Scaling a Security Program with MSSPs
By Jeffrey W. Brown, CISO, Life & Retirement, AIG
Outsourced information security services and managed security services providers (MSSPs) are a necessary component of most cybersecurity programs. Even large-scale financial institutions with fully-staffed internal security teams tend to have at least forensics and incident response experts on retainer in case internal teams are not enough to respond to a large or sophisticated attack.
Security costs are skyrocketing and talent is still in extremely short supply. This is a global problem that only seems to be getting worse, even with new talent entering the industry every day. Qualified applicants who are also affordable are even harder to come by, as even some junior and mid-level jobs are well into six figures, especially in urban centers. Indeed.com estimates that most security analyst jobs start around $80,000 and go up from there. The skilled hands-on workers are in short supply and are commanding higher salaries. Could MSSPs help fill some of these gaps?
MSSPs are being used for everything from monitoring the security operations center (SOC) to handling the top job of CISO-as-a-service with the rise of virtual CISOs (vCISOs). In the vCISO model, everything up to and including the top job can be outsourced. vCISOs can also simply “fill in” by providing leadership to your existing security team, by interfacing with senior management and the Board, or by serving as an interim CISO while a permanent candidate is being sought.
Outsourcing the top security job typically only makes sense for smaller companies. Having a senior executive with the overall responsibility for security who also has a seat at the business table is important. There are also risks to a complete CISO outsource, as you can create the perception that security risk has also been outsourced when the responsibility sits squarely with senior management and the board of directors.
In a model that could perhaps represent the future of cybersecurity, you can look at how General Counsels or Chief Legal Officers (CLOs) operate at many companies. The legal problem faced by many corporations does bear some resemblance to security in that the problems are complex and the talent to address them is expensive. The more specialized the talent is, the more expensive it will be to bring them on board internally. Think of hiring an industrial patent attorney with deep expertise in China who can speak both English and Mandarin. There are very few of them, they are probably already employed and they will command a high salary. Sound familiar?
To handle this problem, some companies have put an experienced, strong generalist in place as CLO, who then engages a variety of external organizations on a regular basis, and specialty and boutique firms as the need for specific expertise arises. In this model, the CLO has a small team or no team but does retain a seat at the business table and a budget for bringing in the right talent at the right time to handle the organization’s changing needs. It is cost-effective, scalable and fast to implement, with a single senior corporate executive responsible for the overall function and how it is performing.
Applying this model to cybersecurity would actually have some advantages in that CISOs would be able to focus primarily on strategy and business alignment, organizations could keep costs down and resources could be used more on an “as needed” basis rather than staffing a full team of security professionals who are there “just in case.” Send out the ultra-specialized work like forensics and also the commodity work like monitoring and basic assessment work. Focus instead on the value-add activities and partnering with the business.
MSSPs can be used to extend a team, refocus a team on more important tasks or completely replace an internal team. I am not advocating immediately outsourcing your entire security function, however. Like most complex problems, sometimes a thoughtful hybrid model meets the need more effectively than solutions that offer all or nothing. Ultimately, there is a balance to strike in terms of what you keep in house, what you outsource and everything in between. There also needs to be a lot of attention to performance metrics, service level agreements (SLAs) and overall costs (e.g. can something be done cheaper and better in house?).
MSSPs could allow commodity and even specialty work to be outsourced and could allow access to more advanced tools and expertise than you already have in house. If done right, it could also provide these benefits with a net cost savings in some cases.
Just remember though, you can’t outsource security risk. That’s still very much your problem and why you might well want to keep the things that matter most to you under your direct control.