Podcast: What to look for in managed security service providers
Welcome to the first episode in our podcast series, "Into the Sphere."
Podcast: What to look for in managed security service providers
In the premiere episode of Into the Sphere, hosts Amy Lane and Mark Tierney talk to cybersecurity leader, Joe Krull, about what to look for when assessing managed security service providers.
Amy Lane: Welcome to our first episode of Into the Sphere. My name is Amy Lane.
Mark Tierney: And I'm Mark Tierney.
Amy Lane: And we'll be your hosts as we explore various topics in the cybersecurity and IT world. Our goal is to provide you with tips, tricks, and tactics on topics circulating the cyber world. We'll even bring in some of our friends and trusted leaders to help dissect these topics. Thanks for listening. This is into the sphere. Hi, Joe. Thanks so much for being here today and being our first guest on this podcast.
Joe Krull: It's an honor, it's a real pleasure to be here.
Amy Lane: I want to talk to you about the topic of managed security service providers or MSSPs. As many people know it, you have over 45 years in the security space, but MSSPs are a fairly newer service to organizations. Can you talk a bit more about some of the trends you are seeing in this space?
Joe Krull: Absolutely. And the fact that you said that the MSSP is really a, a new service in reality, it's not. If you go back to way back to 1997, there was a company called US West, which was the phone company, and they decided that security was a value add. So they put checkpoint firewalls out at their clients and managed those firewalls. That was really the first iteration. And shortly thereafter in 1999, somebody that's well known in the security space, Bruce Schneider, created counter pain in 1999, which really was the first full service mssp. Now, those first generation MSSPs were probably a lot less successful than you would expect, because it was too early to the market. A lot of organizations were reluctant to put their security in the hands of an organization outside of their own. But we've gone through several iterations. But now the good news is the MSSP is here and it's going to stay here.
Mark Tierney: So, Joe, one of the things we want to start with today is to talk about the market trends and what you are seeing in the MSSP world and sort of what is current and a little bit about what is coming forward in the future here.
Joe Krull: Absolutely. So I, I study the MSSP space quite a lot as an industry analyst previously, and also working for a large technology company. So MSSPs have been very close to my heart, but the current trend today is we have a lot of MSSPs, probably over 600, that are, you know, out there. Only the top two 50 really get followed by the industry because there's just so many companies out there. The trend was that a lot of organizations, a lot of entrepreneurs set up MSSPs and they really did it on a shoestring, and they were trying to get market share, and they realized the complexity of trying to run an MSSP in the sense of building capabilities, investing in, new service offerings software. But the real weak link for them was access to talent.
Joe Krull: It's really, really hard to staff a security operations center. It's hard to get security engineering support because we just don't have enough professionals in the space. If you fast forward to 2023, the big issue for MSSPs will be access to capital. They need money to grow, they need money to survive, and very few of these companies are wildly profitable. Many are just getting by. So when capital becomes restricted, what is the natural outcome? A lot of mergers and acquisitions, and in 2022, over 150 million and deals were done in the MSSA MSSP space. If you're a consumer of an MSSP, if you have a relationship with one, you can wake up on Monday morning and find out that company doesn't exist anymore or it's been acquired or it's gone out of business. And this is the trend that is going to flavor the rest of 2023.
Mark Tierney: You mentioned earlier about access to talent. Do you see the market responding in any way to that? Do you see clients or customers and businesses moving more towards that MSSP model to get that access to talent? And how do you see the market changing to adjust to that?
Joe Krull: That’s really the operative question, Mark. That's where we are; we're past that net knee-jerk reaction of saying, well, I'll never give the responsibility for security to an outside company that's de facto today. That's the solution, because these companies can no longer build and retain top talent. And at the same time, they want to offload things that are not their core business. So if they're manufacturing widgets or they're producing feature films, they don't want to invest a lot of money to build these capabilities and maintain them. They would rather look for a partner to do those things and do them well so they can focus on their core business.
Mark Tierney: Yeah, that makes a lot of sense. Going a little bit off from that topic, I know you've traveled the six continents, and have a global fan base. Of course I have that Barry White Radio voice. I think Marketing's expecting Joe Rogan-like expectations out of this podcast. But I want to talk about some of those things that people probably find are very interesting. Like, one of those things might be the ChatGPT and some of the AI and ML. And how do you see that impacting some of the MSSP world?
