When an MSSP is too much for your small business
January 05, 2021
Cyber Security
There's something that doesn't feel right about most small business MSSP relationships. MSSPs, for those that aren't familiar with the term, are managed security service providers.
The origin of many of these engagements is fine and reasonable. When a small business operator knows that they should be doing more on the infosec/cybersecurity front, but doesn't want to hire a CISO or other security specialists, engaging an MSSP seems like a logical step. But, what happens next, is "too much" on many dimensions. Here's our perspective.
Too Much Opacity
The standard MSSP pitch is that they'll "take care of" infosec for your company. That they'll get your systems all protected with the latest and greatest tooling. Intrusion detection. Intrusion prevention. Patch management. Data loss prevention. Threat intelligence.
But if you didn't have a CISO in the first place, and all of this (and more) goes 100% off your plate to the MSSP, are you involved enough to even keep up with what exactly the MSSP is doing for you? Most small businesses that engage an MSSP quickly find that they feel "out of the loop" on what exactly is going on with their infosec systems and tooling. And that's a bad place to be.
Too Much Technology, Not Enough of Your Team
This section title might have caught you off guard. Is Havoc Shield really against bringing a full suite of technology into play, to defend small businesses from cyber attack? No. No, we aren't.
However, you should be suspicious when an infosec/cybersecurity plan feels like it's all going to magically happen behind-the-scenes without the involvement of the actual humans that do all of the jobs inside of your company. Those folks need training. They need phishing simulations. They need a gameplan for what to do about suspicious messages. They need an understanding of the "why" behind policies such as using a business-grade password manager instead of letting the browser remember the password. Cybersecurity involves humans -- ones that work with you, and for you... and ones that you work for (we've heard more than a few stories about CEOs and board members falling for cyberattacks).
Many MSSPs take a very tooling-heavy approach to security, and although the tools may be fine, no security program is complete without a heavy dose of involving the team in making a positive difference towards the company's security. Heightened awareness throughout the company is your best line of defense when the automated tools aren't enough to fully keep the cybercriminals away.
Too Much in Parallel
Ever take your car to the shop and come out with a list of twelve things that need fixing? Or have your home inspected only to find out that a dizzying array of repairs are needed? Or buy a new gizmo only to find out that there are four really enticing accessories that also feel necessary?
It's information overload. And (dare we say it?) it's a bit suspicious. Are there REALLY twelve things wrong with your car, so wrong that they need immediate repair? We're not so sure.
We've got the same thought, when an MSSP shows up and tells you that there are twelve things you really must do right away for your security. A more balanced approach (rarely seen) is a prioritized approach that surfaces a couple urgent items, a few others to consider over the course of the next few months, and a longer list of things to consider on a more relaxed timetable. That's the theory we followed when we designed the Havoc Shield platform. When you sign in, you shouldn't expect to find twelve tasks assigned to you for urgent completion. You should expect to find one, maybe two or three. But not more. Improving your cybersecurity posture is a marathon, not a sprint.
Too Much in Misaligned Fees
Project-based and hourly fees have their place. There is nothing wrong with having a service provider whose fees are driven by the talented people who are exerting effort on your behalf. Almost every company has that type of relationship with a lawyer, and probably an accountant. But do you really need hourly-based professional services to implement security training (for example)? At Havoc Shield, we'd say you don't. That element of your security strategy should be point-and-click in a web portal, with automatic invitation emails rolled out to your team. With links that they can click on at their convenience, to take online/digital training, that is then logged in an audit trail in case proof is ever needed.
But, for MSSPs whose business model relies on generating some additional professional services fees, it would be easy to fall into the trap of paying an hourly rate for a professional to prepare and deliver a PowerPoint style training session to your organization. And in almost all cases, that's more expensive and time consuming than just using something like the Havoc Shield platform to trigger a companywide training initiative.
Wrapping Up: When MSSPs are Too Much for Small Businesses
MSSPs are not inherently "bad" -- they can be a helpful part of a broad cybersecurity/infosec program. But, many companies would be better-served starting out with Havoc Shield. Our purpose-built platform feels approachable, and is set up to make it easy to self-serve your next couple cybersecurity priorities -- involving you and your team so that you know and understand "what's next" -- and giving you a very predictable fee structure that helps you make a lot of progress without racking up professional services fees. We're standing by, ready to serve you.