MSSP – Yes or No?

By Curt Kwak, Chief Information Officer, FCHIME, CHCIO, MBA

Cybersecurity is on everyone’s mind these days. The stakes are getting higher and the cybercriminals are getting smarter and smarter. The question is, are we truly equipped to protect our data and our organization from these cybercriminals?
The days of installing a free version of McAfee or Norton Antivirus that you receive at conferences are way behind us, as the complexity and the tactics we are observing are truly clever but also very frightening. Many companies also lack the personnel (both manpower and expertise) to properly manage the cyber environments that they are tasked to manage.
Of course there are tools and technologies that will help, but even then, it takes time & resources to evaluate, analyze, build a business justification, receive approval, then the hard task of procuring and actually utilizing the tool as designed. This of course is with hope that it’s enough for now. Is it truly enough?
We are currently drowning in terms like EPP (End Point Protection), CASB (Cloud access security brokers), Privileged account management/protection, MFA (Multifactor authentication), Sandbox, Ransomware/Malware mitigation, Advanced threat detection, etc. They all sound great, right? But the big question is, what is right for you and your organization? What is too much and what is not enough? These are the questions IT leaders face day in and day out.
In my industry (healthcare), we are confined by strict regulatory requirements to ensure patient privacy. The cybercriminals know the value behind healthcare data and that is why healthcare is targeted so frequently. I have received many pitches from many companies about how they can mitigate these risks. However, the bigger question is, how do we navigate this world of limited resources and technical cybersecurity expertise to truly make effective use of these tools?
One avenue could be to look at managed, professional security services. Specifically, “MSSP”, or Managed Security Service Provider. This type of service can provide true SOC operations (security operations center) without having to invest in technology, people and facilities. In some cases, the cost of engaging an MSSP is a small percentage of the cost of building your own security operations center. With the MSSP, you can obtain services like MDR (Managed Detection & Response) that will help with alerts and mitigation when potential issues are detected. In my opinion, this is the “trench” in which the battle begins.
However, before you even bring up terms like MSSP or MDR, you need to ask the tough question, “where is cybersecurity on our priority list?” I certainly hope that you can confidently answer this with a “high”. Once you do, your next task is to educate and discuss the importance with your stakeholders. I have witnessed way too many IT professionals who cry foul because their organizations don’t prioritize cybersecurity. However, I do wonder how these concerns are actually communicated to the stakeholders.
Is it in a threatening manner? Does it come out as a scare tactic? Or do they actually take the time to build stories and reasoning, with proper solutions, so that the stakeholders have the confidence that you have done your due diligence? Thinking globally and strategically for the organization you are supporting, versus certain individuals going through their own checklist as a security professional, right?
Do this before an incident actually occurs. Be proactive and don’t blame anyone if an event occurs. It’s no one’s fault and the key is to learn from the incident to be better and be more diligent about cybersecurity. We all know that a silver bullet doesn’t exist out there. We also know that this is not just a technology issue, but a people issue, probably the majority of it. So what does the overall Security Program for your organization look like? Education for your employees (to not click on that tempting link?), or how about the culture of the organization, to be more mindful of what you access and how you communicate? Then a strategy around how you can supplement these human behaviors with technology to help improve the workflows (filter spam to decrease your time on email, as an example) while protecting the data that you are managing?
Can you do all this on your own? Will your organization invest in such a large practice? Can it afford to? Or, is an MSSP the right answer?
The bottom line is that we all need to do a better job in managing our cybersecurity perimeter. The question becomes, what makes the most sense for your organization and mine?
Best of luck to all of you and happy cyber hunting!