The case for Managed Security Service Providers (MSSP)

Praveen Singh, Head of IT Risk and Cyber Security, ICBC Standard Bank


The current headlines about cyber-attacks as part of the hybrid warfare between Russia and Ukraine, and the recent major “virtual world” attacks with “real world” impact, such as the Colonial Pipeline ransomware attack, have raised the importance of Cyber Security in our day-to-day lives, in addition to it being a critical area of focus for most enterprises.

How much should an Enterprise spend on Cyber Security

While various surveys provide differing views on how much an organisation should spend versus how much it actually spends on Cyber Security services, there is no right answer and it varies from organisation to organisation.

My own experience of Enterprises’ allocation of Cyber Security budget as a percentage of IT budgets aligns to a survey by a global Market Intelligence firm, IDC, which spells out the following results:

| Enterprise attitude to Security | What this means in practice | Percent allocated to Security from Total IT (Run and Change) budget |
| --- | --- | --- |
| Defeatist | Cyber Security is weak and underfunded | 6 |
| Denialist | Cyber Security is weak but Senior Leadership don’t understand or acknowledge this fact | 8 |
| Egotist | Cyber security is perceived as good but they risk overconfidence | 12 |
| Realists | Cyber Security is perceived as satisfactory but the Senior Leadership understands its importance and are looking to improve | 14 |

A more recent 2020 survey from a leading European Cyber Security firm estimated that Cyber Security spend, as a percentage of total IT budget, for Small and Medium Business increased from 23 percent (in 2019) to 26 percent (in 2020); and in the case of Enterprises from 26 percent (2019) to 29 percent (2020). 47.3% of the projected increase in allocated funds was to add more staff and re-train existing staff.

While Enterprises are forced to invest in improving their Cyber Security posture, the reality is most don’t have adequate investment, capacity or capability to defend themselves against external sophisticated targeted attacks by nation states, intelligence agencies, or from malicious insiders. Protection against such attacks requires significant investment to build in-house capabilities, which is not always feasible. Also, many organisations have a false sense of security, and will not invest in security until they actually suffer a major cyber incident, which in some cases may be too late.

The case for MSSPs

Leveraging Managed Security Service Providers, or MSSPs, provides a great way of getting access to enhanced cyber security protection capability and capacity at an affordable price point.

One small-size Investment Bank that I worked with during my Management Consulting days had just five Cyber Security focused internal staff (approx. 1/5th compared to its peers) which provided end to end security across the Bank while leveraging services from multiple MSSPs. While this level of staffing was clearly inadequate for an organisation of its size and complexity, the Bank succeeded in managing its “head count” challenge whilst having an “effective” security through smarter leverage of MSSPs and cloud services to maximise the security for an investment of approx. 15 percent of the total IT spend.

This organisation spent close to 30 percent of its total IT Security budget on services from MSSP and less than 20 percent on staff costs.

See below for a representative view of the IT security spend and split based on my own benchmark from previous experiences.

How MSSPs can add value

MSSPs are known to provide a mix of security monitoring services; advisory and consulting services; assurance services such as audits and compliance assessment; and product resale.

Following are examples of common services available through MSSPs:

• Security Information and Event Management (SIEM) alert monitoring and response

• Firewall rules management and monitoring

• Intrusion Prevention Detection and Response

• Red Team and Penetration testing

• Vulnerability Management

• Incident Response Retainer

• Actionable Threat Intelligence and brand monitoring

The following table provides my views on the advantages of using MSSPs along with the Critical Success Factors to make this work effectively.

| Advantages of using MSSPs | Critical Success Factors |
| --- | --- |
| 1. Easy access to advanced technical capability at a low price point. | 1. Strong oversight and governance of the MSSP services with adequate support from MSSP. Accountability cannot be outsourced. |
| 2. Fresher perspective to security which may not be available within the organisation. | 2. Design of the services considers BAU monitoring as well as incident scenarios. |
| 3. Flexible support with the capability to ramp up during incidents. | 3. Pre-defined agreement on the response runbooks for speed of protection in case of an incident. |
| 4. 24*7*365 monitoring. | 4. MSSP’s ability to innovate at pace as required for the Cyber Security industry. |
| | 5. Agreed and tested approach to an exit in case of a MSSP breach or critical service failure. |

Choosing the right MSSP

Organisational needs are typically different and so are the criteria for selection. A MSSP may rarely offer complete customisation of the services on offer as they are shared among multiple customers. Evaluating a Managed Security Service Provider can be difficult because not every service offered by an MSSP provides value to a company. Selecting the right MSSP for an environment requires identifying key areas for evaluation to determine which is most important for an Enterprise.

Cost should not be the only factor when considering security services. Depending on the nature of an Enterprise, certain MSSPs also offer services to assist Enterprises in regulated industries.

Top considerations while choosing a MSSP should be:

• Round the clock services

• Real Time Response and proactive services; check SLAs that the MSSP is ready to commit

• High Availability

• Integration with other security and Infrastructure tools and processes within your organisation

• Budget

Recent trends

The services provided by MSSPs are reaching a saturation point with multiple previously low-cost offshore service providers entering this field and pushing the profitability margins for traditional players.

To use advanced threat detection capabilities, a growing number of organisations are now choosing to work with Managed Detection and Response (MDR) providers instead of MSSPs.

Unlike MSSPs, MDR services are specialists, commonly turnkey, with threat intelligence and detection technologies as part of one comprehensive service offering.

Whether MDR goes from being the latest “buzz word” to being a complete replacement of MSSPs is yet to be seen. We can already see a number of MSSPs re-packing and re-introducing their services as MDR.

Conclusion

Firms will need to spend more on Cyber Security as the level of threat is increasing. For smaller organisations, using an MSSP can be a more cost-effective approach to increasing their cyber security posture. Firms, however, need to select their MSSPs wisely.

Finally, firms have to be realistic that they will continue to remain vulnerable to sophisticated threat actors such as nation states.
