Conversations in Risk-Based Security

What is the Business Case for MSSP?

Posted by Rajni Goel on Sep 4, 2018 10:59:24 AM

Much has been written about the benefits of an MSSP, especially if you are a big organization.  It allows for a consistent, centralized, and transparent view into your organization’s security platform.  But, how do you decide if an “in-house” security management program is effective enough? What is the cost-benefit analysis when deciding to budget expenses for in-house versus out-sourcing?

The National Institute of Standards and Technology (NIST) advises that similar to financial and reputational risk, poorly managed cybersecurity risk may negatively affect performance and place an organization at risk by reducing its ability to innovate.  Decision makers and executives are quickly realizing losses due to their inability to keep up and be fully knowledgeable about properly managing cybersecurity risk status and issues and comply with guidelines of the established frameworks (such as following some of the key elements of the NIST Cyber Security Framework). 

Organizations (big and small) desperately need a quick reference guide for deciding how to manage and implement their security program.  An MSSP “Scorecard” helps an organization decide what is the Competitive Advantage for them in choosing to outsource to a MSSP and then also potentially calculate the ROI on their investment.

In this article, we will discuss a 5 Step Process to assist in making a business case for or against MSSP!

STEP 1: Do your own internal self assessment – and answer these questions:

What is the threat to me in my Cyber Domain?

What assets do I need to Protect?

What is the cost of losing an asset?

According to Security Firm Kaspersky, in 2017, cyber attacks cost U.S. enterprises $1.3 million and small and medium-sized businesses $117,000.[1] Sector by sector, businesses are faced with a unique, prioritized set of cyber threats.[2]   Finding a latent threat on the network, or Cyber Threat Hunting, is far harder than setting up adequate defenses in the first place to make sure your organization isn’t the “low-hanging fruit”.

Your organization cannot afford to have positions unfilled in cybersecurity. An attacker can be on the network for 5 or more months undetected, all while you’re trying to staff your security division.  Many companies are leaving their cyber positions unfilled while advanced technical candidates are enjoying zero unemployment.[3] Per FireEye’s M-trends 2018 report[4], an attacker is present on internal networks for an average of 3 months.

But keeping up with security threats is daunting to an in-house security team and requires spending:

  1. Specialized technical expertise
  2. Specialized toolsets for detection and protection, such as firewalls, intrusion detection, scanning software, mitigation tools including maintaining 24-7 monitoring and altering system.

STEP 2 – Consider Pros and Cons of an MSSP

  1. Why choose an MSSP?

In the time it takes you to assemble the right in-house security team, you may have already been breached.

One option is outsourcing security services. To mitigate threats, preserve consumer trust and privacy, and be in compliance with regulations, more and more organizations are turning to managed security services providers (MSSP) to protect their networks and data.

MSSP-assisted secure operations can provide you with a competitive advantage by giving you:
Experience

  • Choosing a security service provider allows you to defer your cyber risk management to a resourceful, fully functional third party with abundant labor, exceptional expertise, and necessary toolsets!
  • An MSSP has the experience of working with other companies in your sector, transferring that knowledge into your tailored solution takes the guesswork out of architecting an appropriate solution.
  • Expertise to properly managed risk and compliance

Availability

  • For the right price, MSSPs potentially provide flexible 24/7 monitoring and a range of tailored services to satisfy organizational needs from remote device management, to SOC services, to penetration testing.
  • An MSSP eases the burden of recruiting and retaining the right cyber security staff. It’s hard to recruit qualified candidates when there is 0% unemployment in Cyber Security!

Cost savings

  • Think of it as an investment towards a unique selling point, not a mandatory cost!
  • Calculate the cost breakdown for each employee in a security team vs the MSSP
  • Marketing your company’s strong, experienced security and protections is a competitive strategy! Customer trust (in your security) brings in revenue!
  • Remember, your insurance company may not cover your cyber breach data and IS losses if YOU were not compliant with set security standards and regulations, of which an MSSP would absolutely be aware to implement.
  1. Why not choose an MSSP?

Unfortunately, the decision isn’t entirely straightforward- there are potential risks associated with outsourcing. A few big questions to ask are:

  • Do you want to retain control over sensitive data/intellectual property?
  • What tasks will they handle? What won’t they handle?
  • Is it a single point-of-failure? What will happen in the event of the MSSP going under? Will your data be securely disposed?
  • How fast am I growing? Will it pay off in the long run to really start an in-house security team, if it’s in your future anyway.

STEP 4: What can I do? How do I decide?

First, remember there is No “one-size-fits-all” MSSP out there!  You must calculate your ROI for using an MSSP!

To simplify this decision, take thorough inventory of your assets and determine an appropriate security architecture. Make sure to consider mandatory expenses like regulatory compliance and budget out the annual cost of staffing the positions you have created. Also, budget cost of downtime, customer loss and other expenses due to attack (compare probabilities of successful attack vector if in-house security managing vs MSSP).  

Employee Role Annual Cost
#1 SOC analyst $65,000
#2 Data Safety ….
….    
Expense of Hardware/Software/Maintenance ----  
Downtime/Customer loss/ect. -----  
Total Cost: $XYZ,000

Then, shop around for quotes from various MSSP providers. Account for differences in their services provided and what you would be able to do in-house.

MSSP Services Suggested Requirements Met Extra Notes
Any MSSP Penetration Testing, Compliance, Physical hardware deployment, SOC services -HIPPA compliance -24/7 monitoring -Headquarters within 15 miles -Annual Price $XYZ,000

 The final decision should account thoroughly for the weighted risks mitigated by each option. The NIST Cyber Security Framework is a good starting point, and there may be industry-specific (i.e. by risk) guidance for architecting a security program.

STEP 5 Which MSSP to choose?

  1. Consider the following:
    1. How are your assessing if the security team of the MSSP is experienced enough and do they have all the tools to meet your needs?
    2. Is the MSSP you are selecting remaining current with new threats and cyber-attacks – potentially guaranteeing a level of accuracy in informing real-time actionable alerts which will assist YOU in making business decisions (Remember, company leaders make the response decisions!)
    3. Do they provide a tailored solution specific to my needs?
    4. Reputation?

[1] https://usa.kaspersky.com/about/press-releases/2017_kaspersky-lab-survey-cost-of-cyberattacks-for-large-businesses-in-north-america

[2] https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-analyzing-breaches-by-industry.pdf

[3]https://www.csoonline.com/article/3120998/techology-business/zero-percent-cybersecurity-unemployment-1-million-jobs-unfilled.html

[4] https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf

Topics: MSSP, cybersecurity