Should your MSP manage your cyber security?
We’re often asked whether we think an organisation’s Managed Service Provider (MSP) should be responsible for their cyber security. Initially it may seem like a question with a simple answer: after all, they’re responsible for the overall IT delivery, so surely that should incorporate cyber security?
As with most questions, the answer is a lot more nuanced than it may first seem. For a start, even when everything is kept in-house, organisations may have a cyber security team that is separate from their IT team, with the Chief Information Security Officer (CISO) reporting to the CEO, or they may be a single team under a Chief Information / Technology Officer (CIO/CTO). Add outsourced organisations to the mix and it becomes more complex to decide what the right answer is for your organisation.
To help organisations consider what may be best for them, we’ve put together a list of pros and cons to consider when deciding whether your MSP should also be your cyber security service provider. Here we’re talking more specifically about detection and response and SOC (Security Operations Centre) capabilities, as opposed to broader ‘MSSP’ services, such as managing firewalls, VPNs and other security tools.
Pros of your MSP managing your cyber security
The main benefits of an MSP managing their customers’ cyber security come from the simplicity of supplier/partner management:
'Single throat to choke' for all IT issues – having one partner to deal with can make life simpler, both when things go wrong, with less opportunity to pass the buck to a third party, and when things go well, with one organisation to build a strategy alongside. This benefit can become more or less pronounced depending on what (if any) other services you get from your MSP – for example, if you already get most of your IT services from your MSP then you won’t have to worry about managing too many suppliers, and so the benefit of having them also look after cyber security will be less significant. However, if you have multiple suppliers for your broadband and connectivity, hardware, software and overall IT services then it can be beneficial to rationalise (but we'd recommend rationalising the transactional services first).
Economies of scale – naturally, the more you spend with a supplier, the more leverage you should have with that supplier. Therefore, there can be a benefit in purchasing more of your broader IT services through one provider. However, as we’ll come onto under the ‘cons’ section, it’s worth being careful about which services you procure from a generalist provider; in general, it’s best to keep these to transactional services (such as broadband, hardware and software) where less expertise is required. Equally, whilst spending more money with a provider may make you 'more important' to them, it's worth considering the size of that organisation – if they're a large organisation then any spend increase may be insignificant to them at a single-customer level.
Supply chain security – a hot topic in the news at the moment (and for the foreseeable future); clearly, the fewer suppliers you have, the less risk there is from supply chain cyber-attacks. However, what’s more important is who will be targeted – it’s much more likely to be an MSP or software provider (and a large one at that) than a cyber security organisation, mostly because they’ll generally reach more organisations and are likely to be less secure than a company that is built around cyber security. The National Cyber Security Centre (NCSC) shared guidance on this a few years ago that is still relevant today, identifying MSPs as one of the biggest threat vectors for certain attackers. Indeed, Reuters wrote about the 'race to hack service providers' off the back of the successful Kaseya attack last year.
'Secure by design' – depending on the level of service your MSP provides (versus an in-house team), combined with their capability and quality, there may be benefits in having the same company work with you on your IT and cyber strategy together. In theory this should allow you to follow the ‘secure by design’ principle more easily. However, in reality, the IT and cyber experts will be different people, both in the MSP’s organisation and in yours, meaning that there’s still plenty of room for the reality to slip away from the theory. There’s also the likelihood of an internal conflict of interest and priorities, explored in the next section.
Cons of your MSP managing your cyber security
We’ve touched on a couple of the disadvantages within the advantages (we told you it was nuanced), but there are some more pronounced cons of having your MSP also look after your cyber security, namely:
Conflict of interest – there are two parts to this. The first is that you don’t know how your MSP’s P&Ls (Profit & Loss centres – mini business units internally) are managed. There’s a good chance that cyber and the MSP business will be separate P&Ls, with different P&L owners fighting to grow their individual business, even if they’re ultimately managed by the same Director or finance team. Internal politics can cause a conflict of interest, especially as the business strategy could favour one over the other, giving you a watered-down service in one aspect. The second part is:
'Marking your own homework' – another conflict of interest is the fact that if the MSP is providing security monitoring for an organisation whose IT they also manage, they may uncover potential security risks caused by their own setup, which could reflect badly on their delivery ability, or even be a breach of contract. A good provider will be completely open about this (and run regular external checks to spot such issues), but it’s all too easy to try and hide the mistake and fix it quietly – this may work 95% of the time, but with cyber security, all attackers need is a small window to exploit. It's also never easy to see the internal structures from the outside; to bring back the first bullet point, the IT and cyber teams could be completely different teams within the MSP, with different priorities and ways of doing things, reducing some of the benefits of consolidation. As an example, at e2e we never run penetration tests on ourselves or our customers, and always use an external provider to truly test our and our customers’ monitoring capabilities – the goal is to improve any weaknesses and the overall security of the networks, not to pat ourselves on the back.
Specialist vs. generalist – whilst an MSP providing cyber security services will, of course, have specialist cyber security professionals, having a specialist provider means that everyone you deal with is an expert in cyber security and focused only on that. Whilst IT generalists work well for the nature of an MSP’s role, cyber security is not something you can afford to have anything but the best people, processes and technology supporting you with. Another way to think of it is that MSPs are, by definition, service delivery experts, but bringing a service delivery approach to cyber security addresses only a small part of the challenge. The nature and speed of unknown attacks, and the need to investigate many different types of potential incident, demand a flexibility that a framework like ITIL is simply not built for.
Reduce reliance on a single provider – the flip side of having a single throat to choke is that over-reliance on one organisation can also be a risk: a single point of failure. If your MSP is providing multiple services then it becomes riskier to the continuity of your business should they run into any trouble, be that financial or in their operational performance.
In summary, at e2e we always recommend that organisations separate their IT and cyber security providers (including those in-house, which we’ll explore at another time). Whilst there are undoubtedly benefits to having fewer suppliers, we believe this is better left to more transactional services, such as those mentioned above (broadband, hardware, software etc.).
We only specialise in cyber security and, more specifically, SOC-as-a-Service and all things detect and respond (whatever MDR/XDR acronym you want to throw at it!). This allows us to be experts in what we do, not generalists, which when talking about cyber security is critical – the attackers are experts, so why wouldn’t you want the defenders to be?
However, we do recognise that there are benefits in the relationship between an MSP and a SOC provider, and so we work with a number of MSPs, cloud providers and systems integrators to provide joint services – still two separate organisations, but effectively working as a single service, with reduced risks (including removing the conflicts of interest, amongst others).
To find out more about the companies we partner with, visit our Partners page.
It’s also worth considering an even clearer cut between your MSP and SOC provider. The challenge can be in finding the right partner – one who has shared goals, where their financial performance improves as the customer’s security does (and the customer’s costs improve as their security does). We’ll explore this more in a follow-on guide, also looking at the different options available, from doing it all in-house to fully outsourced, with hybrid models in the middle.
If you’d like to discuss any of the points raised in this blog, fill out the form below and one of our experts will be in touch.