Cyber for Hire
CFH #23 – Bill Brenner
Today marks the beginning of the Identiverse conference in Las Vegas, where leaders in security gather to discuss advancements in the world of identity and access management. For MSSPs that specialize in managed IAM services, it's important to stay on top of the latest trends, including those revealed in a series of reports and articles that CyberRisk Alliance has published as part of its overall Identiverse pre-show coverage. For starters, CRA's Security Buyer Intelligence Report on IAM looks at the progress organizations have made toward implementing user-friendly IAM, the biggest pain points impeding their IAM journeys, and the tools and solutions that adopters are prioritizing. This session will discuss these and other findings from CRA's coverage.
Obviously, managed security providers want to optimize their rapport with customers. But don't overlook the importance of fostering a mutually beneficial relationship with your cyber solution vendor partners as well. In this segment, we'll look at how MSSPs can best leverage their vendor agreements to ensure they're receiving top-notch, responsive service and gaining access to the most up-to-date solutions and the most flexible pricing plans.
Segments
Managed IAM: The Quest for an Evolved Identity Experience – Bill Brenner – CFH #23
Optimizing Vendor Relationships: How to Get in Your Partners’ Good Graces – CFH #23
CFH #22 – Don Pecha
Infosec leaders shouldn't just be reporting to the board room to explain themselves when things go wrong. They should be a regular part of the strategic business discussions that take place inside a company's executive halls. That's true whether they're directly employed by the company or they're a contracted vCISO provided by an external managed services provider. In this segment, we'll discuss how managed service security leaders can land themselves a coveted spot in the board room and assert their influence on future business decisions.
It's understandable why many organizations' cyber investments heavily concentrate on protecting core networks and data centers from breaches and ransomware attacks. But let's not overlook the importance of ensuring that your website remains operational, especially when it directly drives revenue through sales or advertisements. Threats such as DDoS, bots, e-skimmers, malvertising and drive-by downloads continue to plague websites -- so why aren't there more managed service providers offering specialized help in this area?
Segments
Breaking Down the Board Room Barrier: Positioning the vCISO as a Key Business Voice – Don Pecha – CFH #22
Are MSSPs Snubbing Web Security? Why Websites Take a Back Seat to Network Needs – CFH #22
CFH #21 – Merike Kaeo
Risk assessment questionnaires are a standard practice when evaluating current or prospective third-party partners. And yet some folks may justifiably ask: How valuable are these questionnaires if there are no consequences for fudging your answers, or even outright lying? This session will examine common weaknesses and oversights in the third-party assessment process, while recommending how to improve vendor transparency by obtaining key documentation, asking the right questions, and enforcing regulations.
A great many MSSP security professionals are truly passionate about making the digital world a safer place for businesses and their users. But at the end of the day, it is still a business, and good cybersecurity isn't free. And therein lies the strategy around pricing: What pricing models work best for your organization and appeal most to your customer base? And how do you ensure that your pricing policies are fair and transparent? This session will examine the key considerations and best practices around pricing and billing.
Segments
Removing the B.S. from Third-Party Risk Assessments – Merike Kaeo – CFH #21
Pricing Practices That Fit the Bill – CFH #21
CFH #20 – Pete Bowers
What’s the best way to ensure operational resilience against cybercriminals’ tactics, techniques and procedures? Well, just rearrange the letters in TTP, and you get PPT: people, process and technology. This session will examine how organizations can score, benchmark and improve their cyber resilience through a combination of security processes, proper cyber hygiene and employee behavior, and a robust technology infrastructure. To do it right, all three elements need to be in place.
The worst has happened. You failed to protect one or more managed services clients from a cyberattack. Maybe you were even infected yourself. Or perhaps a failed product launch or negative engagement with a customer has resulted in a scathing review. There are lots of ways an MSSP can wind up with a tattered reputation -- and sometimes they're not even fully to blame. And that's why a good incident response and disaster recovery plan means not only getting your IT networks up and operational again; it also means salvaging your reputation and not letting this incident define you. This session will look at strategies for restoring your image after something goes very wrong.
