Managed Security Service Provision, the convergence between business and technology

Posted on June 12, 2023

Following a panel session I had the pleasure of participating in at the Seventh Annual Cyber Physical Convergence Forum London 2023 last week, here are a few thoughts stimulated by a discussion on Managed Service Providers and their role as agents of convergence between technology and the business.

The general consensus was that Managed Security Service Provision (MSSP) can be seen as a convergence between technical and business acumen.

The interpretation of MSSP in this context refers to the outsourcing of security services to a third-party provider who manages and monitors an organization’s security infrastructure and systems. In this context, both technical expertise and business understanding are crucial for the success of an MSSP.

On the technical side, an MSSP must have deep knowledge and expertise in various security domains such as network security, endpoint security, vulnerability management, threat intelligence, incident response, and more. They need to understand the intricacies of different security technologies, tools, and frameworks to effectively protect their clients’ systems and data.

At the same time, an MSSP must possess a strong business acumen. They need to understand their clients’ business objectives, industry regulations, and risk appetite. By aligning their security services with the clients’ business goals, they can provide customized security solutions that address specific needs and challenges. Additionally, they should be able to communicate effectively with executives and stakeholders, explaining the value of their services in business terms, such as risk reduction, regulatory compliance, and cost-effectiveness.

Successful MSSPs combine technical expertise with a business-oriented approach. They not only deploy and manage security technologies but also analyse the impact of security incidents on the clients’ business operations and assist in making strategic decisions. They often provide reports, metrics, and insights that help clients understand the security posture of their organization and make informed risk management choices.

However, not all MSSPs are born equal. The specific type of MSSP can influence the degree of convergence between technical and business acumen. MSSPs vary in their focus, scope, and the range of services they offer. While technical expertise is foundational in all cases, the extent to which MSSPs incorporate business understanding and strategic guidance differs depending on their specialization and the services they offer. For example:

  • Technical-Focused MSSPs – These primarily emphasize technical expertise and specialize in managing and monitoring security infrastructure and systems. Their primary goal is to ensure the proper functioning and security of the client’s IT environment. While they may provide some level of business-oriented reporting and metrics, their main focus is on technical aspects such as threat detection, incident response, and system hardening.
  • Compliance and Regulatory MSSPs – Their focus is on helping organizations achieve and maintain compliance with specific industry regulations and standards, such as PCI DSS (Payment Card Industry Data Security Standard) or HIPAA (Health Insurance Portability and Accountability Act). In addition to technical security services, they possess in-depth knowledge of relevant regulations and compliance requirements. They help clients implement the necessary controls, conduct audits, and generate reports to demonstrate compliance.
  • Strategic and Advisory MSSPs – Some go beyond technical operations and provide strategic guidance and advisory services. They have strong business acumen and work closely with their clients to align security initiatives with business objectives. They may offer services such as security risk assessments, security program development, security governance, and executive-level reporting. Their goal is to assist organizations in making informed decisions, prioritizing investments, and mitigating risks in a business context.
  • Vertical-Specific MSSPs – Then there are those who specialize in serving specific industries or sectors. For example, there are MSSPs dedicated to healthcare, finance, government, or retail. These MSSPs possess industry-specific knowledge, understanding the unique security challenges and regulatory requirements of the sector. They provide tailored security services that address the specific needs and compliance concerns of their target industry.

So knowing the nature of the MSSP you are engaging is critical, because this type of supplier relationship often means outsourcing converged responsibilities. This typically means that an organization is delegating the management and execution of integrated or unified services to an external service provider, allowing the organization to leverage the provider's expertise in delivering a comprehensive solution.

However, while the responsibilities for managing the converged services may be outsourced, the ultimate accountability for the outcomes and performance of those services typically remains with the organization. In other words, the organization retains the responsibility for ensuring that the outsourced services meet their objectives, adhere to any contractual agreements, and align with the organization’s business requirements.

Accountability in this context means that the organization is answerable and responsible for the overall success and results of the converged services, even if the day-to-day execution and management of those services are outsourced. The organization must actively monitor the service provider’s performance, assess the effectiveness of the services, and take necessary actions to address any issues or gaps that may arise.

Maintaining accountability is essential to ensure that the organization’s strategic objectives are met, risks are properly managed, and compliance requirements are fulfilled. It involves establishing clear expectations, setting performance metrics, conducting regular assessments, and actively engaging with the service provider to ensure alignment with the organization’s goals.

The attraction is that MSSPs can offer consistent performance and provide a single point of accountability, often referred to as “one throat to choke.” This concept emphasizes the convenience and reliability of having a single service provider responsible for managing and securing an organization’s IT infrastructure. While an organization can outsource converged responsibilities to a single service provider, it cannot outsource the ultimate accountability for the outcomes and performance of the business lines those services support. The organization ultimately retains the responsibility for overseeing, evaluating, and ensuring the success of the outsourced services.

Ultimately, MSSPs can provide consistent performance and act as a single point of accountability by leveraging their expertise, establishing SLAs, offering 24/7 monitoring and support, centralizing management, providing incident response capabilities, and managing multiple security vendors, in order to deliver comprehensive security services that protect organizations’ assets while aligning with their strategic objectives and risk appetite. This approach helps organizations streamline security operations, enhance performance, and simplify the process of holding a single provider responsible for security outcomes.