operational overhead necessary to maintain cyber-risk mitigations attenuate the company’s overall operational capacity?
These and other organizational risk considerations must be evaluated by any leader looking to purchase MSSP services.
In other words, carefully considering organizational risk will help you understand whether you need an MSSP, or whether your 500-employee company can build up a team, buy a set of separate cybersecurity solutions, manage dozens of vendors, set up the right configurations, and manage expectations accordingly with the board and executive team.
With this line of thinking, you may come to the conclusion that the organizational risk of in-house implementation is too high and an MSSP may lower the risk of your cybersecurity initiative failing to launch.
Worse still, you may embark on a journey of vendor selection, purchasing, and integration, but you may find that your budgetary support has evaporated in the meantime, or that you didn’t have the support you anticipated. Sustained budgetary support is a rare and difficult thing to secure. Budgets are constantly fluctuating, especially during project implementation and organizational growth, and this instability often begets half-baked and less-effective security programs. Every security practitioner has lived through at least one such program, or perhaps cleaned one up after a catastrophic event.
An MSSP can mitigate this and other organizational risks by providing a single commitment of easily calculable and elastic cost, delivered by an operationally mature organization you don’t have to directly and carefully manage.
The security program which never reaches effectiveness through complete implementation may include all the technological advancement available yet remain largely ineffective. Organizational risk is real, and an MSSP can help you mitigate its magnitude.
When looking to partner with an MSSP, it’s important to think about the external and organizational risks they address. Here are a few important questions that will help you identify whether an MSSP is right for you.
- Does it fit your company?
It’s important to know that the MSSPs you’re considering are tailored to your industry, your type of company, and your needs. Make sure you’re looking beyond the marketing - many overstate their ability to service your type of organization. If you’re a mid-market enterprise, you don’t want an MSSP that’s best suited for a 10-person design agency or one that serves the average Fortune 100 corporation.
- Does it work with the type of security department you have or need?
The majority of threats and attacks facing all organizations are essentially similar. Statistically common modes of compromise — fraudulent invoices, phishing emails, or network infiltration — don’t change much by organization.
As such, you should be assessing an MSSP on their ability to help your specific organization reduce the risk of these attacks, detect them, respond, and recover appropriately. This means addressing or augmenting your security department’s capabilities, working with your existing technology and environment, while working with your company as you grow.
- Does it address your company’s specific risk?
Consider whether an MSSP’s solutions, vendors, and technology are addressing your specific risk — this is a more technical and tactical consideration than the organizational and cyber risk we discussed earlier.
You don’t want bars on the 30th floor windows when your ground floor doors are completely unlocked. Many MSSP services are marketing the latest buzzwords and sophisticated technology which may not correspond to the risks you face, especially if you don’t have foundational cybersecurity coverage that would prevent an account compromise or business email compromise (BEC) via phishing or a brute force attack.
Cyber-attack is asymmetric and irregular, ensuring limitless opportunities to further reduce risk, even after your foundational coverage is in place. Don’t be discouraged or bankrupted by this reality. Make sure you know what risks, threats, and vulnerabilities need to be addressed and that the MSSP isn’t providing excessive or unnecessary solutions to a threat you’re likely never going to face.
- How modern is the MSSP?
One of the key differentiators between mature MSSPs and traditional MSSPs is their preparedness for modern defense.
For example, some MSSPs (and security departments) still adopt a city-wall mentality. They take rigid inventories of devices in an environment, collect logs of dubious value, and focus on centralized infrastructure concerns such as firewalls, network segmentation, and virtual hosts. This can lead to a few complications:
- There’s an activation threshold - meaning you’re not protected until a certain amount of your endpoint fleet or network is covered. That activation threshold also involves configuring and fully analyzing the logs from fairly critical sources, like production firewalls.
- Your protection costs more, since you are gathering logs which are unlikely to be high fidelity indicators of compromise. This is no problem for a large organization with an obligation to retain all logs, even those of dubious import, but it’s a big task for the average enterprise that just wants better cyber defense.
- It’s not modern! Few companies are still focused on building large, centralized, on-premise infrastructure, and the infrastructure they have which fits that description is of dwindling practical importance in the distributed, service-oriented modern world.
You simply don’t want to partner with an MSSP stuck in 2005. They might be competent, but their efforts won’t reduce your risk profile, and may end up spending your resources with little gain.
A more progressive and modern approach focuses on the endpoint, that last bastion of enterprise control, and accommodates threat analysis without requiring extensive and impractical knowledge of traffic routing or office locations. Your employees can work from anywhere and your servers and services can be managed by anyone in any cloud - the modern MSSP focuses on high value telemetry and quality analysis, not city walls and strict plans.
- Will it scale with your organization?
Your MSSP should be able to scale as your organization grows in a variety of ways. This includes:
- Increasing cybersecurity coverage
As you add more devices and endpoints, your MSSP should be able to provide incremental coverage and value without risking your overall security posture. The same should be true as you add more products, vendors, and employees, as your attack surface increases and your capabilities to detect and respond to threats shift. Again, this requires a different framework than one solely focused on prevention.
- Minimize budgetary risk
How your MSSP bills, and their pricing structure, can expose you to organizational risk. If you need to re-negotiate or once again turn to your executive or board of directors for another budget approval simply because you added a few endpoints or added several employees, it creates a risk that the budget may not be approved, leaving you exposed.
A mature MSSP should provide simple pricing and a clear billing structure.
- Provide predictability in funding and capacity
The ability to package budgetary risk into a clear and predictable cost to the company will help measure the effectiveness of the MSSP and is a crucial benefit a CISO should look for.
An MSSP that’s priced once with linear growth as your company scales makes forecasting costs and effectiveness much easier. Again, when considering organizational and project risk, streamlining this decision-making is an oft-forgotten benefit. Security happens only when it gets resourced.
Choosing an MSSP requires conceptualization
Finding the right MSSP isn’t like finding a security solution. By design, an MSSP will be working very closely with your organization and your environment. By taking the above questions and considering how the MSSP will impact your external, cyber, and organizational risk, you’re conceptualizing how the MSSP will exist in your environment.
These considerations will help you understand an MSSP’s implementation beyond the technical aspects, which is why we covered budgetary and project-based risks. If you can’t see them fitting in your organization, that’s very telling that it may not be the right one for you.
An MSSP is a partner
As you assess various MSSPs, look for complements rather than compromises. A great MSSP may have long implementation timelines or a threshold to hit before realizing value. They may be best for a company with a traditional office footprint, or they may assume you have a cybersecurity solution you don’t, adding more complications. This doesn’t mean they’re bad — they’re just not the right fit.
Instead, look for simplicity in their pricing and implementation, flexibility, communication and accessibility. An MSSP is a partner, so they need to be compatible. This isn’t a quick or an easy decision. It takes time and a lot of due diligence but making the right decision will pay off for years to come.