Segments
Cultivating Operational Resilience Through People, Process & Technology – Pete Bowers – CFH #20
Rehabilitating Your Reputation After a Security Setback – CFH #20
CFH #19 – Mike Hamilton
The cyber talent shortage is well documented. Rather than just trying to outbid each other in a competitive job market, wouldn't it be nice if MSSPs were also able to build out their talent pipelines through professional development programs? This session will look at strategies for creating an assembly line of ready-to-go cyber professionals to add to your managed services team, including coordinating with cyber universities and boot camps, and sponsoring apprenticeships, mentorships and internships.
In the last few years, many companies have found that their home offices and their internal on-prem networks are no longer always the central core around which their business operations revolve. Even with more employees returning to the office now, remote and hybrid workforce models are here to stay, thanks to an exponentially increased reliance on cloud-based architecture and services, as well as edge computing practices that allow for the processing of data closer to edge devices. All of which means that critical data and business functions are constantly taking place right at the network's edge -- a perimeter that these days is becoming difficult to define. In this segment we will examine how cybersecurity models must adapt in order to accommodate this recent shift in network dynamics and architecture.
Segments
Populating the Talent Pipeline Through Professional Development – Mike Hamilton – CFH #19
Work-from-Anywhere: Securing the Blurry Edges of Your Network – CFH #19
CFH #18 – Juan Valencia
Your favorite intelligence feeds are warning of several up-and-coming new campaigns that are victimizing companies much like your clients. Maybe they're even targeting MSSPs themselves. Now it's up to you to assess and prioritize these latest threats, and determine to what extent they require you to change your approach, institute additional safeguards, or update your security awareness messaging. What's a reasonable response? What's a knee-jerk overreaction? This session will examine how managed services providers and security professionals in general should and shouldn't react to the latest threat intel release. Our guest will also review some of his favorite top trends and incidents from this past year's Verizon Data Breach Investigations Report.
Jugglers! Magicians! Freebies! You can find plenty of commotion and distractions on the show floor at the RSA conference or any major cyber convention for that matter. If you're a managed security services provider trying to sell your wares, it can be a challenge to distinguish yourself amid all the noise and chaos of events like these. This segment will offer tips and recommendations for making your customer impressions more memorable so that you stand out from the rest of the crowd and your marketing message is not lost in the blur. At the same time, we'll also examine what questions savvy MSSP leaders should be and likely will be asking on the show floor as they hunt for the right vendor partner.
Segments
Threat Intel Reports: How Reactionary Should You Be? – Juan Valencia – CFH #18
The RSA Conference: How to Stand Out on the Show Floor – CFH #18
CFH #17 – Michael Smith
Who won the Super Bowl this year? Everyone did, in the sense that there were no major cyberattacks that disrupted the flow of the "Big Game" -- unlike, for instance, the Pyeongchang Olympics, where ticket distribution was affected on the night of the Opening Ceremonies. For contracted cybersecurity services providers, protecting a prestigious one-off event like a sports championship or political convention brings major challenges such as building a secure network infrastructure at a temporary location, identifying the unique risks and relevant threat actors associated with each particular event, and combining physical security with digital security. In this session, the former cybersecurity adviser for the 2014 FIFA World Cup and 2014 Winter Olympic Games will examine these and other challenges, while citing best cyber practices associated with large-scale gatherings.
It's a tough call for MSSPs: Be really good at a small subset of services, which potentially limits your customer base? Or become a jack of all trades, but potentially stretch your resources thin and risk the possibility that you won't be able to truly master any of your specializations? This session will hopefully help cyber service providers find a happy medium between these two outcomes, by examining when it's best to stay in your comfort zone and when to broaden your horizons.