Joe Krull: You can't open a tech publication or even a mainstream newspaper today and not see about ChatGPT. It's been all the rage, but in fact, AI has started to enter the security space already. A couple of years ago, there were some bold claims made by certain companies that they are AI powered or AI driven. A lot of it was basic learning, but we've moved up the tech stack and now, and we're seeing real implementation of AI capabilities for the defenders. But at the, on the same, in the same vein, you also see the attackers starting to use AI capabilities. There were some theoretical issues of being able to produce malware using an AI engine to do that. So if the attackers are leveraging ai, we need to stay one step ahead of that. And unfortunately, as has been the case my whole career in security, we always seem to be a step behind.
Mark Tierney: Couldn't agree more. One other related topics, in terms of the outsourcing aspect, is holding CISOs more responsible on some of the recent events out there, in terms of their responsibilities and obligations or even criminal liability, and what this means to customers?
Joe Krull: Great question. And one that's on the mind of a lot of CSOs today in the sense that the case of the former Uber CSO who was actually convicted of a felony, because of the way that a breach was handled and was maybe less than transparent he could have been. Today every CSO must look in the mirror and say, “Am I going to be subjected to the same level of scrutiny? Are the decisions that I make and the things that I do going to hold up in the court of public opinion? Is it going to satisfy my customers? Are people going to take my decisions to the extreme and say that I have been negligent?”
But I'll be honest with you, it's not just chief information security officers. We're seeing the trend to hold all C-level executives responsible for their actions. We saw this, certainly, in favor of Sarbanes Oxley, which was supposed to implement more controls. It really didn't result in too many C-level executives being held accountable. But I think in 2023, we're going to see more and more scrutiny, more and more accountability, and everything that a chief information security officer does will have to be defensible.
Mark Tierney: And that's true. Is that true, both federally and on the state level and even internationally with things like GDPR? Do you see anything happening there?
Joe Krull: There are so many pitfalls you can get hit with as a CSO today. You can have a breach, which is obviously one; you can have a privacy violation, which results in significant fines or sanctions, or you can just make a boneheaded error, which would have a state Attorney General breathing down your neck saying, “Why did you do this? Why did you place our citizens at risk?” We like to refer to those in security slang as RRGs or résumé generating events.
Amy Lane: Do you think regulations will help MSSPs, or do you think it will hinder them in some of the ways that the regulations changing?
Joe Krull: I've always seen regulation as an opportunity, because sometimes you can't get people to do the right thing. They will pay lip service to protecting data or protecting customers. But really, if there's no skin in the game, if there's no regulation. Obviously financial services is the top of the heap. It's heavily regulated. So you have rules and guidelines and minimum standards that you need to follow. But when you move down the stack into like education or manufacturing or unregulated industries, then it gets really difficult because it's your word against leadership's word. And they're always looking at how much money they are spending on security and is it enough or is it too much? I think a regulated environment gives a security professional the opportunity to have backing and to navigate that crucial role of being the defender of data.
Amy Lane: In 2021, you wrote a paper—you were with IT group—about the security management partner there. You discussed organizations and why they outsource their cybersecurity program and how it could potentially fail. Can you go into a little bit more detail about that paper and what your perspective on that was?
Joe Krull: Sure. That was based on interviews with a lot of consumers of MSSP services, heart-to-heart conversations with chief information security officers and chief information officers. And really, the number one failure point was that the service organization treated their MSSP as a vendor and not a partner. What do I mean by that? In that it became very confrontational. They treated the MSSP as they would any vendor in the organization. Well, you know, you didn't do exactly what the contract said, and you're not giving me what I expect. And there was no expectation management being performed. And if you treat your security partner the same way you treat the folks that run the outsourced cafeteria, that's going to end up—you’re going to get into a situation where you can't rely on either side of the equation.
Joe Krull: So that was the number one point of failure, because the client expected a certain level of service, but they were treating their vendor as a vendor and not a partner. The next piece of that was that the MSSPs didn't really provide a service-level offering where they really felt like they could tell the client, “We recommend you make some fundamental changes in your security program,” or, “Here are some things that are coming down the pike, which will have an impact on your organization.” It became very transactional, and this is where MSSPs, I think could have stepped into the game and been more of an advisor as opposed to just someone who processes transactions or alerts to different anomalies on the network. It's more than that. You have to have a partnership.
Amy Lane: So the mindset really has to be equal on both sides of the partnership. Exactly. The client has to feel a certain type of way about the MSSP that they've hired, as well as the provider needing to express their interest in their client understanding what they need in a business. Correct.
Joe Krull: It's a bidirectional trust issue; the client has to trust the MSSP, and likewise, the MSSP has to trust the client. And if you don't have that, you start off your service initiation in a very, very bad way, and it doesn't get better over time.
Mark Tierney: Would you say that trust is enhanced or impacted any way by the view that MSSP has at the organization?
