Gartner defines a Managed Security Service Provider (MSSP) as one that provides outsourced monitoring and management of security devices and systems. These security devices and systems may be any of many point solutions that offer features for firewall management, endpoint security, intrusion detection, vulnerability management, virtual private networking, policy and compliance, governance, and much more. Finding a partner that offers the right level of security assurance is key to answering the question “is a managed security services provider right for your organization?”
So how do you know if an MSSP is right for your organization? This is where exploring this seemingly simple question gets interesting and a little more involved. In technology and information security we always refer to the changing landscape and how different things are than they were some number of years ago.
It reminds me of a recent song by country music artist Sam Hunt, entitled “Breaking Up Was Easy in the 90s”. The theme of the song is that because of all our connected technologies these days, we can’t escape the truths that used to be hidden. The song depicts the dejected boyfriend pretending that he was simply out when she called, or that she was home alone at the time, much like him. But in this day of social media and technology, following a breakup everyone knows almost instantly what everyone else is doing, including the exes.
So how does this relate to your organization and determining if an MSSP is right for you? It’s simply an anecdotal reminder that our organizations evolve at a rapid pace, often with business leaders throughout the organization making decisions that impact not only the productivity and efficiency of the organization, but ultimately its profitability and sometimes its security. Technology is so embedded in everything we do personally and professionally, and ties into so much information throughout the organization concerning people, processes, and often protected information, that there is a need to be extra vigilant about how this data is managed day-to-day. Ultimately the responsibility for protecting the digital assets of the organization lies with senior management, so carefully evaluating the organization’s capabilities to provide data governance and information systems security management is crucial to avoiding becoming a statistic in today’s technology world.
Too often we hear comments such as “I’m too small to be targeted” or “why would anyone care about my little organization”. Unfortunately, it’s not about the size of the organization, but rather how easy it is for a threat actor to evade an organization’s security protections, or the lack thereof. You see, successful threat actors are opportunistic and will find the low-hanging fruit that yields easy profits.
With these general areas in mind, we can start to zero in on specific needs by asking some more detailed questions that help uncover or highlight opportunities for strengthening the organization through a partnership with an MSSP.
- Is the organization regulated by a specific security framework such as HIPAA, PCI DSS, DFARS/CMMC, GLBA, FINRA, NYDFS, etc.?
- Does the organization have an appointed security/privacy/compliance officer?
- Do you currently perform a regular risk assessment of the organization, its systems, and the data which it processes?
- Does the organization have clearly defined data owners that help to classify the sensitivity of the information being processed, and its flows in and out of the organization?
- Does the organization have a set of security policies that are reviewed at least annually, and part of onboarding procedures for all employees and third-party contractors?
- Does the organization foster a culture of security awareness that includes regular training, reminders, and a system for reporting concerns about information and system security?
- Does the organization perform third-party due diligence for upstream and downstream partners that may handle sensitive data?
- Does the organization have a mechanism for tracking vulnerabilities that impact the systems it uses, whether on-premises or hosted externally?
- Does the organization prepare plans such as disaster recovery, business continuity, or incident response plans that include tabletop tests and continuous improvement?
While this list may seem long, it just scratches the surface of the high-level items that security professionals are charged with evaluating and addressing for an organization. Being able to answer these questions ensures that someone is responsible for developing and managing the information security program for your organization, and that they are able to communicate the progress and status of that program and its objectives at any time.
Information Security/Technology Security is focused on understanding the business value of the digital assets of the organization, which are usually represented by systems and information. As any business owner today will tell you, a significant investment is made in systems and data processing equipment. The information and data being processed are most likely more valuable than those systems. The key to information security management, and where an MSSP can bring value to your organization, is correlating the value of these systems and data to the appropriate safeguards and controls to ensure their confidentiality, integrity, and availability to authorized stakeholders.
Much like breaking up was easier in the 90s, so was protecting the systems and data of most organizations. As we’ve become a more globally connected digital world, the tactics and techniques of our adversaries have changed, and so must our approach to protecting our systems and data. In some cases, it may not be feasible to insource this work to a team that is already providing value to the organization in other areas. By leveraging a Managed Security Services Provider, you can tap into the expertise of a partner that will bring to bear professionals versed in policy and compliance, assessments, awareness and training, blue/red team drills, and developing scoped and tailored controls for safeguarding your organization’s systems and data.
If you are unsure how to answer some of the questions posed earlier, or just have general thoughts and questions about the topics covered here, feel free to contact our team at Axxys Technologies, Inc. We welcome the opportunity to discuss your specific needs and how we may be able to assist with our team of professionals; just let us know how we can best serve you.