Segments
The Game Within the Game: Securing the Super Bowl & Other Large Gatherings – Michael Smith – CFH #17
Go Broad or Stay Specialized With Your Services? The Quality vs. Quantity Debate – CFH #17
CFH #16 – Craig Robinson
Having a clear and cogent taxonomy that classifies your managed cyber services into distinct buckets or categories is an important step for MSSPs looking to define and differentiate their market offerings to clients. Customers can refer to your taxonomy to better understand your scope of services and ensure they don’t leave gaps in their security plans, while you as a service provider can leverage your own taxonomy to assess your portfolio and identify future opportunities for deliverables. Also in the second half of our discussion, we’ll look at some recent results from assessments of managed services companies in various cyber taxonomy categories, exploring what the best performers are doing differently in order to excel.
Creating a zero-trust architecture is a gradual process that starts with understanding precisely what you need to implement a “never trust, always verify” approach within your extended organization. Rather than materializing all at once, organizations often develop a ZTA in phases over time. However, during this maturation process, gaps in zero-trust processes can form – creating potential weak spots. This session will look at some of the most common holes that develop in zero-trust architectures and the steps that can be taken to close them.
Segments
How to Organize Your Managed Services Taxonomy & Excel in Key Categories – Craig Robinson – CFH #16
The Biggest Zero Trust Architecture Gaps You Need to Fill. – CFH #16
CFH #15 – Jessica C. Davis
What are the market trends that are driving growth and changes in the managed security service provider market? MSSPAlert.com, an affiliate of Cyber for Hire, does an annual survey of MSSPs to find out about growth trends, technology providers, different types of incidents they see in their work with small and mid-sized businesses, and other information and insights. In this edition of Cyber for Hire, we’ll talk about some of those trends revealed in the survey. For instance, some of the factors driving growth in the MSSP market today include the global shortage of talent across enterprise, mid-market and small organizations. Hybrid and remote work are another factor that is contributing to demand for MSSPs. Find out more about what’s driving the growth as well as other market trends in and around the MSSP market in this episode of Cyber for Hire.
Segment Resources: Link to subscribe to a newsletter that will alert you of when we open our MSSP 250 Survey for 2023 (second one from the bottom): https://www.msspalert.com/sign-up-for-enewsletter/
Ask Jessica C. Davis, editorial director of MSSPAlert, any questions about participating in the research at: [email protected]
ChatGPT and all of its competitors are not just text generators; they are also powerful tools that can be used for good or for evil in the realm of cybersecurity.
• What are the implications for MSSPs in the scope of their own services as well as the threat vectors for clients?
• What are the applications of generative AI for hackers and threat actors?
• What tools are available or in development to help security service providers deal with the escalating quantity and quality of attacks?
Segment Resources:
• https://www.darkreading.com/vulnerabilities-threats/generative-ai-changes-everything-we-know-about-cyberattacks
• https://www.theregister.com/2023/03/28/chatgpteuropolcrime_report/
• https://www.msspalert.com/cybersecurity-services-and-products/ai/microsoft-debuts-ai-chatbot-for-cybersecurity-defenders/
Segments
What’s Fueling Growth for MSSPs Today? – Jessica C. Davis – CFH #15
Cybersecurity in the Age of Generative AI – CFH #15
CFH #14 – Matt Miller, Joe Alapat
Now in its eighth iteration, the Center for Internet Security's Critical Security Controls (CIS Controls) framework provides organizations with 18 categories of high-priority best practices that they can follow in order to improve their cyber hygiene, while remaining in step with key regulations. In this segment, we'll look at what MSSPs and their client base need to know if they opt to follow CIS' guidelines vs. other competing frameworks. What are the biggest barriers to successful implementation? What are the biggest benefits? Which best practices are managed services providers best equipped to conduct, and where might they need some assistance?
This segment is sponsored by Liongard. Visit https://msspalert.com/liongard to learn more about them!
It's a tough call for MSSPs to make, but sometimes when a client relationship isn't working out, it may be time to cut your losses. Perhaps the customer isn't honoring its commitments to security hygiene; or maybe you're at odds over strategy; or it could be that they are a drain on your resources. This session will examine when to know it's the right time to go separate ways -- and what's the most professional and responsible way to end your relationship.