Refining the MSSP Model

The traditional Managed Security Services Provider (MSSP) business model is being challenged by circumstances and new modes of security outsourcing. The volume and severity of threats make the MSSP status quo less tenable. This, certainly, is what Tony Velleca, CEO of CyberProof, found as he launched his business.

Cyberproof is an outgrowth of UST Global, the IT services provider. Cyberproof came into existence because UST Global repeatedly encountered dissatisfaction with MSSPs among its clients. Their positioning on the inside of IT operations gave Cyberproof’s founders unique insights into what companies really wanted from a security provider.

“We’re quickly moving past the time when a business simply wanted to check a box that said, yes, we’re complying with regulations because we have a security monitoring service,” Velleca said. “The threats are too real today. Box-checking is useless. It’s getting harder for MSSPs who only provide that minimal service to demonstrate value.”

Tony Velleca, CEO of Cyberproof

Velleca also observed that some MSSPs are overly opaque. “They’re like a black box. Their alert response playbooks are proprietary, so the client may not understand why they’re getting alerted about an event or what the MSSP is doing about it.”

The Cyberproof approach has been to build its own platform, one that can integrate with the client’s existing SecOps capabilities. They are transparent. “We don’t want to be in the black box business,” Velleca added. “We develop a playbook that works for the client and implement according to a flexible service model.”

From there, Cyberproof adds an integration with the XM Cyber automated testing toolset. We’ve written separately about XM Cyber and its “Purple Team” continuous red/blue attack simulation software. “With these tools, we can offer the client a real time picture of their vulnerabilities and really work on managing cyber risk,” Velleca said. “We work with the client to think in terms of risk and facilitate a thought process where they allocate resources accordingly.”

The company has developed risk scoring processes to help clients identify risk areas with high potential financial impact. In addition, they deploy algorithms for automated event response playbooks. With these added services, Cyberproof is at the forefront of refining the MSSP business model.