Before I start I want to be clear: I work for an MSP/MSSP in Brisbane. So before all of the rest of you MSSPs and MSPs throw me under the proverbial bus, read my article and understand the point I am trying to get across here first. Then if you still want to do that, go for it.
I am a regular attendee at security events and meetups, as I feel that I need to learn as much as I can from any source I can; it makes me a better person to always look for the learning opportunity in every situation or interaction. Over the last few months, though, I have started to pick up on something that troubles me somewhat: a trend in the response to a general question at professional socialising events or meetups.
Where do you work? Or, what do you do for a living? Simple questions that we all get asked in many different situations, but when I answer that I work for an MSSP (Managed Security Service Provider), I get a sort of negative reaction from some of the people I talk to. I thought this was a little strange, so I started to ask why this was so. (To be honest, I think I made a few people a little uncomfortable with that question, but I think it was necessary to get to the bottom of the cause.) After some encouragement from me, I started to get a similar answer to my enquiry, and it was basically this: "MSSPs are just after their next sale, they don't really want to help. They just want to sell the next shiny thing in security and make their sales quota".
The first time I heard this response I was a little surprised; in the organisation I work for, that is not what it is all about at all. We got into the security arena as we were concerned about our customers' businesses and the effect that a large-scale breach could cause. That's why I was hired in the first place: to make things as secure as we could. So, as you could imagine, I was a bit thrown back by that statement, but I then got the same response from a couple of other people I talked to about this.
This was what people thought about MSSPs, and it made me a little angry if I am being honest. I have since done some more research, and there is a trend where MSSPs just keep pushing solutions down the throats of their customers and potential customers to meet ridiculous targets set by their organisation’s management. This is not what managed security services is supposed to be about.
I believe that managed security services are supposed to be about much more than sales. They are supposed to be about giving businesses that do not have the need or the resources to put on a full-time security team access to one, and for that team to make that business more secure. We are supposed to give them access to skills and resources normally only available to large enterprises with large budgets, and sometimes even be an extension of those security teams when the need arises.
This scenario is made possible as we spread the costs of training our teams in high-demand areas that are hard to come by, which makes it a much more palatable cost than doing it individually in each organisation. It is more cost-effective and it is easier to get access to different skill sets as needed. This model allows MSSPs to offer enterprise-grade services to small businesses, not just the bigger end of town.
Now, this idea that businesses need to just throw money at security and the problem will go away is ridiculous, and this needs to stop NOW. Don’t get me wrong, sometimes you do need to throw money at a problem to get it under control, but that should not be the standard response for every security issue. We as MSSPs need to stop and talk to the organisations and really listen to how they operate on a day-to-day basis. Consider how security is handled and firstly change behaviour, so that a business can help protect itself from mistakes that could be easily solved by just making them aware of the underlying risks that accompany an action or process.
Teach the clients to be better and do better before throwing money at the problems; on many occasions this just Band-Aids the problem and in some cases doesn’t actually do anything at all to help. Just to put everything out on the table, so to speak: yes, MSSPs are businesses and need to make money in order for us to still exist and provide the described services to our clients, but do it in a professional way and don’t gouge your clients. Charge reasonable prices for good quality services. It’s pretty simple and something I feel we do at Davichi, but this isn’t just about Davichi, it is about the industry as a whole.
So, all you MSSPs out there reading this, pull your head in and do the right thing by your clients and the rest of us in the industry trying to do the right thing by our clients. We can all still make a good living out of providing these services, but it will hopefully stop me having to have these awkward conversations with random strangers.
As per normal, tell me what you think; disagree if you like and tell me your side of the argument. It will be best for everyone if we can air our dirty laundry. MSSPs will all sleep better at night if we can, or at least I think I will.
Till next time…