MSSPs and the value add...
Picture credit: Charity Digital

Intro

This is my first blog in a while, and I want to break down the fundamentals of the "why" when considering a move to an MSSP (or perhaps switching to another), and what they should really be doing for you.

Earlier this year, MSSP Alert outlined "Top Five Trends for MSSPs in 2023", with the number one area being that cyberthreats of all kinds will continue to grow in number, severity, and complexity. Steve Morgan at Cybercrime Magazine has since doubled down on this via the "2023 Ransomware Market Report" (sponsored by KnowBe4), stating that ransomware is the fastest growing type of cybercrime and is expected to attack a business, consumer, or device every 2 seconds by 2031.

Ransomware is never out of the news and has become not just a security problem or a CISO problem, but a board-level problem due to its destructive nature and the loss of productivity it causes the org, as well as its impact on the affiliated supply chain and on trust with customers.

With these numbers, it's not surprising that businesses require expertise when their day-to-day is media publishing or making sandwiches. Many don't want to, nor should they, focus on creating brand new teams of security experts and training them up when their focus is on business productivity and appeasing their end customer.

This is where MSSPs, or Managed Security Services Providers, come into play. As the name suggests, MSSPs are there to provide a service, taking the leg work away from the customer in ensuring their employees, IT estate and customers are protected from cyber threats.

MSSPs have a multitude of offerings that will look at the end-to-end cyber journey (before, during and after an attack), supporting customers through a number of Managed (usually MDR) and Professional (Advisory, Incident Response, Penetration Testing) Services.

Relationships work in a number of ways: the service can be fully outsourced to the MSSP, it can augment an existing team, or it can be planned to offboard in future whilst the customer builds up their security resource in-house.

Augmentation is becoming more and more common for Enterprises, whereby a typical 10,000 seat organisation may already have a security team in place but wishes for them to focus on the more "interesting work", usually classed as Tier 3 and threat hunting type work, with the MSSP providing them with fewer tickets (drowning out noise and false positives) to work on.

Otherwise, and regardless of whether the organisation is SMB or Enterprise level, there may simply be no appetite to build an in-house team. In that case, a few individuals will work with the MSSP on remediating tickets together and clarifying whether an employee should really be logging in from a time zone halfway across the world and should therefore be blocked from performing certain actions.

At the end of the day, an MSSP should really be that partner to the organisation, providing them with valuable insights into the number of attacks, the types of attacks and what the org should be aware of from a threat intel perspective, whilst proactively monitoring them on a day-to-day basis. Being a value-add to the org is fundamental, with continuous education also key.

I have summarised some of these points, clearly labelled as Time, Cost & Resource, below:

Time

Time is crucial for a CISO, CIO or CTO and, in particular, for the teams they run and how they manage them effectively. Some time constraints for these individuals and teams can be:

  • Vendor agreement. Managing multiple solutions means multiple meetings and an increase in paperwork. It's never an easy task, and more and more companies are looking to consolidate as point product solutions become more costly, with an increased risk in integrating them all. Earlier this year, Microsoft outlined the growth of its breadth and depth of security solutions and the cost savings for organisations: https://www.microsoft.com/en-us/security/blog/2023/01/25/microsoft-security-reaches-another-milestone-comprehensive-customer-centric-solutions-drive-results/.
  • Projects. At any one time, there are multiple projects being juggled by IT teams, meaning a multitude of deadlines that keep them away from their day jobs. Managing multiple projects can also mean a lack of focus and perhaps missing the objective set out altogether. Inc published an article on what managing multiple projects does to the human brain, along with how we can become better at managing these.

Cost

  • Team. Hiring a team is a costly effort and, at board level, will be looked at as exactly that. Increasing that team will require justification and, should the business as a whole not be reaching its targets, it can mean that your team receives the redundancy notice first hand. It's not just hiring the team, it's also training them and keeping them up to date with the latest technology and trends, so that they are highly educated and ready for the next "AI-generated cyber battle". Attrition is another issue: investing in an individual is a costly effort and, should they one day get up and leave for a competitor, all of that investment is somewhat lost, with your competitor benefitting at the same time, along with your company IP.
  • Technology. I touched on it already in the Time section; however, managing multiple solutions at any one time is a costly way to go about your security tooling, as is ensuring that your team is savvy enough to integrate them whilst staying knowledgeable on the latest updates to each. Should these be configured incorrectly then, naturally, they can do more harm than good. Having your MSSP oversee your tech stack means they can spot vulnerabilities and anomalies and provide advice on what measures may be taken via on-going advisory, pentesting and red teaming engagements.
  • The market is flooded with acronyms (and I do apologise), however XDR has taken off in a big way and, to my last point, for good reason. eXtended Detection and Response here at Quorum Cyber provides not only detection and response efforts (during/post event), but on-going protection and an increase in an organisation's cyber maturity, before that bad event can occur. Read on: https://www.quorumcyber.com/services/managed-xdr/

Resource

  • Labour, Recruitment, Training and Attrition are all factors weighing into the Resource discussion. Hiring in general can take months, if not years in some cases, to find the right talent, especially if you're an unknown quantity to the industry and still building your brand. Talent pools, hiring processes, holidays, candidate drop-outs, restructures, lack of funding or hybrid work, job security, economic constraints and so forth can all add up to the difficulties of building, and holding onto, a world-class cyber security team. Again, when your business isn't predominantly security, the question is whether it's better to outsource to a specialist for whom security is all they do, day in, day out. LinkedIn's Global Talent Trends from May 2023 provides the latest insights as to hiring and attrition in today's market and what it may mean for CISOs looking to hire in future.

Outro

Here at Quorum Cyber, #WeFightBullies, ensuring the good guys win.

As a Microsoft Security Partner based in the UK, we work with customers 24x7x365 across the world, of all sizes and industries, ensuring their investment in Microsoft Security is configured, tuned and optimised correctly.

Organisations are then able to realise the full value of their investments, whilst we continue to support in providing guidance and expert advice across the rest of their IT estate, decreasing risk whilst ensuring operational resilience and cyber outcomes are met.

Please reach out should you have an enquiry about Managed or Professional services and how we can support you on your mission.

Thank you for reading and any comments or recommendations are always welcome.

Joel

Ian Whiteford

LinkedIn Top Voice | Founder @1%HR | Director @Windranger | Fractional CPO | Strategic HR Leader | HR Innovator in Crypto & Web3 |

1 year

Amazing! Managed Security Services Providers play a crucial role in helping businesses protect their digital assets, data, and infrastructure from cyber threats.

Allan Turnbull

Enterprise Sales @ Proofpoint | Sales Best Practice

1 year

"Outro"...
