Anthony (Tony) Sabaj is currently the Director of Channel Security Engineering for North America at Check Point, with over 25 years of experience in cyber, information and network security. Tony has been at Check Point since 2002 in a variety of sales and technical roles. Prior to joining Check Point, Tony was a Senior Product Manager at Telenisus, a startup MSSP/VAR in Chicago. In 2001 the MSSP business of Telenisus was sold to Verisign to start their MSSP business and the VAR business was sold to Forsythe to start their Security Practice. Tony joined Forsythe shortly after that acquisition as a Security Consultant and Certified Check Point trainer. Tony started his career with Arthur Andersen/Andersen Consulting, building their worldwide IP network, designing the security controls for the firm and helping build their external Security Consulting Practice.

In this two-part interview series, Tony Sabaj discusses the adoption of Managed Security Service Providers (MSSPs). From a discussion of whether or not to outsource security in the first place, to the pay-as-you-go model, to MSSPs’ service level agreements, this interview provides premium cyber security insights.

In what types of circumstances are organizations better off keeping cyber security in-house?

Any organization can benefit from varying uses of MSSPs. It may be a fully outsourced solution, just incident response retainer services or somewhere in between. In my experience, I see less use of MSSPs in very large and highly regulated industries, finance and energy for example. However, MSSPs exist specifically for these market segments.

What should MSSPs consider as they choose security solutions for clients?

MSSPs need to be able to deliver security solutions with more expertise and better efficiency than an organization can do in-house. To achieve this, the MSSP needs to develop a security platform and security processes, and be able to deliver them consistently. MSSPs need to be experts in the tools and products that they utilize. An MSSP cannot be cost effective by delivering solutions with a myriad of tools. They need to base their solutions around a core set of security solutions to enable them to achieve the operational efficiency required.

How can MSSPs ensure that security solutions increase revenue and minimize churn?

One trap that I see MSSPs fall into is trying to be everything to everyone. By taking that approach, an MSSP loses the economy of scale and just becomes an outsourcer or staff augmentation solution, which can be a successful business model, but not an MSSP business model.

What are your thoughts on pay-as-you-go consumption models when it comes to cyber security for MSSPs?

The pay-as-you-go/consumption/OPEX model is a key element of the value of an MSSP. The MSSP has already made the initial investment in creating a security delivery platform and can deploy these solutions repeatedly for their clients. Organizations today are shifting to consuming technology on a consumption basis in general. IaaS (Infrastructure as a Service for public and private cloud), SaaS (Software as a Service), PaaS (Platform as a Service), SD-WAN (Software Defined WAN), SASE (Secure Access Service Edge), to name a few, are mostly consumption-based solutions. An MSSP that is delivering security for these solutions needs to deliver them in a consumption model.

A few points that organizations should consider when choosing/exploring MSSPs:

  • What value is the MSSP providing? Are they offering a service that is more efficient than doing it in-house?
  • Do they understand your business and regulatory/compliance requirements? Can they provide sufficient audit documentation to satisfy these requirements?
  • Do their SLAs (Service Level Agreements) match or exceed the organization’s SLAs/requirements? In the event of a security incident, are the processes documented, agreed upon and known by both parties? Is the MSSP providing incident response services (XDR)? During a security incident is not the time to learn this process.

Most organizations can benefit from the expertise and efficiency that an MSSP can provide. The use of an MSSP could range from just providing email SaaS security or managed detection and response services to a full suite of managed security services that encompass most of an organization’s security program. Organizations are still ultimately responsible for the security of their organization, but the right MSSP can be a valuable partner for organizations.