Managed Security Service Providers offer a valuable service, but they are no Replacement for a Chief Information Security Officer (CISO)
Managed security services have been around for decades. In the 90s, this was most closely aligned with network infrastructure companies (think internet service providers or firewall manufacturers) who would offer services to manage the devices for companies. This had benefits for companies - if a company didn't have a network engineer for their small company, they could purchase the equipment AND the service from the vendor. Managed Service Providers (MSPs) emerged to provide more comprehensive outsourced technology management for small and medium-sized businesses. Now, with the increasing sophistication required to manage the security component of technology management, Managed Security Service Providers (MSSP) cover security-specific services such as protecting the perimeter security of your network, endpoints, key parts of application security, training and awareness, public cloud security, etc. With many MSPs offering virtual Chief Information Officer (CIO) services and MSSPs offering virtual Chief Information Security Officer (CISO) services, one might wonder if companies should rely on their MSSP for their security leadership.
There are real benefits to MSSPs, especially for small and medium-sized companies. There are also some natural limitations that company leaders, including Chief Information Officers, Chief Technology Officers, Chief Financial Officers, etc., should consider when it comes to key areas such as security technology neutrality and strategy development. To use a school analogy, behind the textbooks our kids bring home, there is a team that selects which textbooks to use.
There are some benefits to using MSSPs, especially for smaller companies:
- Filling a need until you can build internal expertise - using an MSSP to manage your endpoint protection or to be your first-level incident response can be a big boost while a company builds its own talent. That managed service can even accelerate the learning for an internal team.
- Some services can augment a team that is simply not large enough - Even small companies have the internal expectation of 24*7 monitoring for potential security incidents. It's not hard to do the math that a company would need to do quite a bit of hiring to build an incident response team that would be available 24/7/365.
- An MSSP can add valuable threat intelligence - For companies with low-security maturity and capabilities, it can be challenging to keep up with all the new vulnerabilities and threats across their products. An MSSP can learn across their customers about new threats and respond accordingly.
Like the textbook and school analogy, there are things that you can't get from an MSSP, even if they are offering it on paper. This is why many companies have a full-time or fractional Chief Information Security Officer who isn’t tied to a specific MSSP. Here are four reasons why a CISO complements an MSSP:
- Accountability – Company leadership remains accountable for the outcomes of the MSSP, whether good or bad. Your board, regulators, auditors, and customers will look to the company's leadership team even if the MSSP made a mistake or failed to act.
- Creating and implementing the security strategy - While the MSSP may be experts in their set of tools and services, they won’t take a holistic view of answering this question - what should my company be doing to reasonably address our information security risk given our business goals and risk tolerance? This requires close relationships with internal security vendors to ensure the security team is delivering the security aspects of the company's most important goals and that the rest of the company is doing its part to deliver strong security basics.
- Communicating the security risks and progress of the company - Related to the previous item, a CISO is also the best resource to communicate security risks and progress to multiple audiences at all levels of the organization, including the Board. While an MSSP can only speak about its scope of services, a CISO has broad accountability, visibility, and relationships to discuss the full program.
- Tool Neutrality - Naturally, a company’s security needs may change for many reasons, and to better protect the company from a breach, an MSSP’s goal is to increase its business, not necessarily to help meet its interests.
In summary, think of the CISO as the principal of the school, while the MSSPs are valuable resources that the school uses. The CISO is accountable for driving the right security outcomes based on the company goals and risk tolerance. The CISO is accountable for choosing and implementing the tools (including MSSPs) and processes within the company that best meet the company's needs at the best possible price point. The CISO is accountable and responsible for setting the security strategy, implementing it, measuring the progress, and ensuring that it aligns with the vision for the company.
Authors: - Bill Alfveby, Ed Ferrara, and Burke Autrey