bankingciooutlook

Why we need MSSP? Managed Security Service Provider & the quest for cybersecurity experts

Marek Trebicki, Cyber Security Services Risk & Control Associate Director, Standard Chartered Bank

'A business basis'

Be it an enterprise or a small business, these are the two professionals you absolutely need to have – an accountant and a lawyer. One could think they don’t need to be involved if the business isn’t mature enough. In fact, there are people who manage to grow their business effectively without appropriate consultation and support from these professionals, not knowing what approach would have worked best for their situation. Would that be a blessing, luck or simply underestimating the opponent? We won't understand how badly things could be messed up in those areas until someone, with premeditation or not, discovers and uses the flaws. This may therefore result in extra expense, either from having to re-register or from continuing to maintain a business with badly managed financial or legal matters. Or it may well be too expensive to straighten out.

'Information Security' being companies’ top priority in post-pandemic era

How about your company’s exposure to global cybersecurity threats, particularly in the post-pandemic era? Is the information your business collects, stores, and processes safe? As with accounting and legal traps, no matter the size of your business, cyber criminals await your dissociation. Tons of home-grown hackers, but also experienced professional teams with prepared tactics & techniques, are looking for opportunities to exploit your data for their financial gain. How would you evaluate the value of your business information, including sensitive data, i.e. personally identifiable information (PII), personally identifiable financial information (PIFI) or protected health information (PHI)?

According to cybersecurity research by IBM, it takes 280 days to find and contain an average cyberattack, and the cost of such an average attack stands at $3.86 million*. And still most of these attacks will be undetectable without human involvement. The cyber defence strategies applied by organizations differ, from those that finish their engagement with a newly purchased firewall to those that ensure continuous improvement. Others take unambiguous steps. The FSO, the Russian agency responsible for Kremlin security, decided to avoid cyber-related risks and is buying typewriters**. Our risk assessment may, however, provide other possible recommendations, especially if the organisation must remain interconnected. How about the security services?

Managed Security Services & Security Operations Centre

When referring to Managed Security Services (MSS), most people imagine them as a sort of round-the-clock Security Operations Centre (SOC). Cybersecurity-related services, however, go way beyond that and are constantly becoming increasingly complex. Core services around Security Incident and Event Monitoring (SIEM), threat and incident response would be just one of many areas where MSSPs are welcomed with their competencies and capabilities. Several MSSPs with different service portfolios constantly rally to invent, update, and smoothly run the perfect stack. Their standard, comprehensive out-of-the-box services may potentially address major cybersecurity risks for small firms, making MSS the perfect choice.

However, what may be perfect for small businesses usually doesn’t match the needs of bigger companies. Due to several different factors, and not always strictly financial ones, the SOC together with basic security services is still mostly provided in-house. Companies decide to ramp up their own teams to penetrate the organisation deeply without any unnecessary compromises, i.e. providing external parties with access to sensitive information or having to modify processes to let external experts in. Such an approach would be justified and especially crucial if MSS interactions clash with core business activities or become too noticeable. In addition, internal security services may also be tied to different functions or processes across the organisation. But even then, specific MSSs are still being delivered to address niche areas not yet covered internally or where there’s no will to maintain them internally. At the end of the day we are still left with residual risks to be mitigated, potentially with tailored, sophisticated services delivered by specialised MSSPs.

Establishing a successful service

Apart from the operational model, whether delivered internally or by an MSSP, the security team shall be the first to know the infrastructure perimeters, the onboarded cloud services and all integrations and interconnections with third parties, so that it can secure them from day 1. It shall also be clearly stated what information, systems and processes are most critical, to allow the service to be aligned with business needs. Such a configuration puts the SOC in a great place to become an orchestration platform for other internal and external services. For instance, the Software Development Life Cycle (SDLC) with application code reviews, application assessments or even security-related training for developers could be one of many cherries on the cake. Another great example is DDoS protection, required constantly but used occasionally against actors who are about to paralyze our connectivity or services.

'Everything is perfect, but there is a lot of room for improvement.'

Considering engagement with an MSSP and its perfectly crafted services, we can expect protection within strictly agreed boundaries and processes; no more, no less.

What if we would like to accompany it with other contestants' services? Could we expect to have it managed in a similar way as by an internal/central team? There could be a bit more space for service flexibility and customizations. How about disrupting the status quo, moving away from the typical closed-silos model to one that would be more open to collaboration? Improved interactions across MSSPs could bring a breath of fresh air. The transparency that is celebrated by open source would uncover weaknesses and increase healthy competition. Service flexibility and orchestration opportunities surely could bring more business trust and appetite for MSS.

The summary

It is often a question whether an MSSP is the best solution for the organisation at the time, or whether a security department is perhaps already justified. On the other hand, a hybrid configuration may be worth considering to ensure security and flexibility at the same time. The decision-making mechanism is not much different from any other form of outsourcing, where at the end of the day (usually) time and money matter most.

Nonetheless, let's keep recognizing cybersecurity threats, risks and strategy not only as something attached to IT or security team initiatives, but make them applicable to the whole organization, from intern duties to boardroom processes.

 

 
