Incorporating an MSSP into your Information Security Program: a Tactical and a Strategic POV Part 2
In part one of this blog we discussed the tactical advantages that allow an MSSP strengthened cybersecurity program to outperform an in-house program – those factors which directly improved your information security posture. There are softer, more strategic advantages to offloading some of the responsibilities to a company whose job it is to specialize in detection and response. As anyone knows who has tried to hire top flight information security people, they do not come cheaply and the market is very competitive due to restricted supply vs demand. It is often difficult to keep a talented security hire and insure organizational knowledge and continuity because they can always go somewhere else where the pay is higher and the prestige and challenges are greater.
The MSSPs who curate the security of several 100 companies can afford to pay top dollar and they have the tools and problem sets to properly challenge their staff due to their economies of scale. Not only that, hiring 3 shifts to have a 24/7 SOC triples the cost and is seldom practical due to the fact that the incident rate is low. On the other hand, this is easy for a MSSP to maintain due to the size and frequency of incidents - the detection and response part of your cybersecurity effort can be on top of your things at all times as it truly needs to be. Not only does the MSSP have these things working in its favor, but It has additional stability due to the size of its team. This gives you strategic advantages so you don’t have to worry about the staffing and managerial headaches fielding a proper team entails.
Then, there’s the cost to play. In general, a detection and response team has a minimum size and, because of the aforementioned salaries, maintaining even a small team is expensive and often a waste of resources. With an MSSP, the price for resources is elastic. If you have a cloud implementation that is likely to scale up by a factor of 10 in the next quarter, you only allocate security resources when the machines are making you money. If the project is not as successful as you thought you can always dial your security spend back without needing to let anyone on your team go. The inelasticity of the internal hiring process is costly – not only financially, but costly in terms of its impact, product lead time, organizational memory, and business agility.
Now, there is a broad range of companies that regard themselves as MSSPs. Some are simply signature-based anti-virus vendors. While a good MSSP will have an anti-virus as part of its offerings (or at least integrate well with one), their services are a great deal broader than that. To be a really comprehensive product it must operate at the application layer and it must monitor network traffic for suspicious behavior. Most of your revenue producing (or loss susceptible) computing needs to be protected at that application layer. Vendors exist that have products which operate in the Cloud, on Premises, or in Hybrid Cloud/Datacenter environments so a solution can be found that will fit your needs.
In spite of its advantages, an Information Security program is more than just an MSSP. The MSSP will provide you with information about what was compromised and where they are in your system, but you will still need people on the ground to deal with the intelligence they provide. You need a team to lock the infected system down, kick out the intruder and patch the vulnerability/change the passwords that allowed them in in the first place. But this is an easier task when an agile, thorough, specialist has told you what the problem is and roughly how to fix it. You still need to create a Target/Asset Map and use similar tools, but this represents a shifting of focus of your team. This allows them to focus on their areas of strength, especially maintaining a secure code base which will be to your benefit in the long run. You have not got rid of your information security responsibilities, it is only that through specializing in the areas of your own competitive strengths, your job, both tactically, and strategically, has become easier, more effective, and more profitable.