To MSSP or Not?
By Rizwan Jan, Vice President, Chief Information Officer, The Henry M. Jackson Foundation for the Advancement of Military Medicine
There are two types of companies: Those who have been breached and those that will be breached. Given that reality, your organization needs to partner with a reputable Managed Security Services Provider or MSSP. Leveraging a MSSP can help you rapidly mature your security capabilities in the face of increasingly sophisticated threat actors and limited resources. MSSPs are especially useful because they enable you to outsource one or all of your cyber security components (e.g. network security, access control, risk assessments, vulnerability/pen testing, incident response retainer, compliance, etc.) in an era where recruiting security professionals itself presents a challenge and where cybersecurity solutions must be customized to address the needs of your organization.
An experienced MSSP can identify, mitigate, remediate, and eradicate any threat actor in your environment and advise you on how best to avoid reputational and financial harm. Additional benefits include cost savings (the average salary of a security professional can well exceed 100,000 dollars in today’s market), the ability to efficiently and quickly augment in-house security staff with external skilled professionals, access to the latest technology hardware and security solutions, broader knowledge of security risks, and proactive round-the-clock alert monitoring.
Equally important, utilizing an effective MSSP can raise executive level awareness on the importance of security and prioritizing it as a core business function. I recently had my organization’s MSSP do a table-top exercise with our C-suite where we simulated cyber-attack scenarios. The exercise was an eye-opening experience for many of the executives who previously considered security an afterthought. However, when shown the ramifications even one attack could have on our operations, my colleagues quickly realized that all of our other business priorities depend first and foremost on security. An insecure environment risks all other business priorities, including brand protection and client retention.
However, utilizing an MSSP is not without risk. The most obvious risk of using MSSPs is that reliance on an external party necessarily increases your exposure to external threats as your data is not contained in-house. Additional risks include possible cross-contamination of data, the disconnect from in-house monitoring, and the fact that your organization’s exposure to a third party makes it a more desirable target for threat actors.
However, these risks are mitigated if you vet your MSSP properly. Some considerations you should undertake when selecting a MSSP are the following: the MSSP’s industry reputation (e.g. look to your Information Sharing Analysis Center for referrals), scalability, geographic proximity to your organization, and response time (e.g. boots on the ground).
Despite the highlighted risks, I remain a firm believer in the use of MSSPs particularly in instances where internal resources are insufficient. In a landscape of ever-evolving and increasingly sophisticated threat actors, it is vital to elevate your response to include more than what your in-house professionals are doing. I liken the use of an MSSP to the advice my stock-broker routinely gives me: Diversify. The more diversity in your security tools, the better your odds of defending against your adversary. After all, a threat actor only has to be right once to do your organization serious damage; Your team of security professionals, on the other hand, must be right 100 percent of the time. All the time.