Why an MSSP?

DAVID HOOD, CEO, ANSECURITY

Demand for managed security service providers (MSSPs) is at an all-time high in response to a rise in cyberattacks and the arrival of security-adjacent issues such as GDPR. The need is fuelled by an underlying skills shortage of InfoSec professionals and a growing board-level recognition of the crippling impact of a cyberattack or accidental data leak. For many, shoring up defences and building a security-conscious corporate culture may mean turning to an MSSP for help.

However, selecting an MSSP is not a case of comparing apples with apples. The ongoing cloudification of security service delivery means that new MSSPs are springing up that are, in effect, resellers of somebody else’s security service. In some cases, these services are not actually that bad and can provide a decent level of automated vulnerability assessment, proactive threat monitoring and patching – providing that the IT environment is relatively off the shelf.

Unfortunately, a lot of these instant MSSPs have little security expertise and many are inadequately staffed to manage more complex environments. Worse, few can jump into the breach, literally, when things go wrong.

What often works best is a mix-and-match approach where an MSSP aids an IT department by fulfilling the mundane InfoSec tasks or by providing specialist skill sets that are too expensive to keep in-house permanently. For example, running quarterly threat assessments or incident response provides a high-value activity across a short duration, and contracting these tasks out makes a lot of financial sense.

An MSSP can also act as an independent arbiter, especially for organisations where IT departments ‘don’t know what they don’t know’ when it comes to cybersecurity. A good MSSP will follow industry best practice, which can act as a kind of knowledge transfer to help clients to adopt and maintain secure processes. This is a significant benefit, especially for smaller organisations that have failed to provide structured and ongoing IT security training. On this last point, it is worth considering that when working with an MSSP, it is always wise not to completely abdicate all InfoSec skills and responsibility. Being able to ask the right questions of an MSSP and gauge the responses will help to create a more beneficial long-term relationship based on mutual trust.
www.intelligentciso.com | Issue 06 | FEATURE
Looking at the current growth of the MSSP market and the skills shortage, it seems likely that almost all mid-market firms will engage with one at some point. The best final advice I can offer is that, like any contractual business agreement, customers must do due diligence on the provider and scrutinise the contract to understand the level of assistance the MSSP will provide if there is a breach. This is crucial as, no matter how much security you have in place, there is always a risk of an incident, and this is something you must factor in when working out the overall value.
Best practice for CISOs assessing which provider to use

STEPHAN BERNER, CEO, HELP AG MIDDLE EAST

There are several criteria CISOs will need to use when evaluating MSSPs and, among these, key aspects include: