
Security Think Tank: Supplement security with an MSSP to raise the bar


While the advantages of outsourcing are plentiful, there are still a number of things to consider before signing on the dotted line with an MSSP.

It’s important to understand that MSSPs do not eliminate security costs. Organisations still need an in-house chief information security officer (CISO) for the MSSP to report to and coordinate with. While MSSPs offer security expertise, they are meant to supplement an in-house security team, not replace it.

An SLA is crucial when it comes to outsourced providers. Many MSSPs will offer a generic, standard contract with pre-set terms so that the contract can be closed quickly and the provider can begin operating security controls to manage the organisation’s risks. This can be helpful, as many outsourcing providers have expertise in this field.

However, where an MSSP relationship is concerned, a one-size-fits-all approach is not the best. Instead, discuss the needs of the organisation and develop remediation steps ahead of time, before things stop working, so both parties know who is responsible for what and the prescribed course of action. Developing those roles and responsibilities up front will limit chaos if an issue arises.

“While MSSPs offer security expertise, they are meant to supplement an in-house security team, not replace it”

Greg Temm, FS-ISAC

The biggest concern that keeps companies from outsourcing their security is the risk of exposing sensitive data. For many businesses, allowing outsiders to handle this type of information is simply not an option. This is why a detailed SLA is essential to an MSSP relationship: it maintains confidentiality and ensures the organisation is legally protected in the event of a data breach.

To mitigate these risks, it’s important to research all potential MSSPs before choosing one to outsource with. There are plenty of providers and each will have a slightly different approach. Organisations should take the time to ensure a provider will meet their needs and that they can trust it with sensitive data.

As with any relationship, communication between an organisation and a service provider is crucial to ensuring both parties are getting what they need. Choosing an MSSP is not simply about signing a contract and then writing a cheque.

Having regular relationship meetings with the provider keeps everyone on the same page. These meetings should focus on reviewing the risks that have been transferred to the provider, the controls developed to mitigate those risks, and the key metrics used to judge whether the transferred risks are being managed acceptably.

When things go wrong, it’s important to talk frankly about the issues, the expectations and what both parties can do to work together to make it better. Go back to the contract and make sure that both parties understand what is written. Too often, a wall is built between the two sides and the relationship quickly deteriorates. When this happens, things usually get worse, not better.

For things to go well with an MSSP, it’s all about the relationship. Organisations that do their part to keep the relationship strong through clear communication, reasonable terms and documented expectations are more likely to have a positive experience.

To learn more about recommended cyber security controls for the financial services sector, outsourcing best practices and other important cyber issues, register for FS-ISAC’s EMEA Summit in the Netherlands, on 1-3 October 2018.
