When it comes to cyber security there is an elephant in the room that no one talks much about: it’s a problem of the “haves” and “have-nots”, those that can afford to have advanced cyber security and those that are not willing to pay for advanced cyber security controls.
The top 10k large enterprise companies in the US have been using advanced cyber security tools and services for many years and they spend up to 9% (*) of their IT budgets defending their enterprises. In fact, JP Morgan announced it would spend half a billion dollars on its cyber defenses in a year.
In the last few years the upper middle market has begun to get serious about advanced cyber security as well, but this sector does not want to pay those enterprise prices. Hence the Managed Security Services Provider (MSSP) model became prevalent: MSSPs spread their security analyst manpower over a series of accounts to gain efficiencies. The problem is that even the MSSP model is too expensive for most small to medium businesses (SMBs).
What is an SMB to do when its customer demands more advanced security if the SMB is going to work with the customer’s data? What is an SMB to do when the industry or government sets compliance requirements that mandate advanced security controls or else face fines? These SMBs look around and see there are very few security people in the market they can afford to hire, and the tools cost a fortune. So, these SMBs are stuck. The first place they turn is to their Managed Services Provider (MSP), who currently manages their desktops, backups and anti-virus installations. These MSPs installed the network, their Office365 installation and the “managed” firewall, so they must understand security… right? Well… it’s more complicated than that…
To build a successful security practice, an MSP needs to understand business risk and the controls necessary to minimize that risk. The MSP needs to understand the processes, procedures and plans that can manage the controls. The MSP needs to understand liability (first and third party). It needs to understand industry compliance mandates and what it means to be a ‘covered entity’ (HIPAA, DFS), and why it’s necessary in some cases to sign a business agreement (*) where the MSP takes on some risk. And then the MSP needs to understand the tools to put in place to manage these risks.
This world of risk is a different world than most MSPs live in today. Today’s MSPs are great at productivity, disaster recovery and remediation, but corporate risk is new to most of them.
Most MSPs today are great at deploying security tools such as anti-virus, anti-malware, web application firewalls, IPS/next-generation firewalls and even services like OpenDNS. When it comes to more advanced security tools such as a Security Information & Event Management (SIEM) system, Intrusion Detection Systems (NIDS/HIDS) and vulnerability scanners, it’s not enough to deploy a tool: the customer needs the MSP to manage the tool for them. The customer needs the MSP to use the tools to ensure the company both meets the compliance demands AND stays safe. The customer would also like help with penetration testing, vulnerability assessments, logical access policies, incident response plans, disaster recovery plans, encryption policies, etc.
Unfortunately, to occupy this new position that customers want from their MSP, the MSP may have to go out and buy expensive tools and hire expensive talent. But then they find themselves in the same bind as the current MSSPs out there: their services are too expensive for their customers. So, what is the MSP to do? They may lose the account to another third party if they can’t figure out how to offer these services.
There is a solution. MSPs will solve this dilemma for the SMB marketplace in combination with the new Managed Detection and Response (MDR) service community. The new MDR space overlays a great deal of automation and cloud computing on top of the old-school security services. Some call this new world “Security as a Service”. If the MSP can deploy the service (usually installing a HIDS endpoint on servers and desktops, installing sensors, and pointing the syslog output of devices such as firewalls and routers at the sensors) and deal with the issues as they arise, a marriage can be made in which the MSP truly becomes more efficient and useful than any MSSP, because MSPs are already great at remediation and they understand the customer’s business. The MSP can be the front-end interface to the customer and the MDR vendor can be the MSP’s tier II SOC (Security Operations Center).
We would still encourage the MSP to learn the finer art of risk management as it relates to security, and also to partner with advanced firms for when a serious breach occurs (e.g. command & control software stealing sensitive data or ransomware encrypting all the company’s assets). Other companies to partner with would be cyber law firms, cyber insurance firms, penetration testing firms and those organizations that handle corporate policy.
NetWatcher is an MDR company located in the Washington DC Metro area with clients all over the US. We work with Managed Services Providers all over the US and our mantra is “we turn MSPs into Managed Security Services Providers”.
NetWatcher provides their MSP partners
All we ask in return is that the MSP have 5 customers up and running within the first 120 days of onboarding.
MSPs that invest in enterprise sales (both account managers and technical sales engineers) do the best job at building an effective managed security practice.
Here are the questions an MSP should ask about their firm before they start to invest in offering managed security services to their customers: