MSSPs
Cybersecurity as a Service:
Meet the Advanced MSSP Taking on Vendors
Is the age of multiple vendors coming to an end? Next-generation managed security services provider CyberProof thinks so. Lucy Ingham hears from Adrian Bisaz, VP of sales & business development EMEA, about the company’s vision for the future of corporate cybersecurity
Businesses are more aware of the threats posed by cyberattacks than ever, and corporate spending is slowly following. But that doesn’t mean that it’s getting results.
“Even the big guys are coming to the conclusion that it's too difficult, it's too complex: I'm spending way too much money, I don't get what I want, I still have breaches,” says Adrian Bisaz, VP of sales & business development EMEA at CyberProof.
“If you look at these curves on how much the industry spends on security and how many incidents happen, they both go up. So something is wrong and we have to do something about that.”
While some companies are using managed security service providers (MSSPs) and others have chosen to build their own solutions using a selection of vendors, the problem is the same: for many companies, cybersecurity is simply not proving to be an effective return on investment.
The problem with cybersecurity
CyberProof was established by IT outsourcing provider UST Global, after conversations with existing customers – mostly Fortune 100 companies – highlighted a key issue with the space.
“They all played around with cybersecurity in one form or another and some of them have outsourced it, some of them have tried to do it themselves,” says Bisaz.
“The ones that have done it or tried to do it themselves, they realised that it's a lot more complicated than they probably want it to be and it is becoming more and more complicated.”
Among many larger companies it has become commonplace to run cybersecurity operations entirely in-house, assembling solutions from a range of vendors. However, Bisaz likens this practice to building a house yourself, where as the project progresses it proves more expensive, complicated and challenging than it initially seemed.
“After four or five iterations you say 'OK, if I would have just given it to somebody who knows what he's doing it would cost me less time and probably less money at the end of the day',” he says.
“The managed security service providers weren't really able to demonstrate the value to those companies.”
Others have turned to MSSPs, but these have often proved to be similarly challenging.
“The managed security service providers weren't really able to demonstrate the value to those companies,” explains Bisaz.
“So a lot of companies told us: 'well we outsourced it, but we don't really know what we get. We still have breaches. We still have issues. We have tons of information, nobody does anything with it'.”
This, says Bisaz, has led to a lot of companies returning to self-management of cybersecurity once their three-year contract is up, leading to a “position of dissatisfaction” in both cases.
Meet the advanced MSSP
As what it calls an “advanced MSSP”, CyberProof believes it has the solution to this problem.
“When we set up CyberProof we said 'OK, what is it that we need to change?',” Bisaz says.
“There's a couple of dimensions that you have to look at: what people do you use in order to provide the value? Where are these people located? What processes do you use? How efficient can you make the information? And then what are the pieces of technology that you bring in in order to provide you with the information that is relevant for a company?”
CyberProof’s solution was to build a cloud-based platform that brought together top-tier cybersecurity expertise, day-to-day operational management and local knowledge.
“We set up this new model of operating out of a cloud, leveraging the greatest technologies that we think are really providing value, integrating those technologies and then creating a collaborative environment,” he says.
“[This involves] people that have really deep nation states-type security expertise out of our center in Israel; very hands-on lower cost capabilities out of India [and] regional local resources that have the capability of understanding what the data that is important for the particular customer.”
“The mean time to respond is minutes, it's not weeks or months like the experience that many of our customers have with their traditional MSSPs.”
There is also support from more artificial sources.
“We've even enhanced it by putting some machine technology in it, so our best analyst, his name is SeeMo,” he explains.
“He is an artificial bot that is part of that collaborative environment and can replicate tasks that he sees happening all the time or can access information in a way that an analyst would have to open up another screen and then find.”
This combined approach is designed to dramatically up efficiency and accuracy, while keeping costs low.
“I think two things that separate us: it's efficiency in the way we do it and accuracy in the way that we provide the information to the company,” says Bisaz.
“You can never be at 100% coverage, but the goal that we're setting ourselves is knowing that everybody is going to be breached at some point in time, the mean time to respond is minutes, it's not weeks or months like the experience that many of our customers have with their traditional MSSPs.”
The future of cybersecurity?
For CyberProof, the hope is that this approach will become the model for cybersecurity in the future for all but the biggest companies.
“I could argue with anybody about the benefits of leaving the specialists to do what they do best and having each company focus on their prime problem,” says Bisaz.
He argues that this approach is simply following other aspects of the business that have been outsourced as companies focus on their core competencies.
“Today few companies do their own printing. They're outsourcing it to somebody because it's not their core business, and security is the same thing,” he explains.
“It's not a core business for 99% of the companies. Why waste time trying to do it yourself if you can have somebody that can provide you with the highest level of quality at a price that makes sense?”
“It's just a matter of economics and return of investment.”
And price may prove to be the most compelling reason for many companies to make the switch.
“If you want to do 24/7 supervision today in an operation, you have to have at least 14 people to make it work: 14 people 24/7 monitoring. You have to find the right people,” he says.
“You can get a 24/7 service from a company like CyberProof for less than £200,000 a year. You can multiply 14 people times let's say an average of £60,000, even like a factor of five to 10 times higher if you want to do it yourself, and it's not even a given that you actually can do that yourself.
“So it's just a matter of economics and return of investment. And eventually, I think, everybody will come to that conclusion.”
PR nightmares: Ten of the worst corporate data breaches
LinkedIn, 2012
Hackers sold name and password info for more than 117 million accounts
Target, 2013
The personal and financial information of 110 million customers was exposed
JP Morgan, 2014
One JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m
Home Depot, 2014
Hackers stole email and credit card data from more than 50 million customers
Sony, 2014
Emails and sensitive documents were leaked, thought to be by North Korea im retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un
Hilton Hotels, 2015
Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data
TalkTalk, 2015
The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen
Tesco, 2016
Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts
Swift, 2016
Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve
Chipotle, 2017
Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang
LinkedIn, 2012
Hackers sold name and password info for more than 117 million accounts
Target, 2013
The personal and financial information of 110 million customers was exposed
JP Morgan, 2014
One JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m
Home Depot, 2014
Hackers stole email and credit card data from more than 50 million customers
Sony, 2014
Emails and sensitive documents were leaked, thought to be by North Korea im retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un
Hilton Hotels, 2015
Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data
TalkTalk, 2015
The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen
Tesco, 2016
Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts
Swift, 2016
Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve
Chipotle, 2017
Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang