SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Managed service providers: effective scoping to avoid costly vendor pitfalls
Tue, 17th May 2022

Cybercrime is one of the most pervasive and destructive threats to business, costing billions of dollars each year. Organisations can never be entirely secure, but they also need not live in a constant state of fear about using digital systems safely. By instilling a strong culture of cyber awareness, implementing a range of industry best practices, and engaging subject matter expertise on how to structure and protect systems, companies can establish a sound security baseline.

Managed security services are outsourced services focusing on the security and resilience of business networks. Organisations engage partners to monitor and respond to security incidents, providing cybersecurity controls and expertise for complex business environments. The service complements internal security measures while adding redundancy and a safety net of industry experience that improves an organisation's risk posture by sharing knowledge and responsibility.

Choosing the right managed security services provider (MSSP) and scoping the engagement effectively are the two essential elements in achieving a strong return on the investment in this relationship.

Entry-level managed security services include around-the-clock firewall monitoring, antivirus and anti-malware protection. Companies working in sectors with specific regulatory requirements may add penetration testing and disaster recovery drills to comply with stricter security benchmarks. Larger enterprises and government organisations may engage multiple MSSPs to add defensive layers, distribute workloads, and provide bespoke resourcing based on their unique needs.

There are four elements organisations need to understand to scope their needs accurately:

1. Cyber risk exposure. This will determine what tier of managed services is needed for safer operations.

2. Valuable data. It's important to identify the sensitive data that could lead to financial and reputational damage in the case of a data breach.

3. Systems. Understanding which systems are vulnerable to common types of attack and where gaps in expertise or technology exist will let the business determine where the immediate needs are.

4. Assets. It's important to audit assets, including physical, logical, and environmental components such as networks, computers, virtual appliances, data centres, and other ICT systems.

Thoroughly documenting and communicating the complete security requirements of an organisation before even calling an MSSP is key to both coverage and cost-effectiveness. Scope creep happens too often, usually when there is a lack of clear communication between organisations and MSSPs. To avoid this, organisations should develop an explicit scope statement at the outset.

Both parties need to be on the same page from the very beginning, with expectations cemented in service level agreements and a constant feedback mechanism that closes the loop on iterative project work. When entirely reactive, projects can easily become more expensive and time-consuming than originally anticipated, compromising productivity and trust.

The best way to avoid scope creep with any managed service provider is to front-load effort in the planning process before any work begins. With cybersecurity in particular, every minute spent planning before deploying to a production environment is worth an hour down the line. The evaluation process before engaging a managed security services provider should work from that comprehensive, documented outline of requirements.

With agreements in place, the proposed security services can then be defined and structured against that holistic view of the landscape, preventing the time and cost blowouts that inevitably result from rushing the all-important scoping process.