Maksim Kabakou - Fotolia

Security Think Tank: Supplement security with an MSSP to raise the bar

What is the most practical and cost-effective way for organisations to identify and remediate high-risk software vulnerabilities?

Small and medium-sized enterprises (SMEs) play a pivotal role in helping drive the economies around the world, but often face an uphill battle when it comes to cyber security. Limited resources in an organisation can leave gaping holes in security, leaving those businesses at higher risk of cyber attacks and data breaches.

When firewalls first emerged to protect networks in the early 1990s, the idea of outsourcing cyber security to a managed security service provider (MSSP) would have been far-fetched. But defending networks from sophisticated cyber attackers today is not optional. To protect a business appropriately, there is a long list of appliances and applications organisations need, including, but not limited to: distributed denial of service (DDoS) protection, intrusion detection/prevention systems, web application firewalls, data encryption, data loss prevention, security information and event management (SIEM) systems, deep packet inspection and network analysers.

With so many requirements, it can be easy for companies to become overwhelmed by their growing cyber security budget. For many of these organisations, outsourcing security can be key to keeping the business running and keeping sensitive data protected.

Here are some of the primary benefits to having a managed provider take care of your cyber security needs:

1. Cost savings

Because these providers incorporate costs for analysts, security appliances/applications and facilities are distributed across all their customers, the fees are usually reasonable. The cost to employ a satisfactory number of IT professionals, as well as make the appropriate hardware and software upgrades, could be too much of a financial burden for many organisations. With all the expertise and equipment included in the cost of an MSSP, it’s no surprise that cost savings are an attractive benefit of outsourcing.

2. Security expertise

It’s difficult enough to find IT security professionals for an in-house team, let alone pay for them. With an MSSP, organisations have a dedicated team of security specialists at their disposal to ensure the network is protected and monitored. These professionals can also keep up with the latest security trends since their roles are specific. In-house teams are often overwhelmed with other responsibilities, so they are not able to be as proactive when it comes to staying up to date.

3. Total support

Predicting the timing of a cyber attack is almost impossible. Luckily, MSSPs typically provide real-time cyber security reporting 24 hours a day, seven days a week, 365 days a year. By establishing a service level agreement (SLA) for their exact needs, organisations can have peace of mind regarding network protection. Before signing on the dotted line, it is essential to check the terms of the contract to ensure business needs are properly represented. A well-defined SLA benefits both parties to ensure a successful engagement.

Security outsourcing check points

While the advantages of outsourcing are plentiful, there are still a number of things to consider before signing on the dotted line with an MSSP.

It’s important to understand that MSSPs do not eliminate security costs. Organisations still need an in-house chief information security officer (CISO) for the MSSP to report to and coordinate with. While MSSPs offer security expertise, they are meant to supplement an in-house own security team, not replace it.

An SLA is crucial when it comes to outsourced providers. Many MSSPs will provide a generic, standard contract with pre-set terms to quickly expedite the closure of the contract and allow services to begin – to manage the risks with security control operations. This can be helpful, as many outsourcing providers have expertise in this field.

However, where an MSSP relationship is concerned, a one-size-fits-all approach is not the best. Instead, discuss the needs of the organisation and develop remediation steps ahead of time, before things stop working, so both parties know who is responsible for what and the prescribed course of action. Developing those roles and responsibilities up front will limit chaos if an issue arises.

“While MSSPs offer security expertise, they are meant to supplement an in-house own security team, not replace it”
Greg Temm, FS-ISAC

The biggest concern that keeps companies from outsourcing their security is the risk of exposing sensitive data. For many businesses, allowing outsiders to handle this type of information is simply not an option. This is why a detailed SLA is essential to an MSSP relationship to maintain confidentiality and ensure the organisation is legally protected in the event of a data breach.

To mitigate these risks, it’s important to research all potential MSSPs before choosing one to outsource with. There are plenty of providers and each will have a slightly different approach. Organisations should take the time to ensure a provider will meet their needs and that they can trust it with sensitive data.

As with any relationship, communication between an organisation and a service provider is crucial to ensuring both parties are getting what they need. Choosing an MSSP is not simply about signing a contract and then writing a cheque.

Having regular relationship meetings with the provider that focus on the review of transferred risks, controls developed to mitigate risks and key metrics to determine acceptable management of transferred risks keeps everyone on the same page.

When things go wrong it’s important to talk frankly about the issues, expectations and what both parties can do to work together to make it better. Go back to the contract and make sure that both parties understand what is written. Too often, a wall will be built between both sides and the relationship will quickly deteriorate. When this happens, things usually get worse – not better.

For things to go well with an MSSP, it’s all about the relationship. Organisations that do their part to keep the relationship strong through clear communication, reasonable terms and documented expectations are more likely to have a positive experience.

To learn more about recommended cyber security controls for the financial services sector, outsourcing best practices and other important cyber issues, register for FS-ISAC’s EMEA Summit in the Netherlands, on 1-3 October 2018.

Read more on Application security and coding requirements

Data Center
Data Management