The Appeal of Managed Security Services for InfoSec Policy Implementation

Should you engage with a Managed Security Services (MSS) provider? This was a question I posed to Terry Jost, Principal at Ernst & Young’s Advisory Services at RSA 2018. Terry, who came up through the ranks at IBM before joining EY, offered a variety of insights into how to best answer this question.

Terry Jost, Principal, Advisory Services at E&Y

“It is really about principles,” he said. “What are the principles that guide your business? If you’re clear on those, then it’s relatively simple to determine the right security policies—and from there, you can start to figure out if you’re best served by an MSS.” As an example, he cited privacy. “If privacy is a key principle in your business, meaning it’s absolutely critical to your strategy and value, then you will build strong policies around privacy.”

Jumping from policy definition to policy enforcement

“Jumping from policy definition to policy enforcement, however, may take an MSS,” he added. “Of course, it depends on the organization and many factors. These include cost, complexity, speed of solution delivery and people. It may require extended time periods to select, procure and yber security solutions. “With an MSS, you accelerate the securing your business… with an instant ‘step level improvement of cyber security hygiene,’ so to speak: Protect data, scan and protect networks, manage identities and authentication… an MSS can start with these core solutions supporting your cyber policies right away.”

Jost has worked with many organizations in determining whether in-house or MSS is the best approach. In his experience, mid-market corporations are great candidates for MSS, though large enterprises also have many of the same challenges and benefit from augmented solutions. Finding the right people, for example, can be a major headache. Vendor management is also an issue. “Sometimes, a company will be excited by a security tool and buy it, only to struggle with the inevitable admin burden that comes with it,” Jost said. “It’s like having a pet, , it requires nurturing and feeding. ”

Good for the basics

Managed Security Services are good for the basics, according to Jost. “If you have very sophisticated needs, you may need to do those in-house, but you can make that your focus and leave the basics to the MSS,” he said. “Then, you alternatives and avoid having to to do it all yourself. You can develop important competencies and recruit the people you need for specialized cyber roles without having to worry about managing, staffing and operating every aspect of your SecOps.”