MSSP – what should they be capable of?

If you are looking for technical support for your business or organisation, especially when it comes to business and cyber security, the process can at times be fraught with danger. How can you tell the good providers from the bad? How do you know you are getting the best advice?

When it comes to outsourcing your ICT to a managed service provider it can be just as confusing, more so when you are talking about cyber security: protecting your business data and building a secure business environment for your staff and customers.

For most organisations, the decision to keep the management, operation and reporting of the ICT security component in house or to outsource it will depend considerably on how good your staff are, how much money you have and how seriously you take the business, customer and staff data that you store and protect. With cyber security there is no margin for error. Like other disciplines in the ICT world, the professional security team is a critical component of your business, and in the future it will probably become a lot more important.

Your security requirements will depend on a number of internal and external criteria, and your organisation's ICT security requirements have to be based in the real world. Your chosen MSSP or in-house staff have to be more than one dimensional. They have to understand all of the business requirements for YOUR business and how to protect each component. They are not there just to implement and install the firewall; they are there to implement change, deliver understanding and, most of all, protect YOUR business.

A good MSSP delivers brilliant service because they are, or have on staff, the "jack of all trades, master of none" type of attitude and capability. They have skills across the board, from technical work to business analysis, from business continuity to patch management. They understand how you do business and how to protect that business from the ever-present cyber problems.

As in the legal world, there are experts. A general legal practice is fine if you want to fight a parking ticket, but if you are buying or selling a property you need a conveyancing solicitor, and if you have broken the law you need a professional defence solicitor to keep you out of jail. In most situations both of these focused individuals could be part of the same firm.

This is how a good MSSP works: they will have a firewall expert, a patch management expert, a policy and procedure expert, a backup and disaster recovery expert and a compliance expert. As a business in the business of protecting your business, they need to cover all of these situations under the umbrella of cyber security.

To make sure that you are talking to a reputable Managed Security Services Provider (MSSP), this is what you need to look for. Here are 6 areas in which they need to have some level of understanding.

Situational awareness

There is an old school of thinking from the 80s called situational leadership: you put a person in the role of leader because they have some level of experience with the job to be done. This can be applied to most businesses today. In today's world we get professionals to do what they are good at for your business; accountants and solicitors readily come to mind.

For some reason, when it comes to security and business ICT there is a reluctance to employ experts in the field of cyber security. The reason behind this could be that everyone thinks they know how to protect their information. In today's attack-rich cyber environment, this can be devastating to a business. For a good MSSP to function it needs to have some level of situational awareness: what has happened previously, where the next attack can come from and where it is likely to come from.

In addition to situational awareness, throw in a crystal ball or some level of clairvoyance and, most importantly, a high level of paranoia. Paranoia is a healthy component of business security; in cyber space everyone is literally after you. This combination ensures that the MSSP you employ is going to be able to give you good advice, explain the reasoning behind it and show how that advice can be implemented across the business.

Adaptability

An MSSP needs to be able to adapt to change. Look at the changes in business culture and ICT that have happened over the last 12 to 18 months. Tablets and smart phones have changed the business landscape, cloud has become the catch cry for moving to an operational expense model, and we now have targeted and self-destructing viruses.

Your MSSP needs to have the ability to adapt and change to cover these technological implementations for your business. They need to adapt to change in order to deliver the correct cyber security model to your business. Without the ability to adapt to different types of situations and to changes in the technological landscape, the provider will not deliver the level of protection that most businesses demand.

Agility

Another component of the MSSP's repertoire is the ability to change direction while also protecting themselves as they do it. They need to be agile with technology and business, as well as understanding the requirements within your business.

The agility of the MSSP will ensure that your business is getting the best support and business protection available. They will keep you informed of changes, the latest threats, better ways of doing things and the best way to implement those changes for the betterment of your business.

Skills

The skill level of the MSSP also needs to reflect your business requirements. It must ensure that you are not only getting the right information and support but also the intangibles, the soft skills that make working with them productive and easy. It is no use having an MSSP with very good technical skills but without the ability to convey the right information to you, the client.

The skills also have to be across the board. Remember "jack of all trades": when it comes to the required skills, the security supplier's business needs to have the correct coverage of all of the fields, but with experts in those positions. A good security provider will also have people backing up in other fields to create a meshed environment that will protect YOUR business from attack.

But all the skills in the world will not create a secure business environment if the client (you) is not willing to listen. When it comes to human nature, most businesses will listen to their accountant, will discuss situations with their solicitor and will have their fleet of vehicles managed by a fleet management company, but when it comes to ICT and business security they will go it alone. According to a large number of management teams and business owners, just what they read on the Internet is fine.

An outstanding problem is that most MSSP organisations have a bad reputation when it comes to conveying your business requirements, and the process of protecting them, to you, the manager or owner. Businesses find it hard to communicate with ICT personnel; they find that recommendations from ICT are usually Rolls Royce solutions when a boxed Chardonnay would have solved the problem. Furthermore, most businesses find that a security fix involving technology is going to be an expensive process. Sometimes the Rolls Royce solution is the only solution, but management needs to know that and needs the options to make information-based decisions.

Maturity

A good security provider will have the maturity in the marketplace to ensure that your business is getting the best support available. The business does not necessarily have to have been around for a long time, but the people involved have to have been in the industry, and in their field of knowledge, for a decent amount of time.

ICT changes rapidly and knowledge in the required fields can change with it. There are some fields in ICT that, up to 2 years ago, were not thought of, had no training and may even have been hypothetical. There are others that have changed little but have new catch phrases. Distributed computing was around when I was working in defence in the 80s; it is now called CLOUD. Similar or the same concept, but so far apart in technical know-how that the newbies in the ICT industry think they invented it.

Maturity can be a double-edged sword. On one hand, knowledge of security principles, experience in security processes and an understanding of the impact on business are critical; on the other, knowledge of a particular technology is not necessarily so important.

Commitment

A good MSSP is committed to supporting your business, and that commitment can be monitored in a number of ways. Business security is something that needs to be at the front of everyone's mind, and for that it has to be seen and touched. What I mean by that is that everyone in the business should have some level of participation in the security of the data that they are handling.

Achieving that can be difficult, but an MSSP will do it in the following ways:

  • Management reports.
  • Training sessions.
  • Auditing and intrusion logs.
  • Weekly, monthly, quarterly and annual meetings with management to review business requirements and capabilities.
  • Information supplied to board meetings.

The commitment required of the security provider will enable your business to flourish under their protection, but you are not leaving it to chance. Your expectation is that they will keep you informed of where security fits into your business direction. Your board or management team should hear from your security provider not "you cannot do that because it is insecure" but "yes, you can do that, but you have to put these processes / technology / audit requirements / systems in place to make it work".

Finally

For most small and medium businesses and not-for-profit organisations, business security is something that is thought of only when it comes up in the news, i.e. a new virus, a large enterprise being hacked or political unrest caused by a hacking group. They do not think to apply a security framework to their business to ensure that all of the data held within that business is safe. Most of the time security is a knee-jerk reaction to something happening, something being read or something being said.

All businesses need to have some level of compliance with industry and government regulations. If you are holding other people's credit card details, collecting private information on your clients or taking online payments, then your security needs to be a lot more robust than that of a business that doesn't. The problem is that with the advent of social media the line between some of these requirements has blurred, and management and organisations need to step back and look closely at what they need to do to protect that information before a theft cripples the business.

If you want to step back and look at the whole-of-business security requirements that you need to implement ASAP, then call your local MSSP. If you are not sure, then contact us and we will help you or put you in contact with someone who can.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.