One of the things we like to consider is having that comprehensive view of all the data that comes in, having that complete security look. Do you think all MSSPs try to do that or do they look at certain portions? Do you think that affects the relationship at all?
Joe Krull: It does affect the relationship, and I'll give you a perfect example. I served a number of years ago as the interim CSO for a large pharmaceutical company, and we invited, or I invited a representative of the MSSP to sit physically in the staff meetings to learn what are the new business objectives, what are the challenges that we were having in the organization, and I made them a part of the core team of information security. And that way there were no surprises. And I think that no surprises should be written on the T-shirt of anybody that is involved in an MSSP relationship.
Mark Tierney: You mentioned earlier in the conversation about the acquisitions and naturally what's happening and a ton of activity last year and even moving forward into 2023. If I'm a business and, and that's happening, what are the things I should look at if I'm transitioning to a new or looking for a good partner there? What, what should I be doing?
Joe Krull: That's a great question. I think paramount as you start to look for a partner in the security space, the first thing you need to look at is do they have understanding and capability with businesses in my vertical market? Do they understand financial services? Do they understand healthcare? And if not, then I'm going to be getting a very basic service where they don't understand the unique requirements of my business. If I tick that off and I move on to the next thing I'm looking for, what are the service capabilities? What can I expect? What's issued as part of the, of the service? What can I call on them to do and what costs extra if I need value added services? So I need to control my costs. And as part of that equation, the third piece of that is what is the viability of this company? Are they fully funded? Do they have strong investors? Is this, something where they're living from month to month, they're having difficulty making salaries, they can't acquire new talent because they're cash strapped. I think that should be in the top three things you consider when you engage in MSSP.
Mark Tierney: All right. My final question on the topic of the future quantum computing, can you just give us a little bit of your of your thoughts on quantum computing, how that might disrupt the, the MSSP world these days and in general, the cyber world?
Joe Krull: Yeah, that's obviously something that's top of mind for me, kind of as a, a futurist in the technologist today. But, we've seen a lot written about quantum computing. We've seen a lot of theoretical, we've seen a lot of things coming out of research institutes and universities, but I'm here to tell you that it's real. We're now seeing practical application of quantum computing, and it's not an issue specifically for the MSSP. This is a global issue that's going to affect cybersecurity as a whole. When quantum computing reaches the capability and maturity to break the RSA algorithm we are in for some difficult times, we're going to have to re-engineer everything we do, and this is going to be a huge impact on financial services or asymmetric algorithms or, you know, they're the, the lifeblood of protecting data. And I know that the National Institute of Standards and Technology is looking at post-quantum algorithms, but they're way behind the game.
Joe Krull: I heard anecdotally that one of the candidates for post quantum was broken by someone with a basic laptop because rather than attacking the algorithm directly, they found a vulnerability in the administration of that. So if we're still finding these vulnerabilities late in the game, and we're working against a timeline where quantum computing could be real in the next three or four years, then we really need to step up our game. And every organization should have at least a strategy to say, what are we going to do to rotate off of these, vulnerable algorithms? Or how can we move our data into a protected enclave where fewer, applications and people have access to that sensitive data. This is going to change our industry in a very big way.
Mark Tierney: All right. I said final question, but now this is my final, final question. Looking forward a decade from now, what percentage of businesses do you think will be working with MSSPs?
Joe Krull: Yeah, that's a question I get a lot and I have a very strong point of view. In five years from now, if you are not working with a security partner, you're going to be an outlier. Because based on all of the factors that I've touched on, plus a few more in the fact that it's very, very difficult to run a top performing security team, even in mid-size or even smaller, large organizations, you're going to have to rely on outside parties to help you. And it's a force multiplier. You, you're going to be able to, instead of have the power of a 50-person security team, you could use a core group within your organization of a small number of people to manage the day-to-day security reporting upwards, doing compliance reporting, working with auditors and things. But the heavy lifting can be done by a partner. So if you're not doing it in five years, you're really going to be an outlier.
Mark Tierney: Outstanding. Joe, thank you. It was a great conversation. We really appreciate your insights and your time today.
Joe Krull: My pleasure.
Mark Tierney: Amy, what did you think?
Amy Lane: I thought the conversation was great as well, Joe, thank you so much. You provided some wonderful takeaways for our listeners learning that an MSSP should be a partner, not a vendor. They should have knowledge of their industry and also the viability of the company. You want to make sure that that MSSP can continue to provide those services in the long haul. If you have any questions or would like to recommend future guests or topics, feel free to email firstname.lastname@example.org. Thank you for tuning in and we'll catch you next time on Into the Sphere.
More from The Sphere Blog
Helping to identify the intersection of people, process, tools and budget for optimal risk control.