Cyber for Hire
Supply Chain Security: How Moving Accountability Upstream Helps & Hurts MSSPs – Dave Sobel – CFH #29
One of the most significant takeaways of the White House's recently unveiled National Cybersecurity Strategy is the assertion that software developers, OEMs, and technology service providers must bear the brunt of the responsibility -- rather than end-users -- for keeping cyber environments secure. With the prospect of further legislation and regulations looming that could impose greater liabilities on software products and services, MSSPs and other cyber services providers must understand where they fit into the overall scheme of things. Are MSSPs an extension of the end-user, or are they one of the upstream providers who will be held accountable when cyberattacks occur? In what ways will the burdens on MSSPs be reduced or shifted due to federal efforts around coordinated vulnerability disclosure, SBOM use and other supply chain security strategies? This segment will explore these key issues.
There's a lot that goes into the creation of a managed services contract before the client ever puts their John Hancock on the dotted line. As an MSSP, you want to make sure that expectations for both sides of the relationship are spelled out clearly and cogently. The language within must address key terms and stipulations related to payments, roles and responsibilities, scope and scale of services, liability, and plenty more. In this segment, we'll discuss some of the most important clauses to include in your MSSP contracts, and how to avoid unfortunate omissions or vagueness that can result in confusion or disputes down the line.
Segments
Supply Chain Security: How Moving Accountability Upstream Helps & Hurts MSSPs – Dave Sobel – CFH #29
Sign Language: How to Write Effective Security Services Contracts – CFH #29
Balancing Dark Web Threat Intel: Fair Attention for MSSPs – Alex Holden – CFH #28
Our guest for this segment spends his days where others dare not tread: the deep dark web. Here he collects information on cybercriminal activity that could be a precursor to a major attack, or evidence that one has already occurred. For companies that can't or won't conduct dark-web recon for themselves, outsourcing this threat intelligence service is a valuable option. Still, this kind of contracted services relationship works only if the provider keeps its intel reports relevant, customized and timely. This discussion will cover how to make the most out of such an arrangement, as well as reveal some of the most prevalent threats swirling around the corners of the dark web today.
Every MSSP customer is different in their own way. But they all deserve to remain secure from attacks. And so it's important that managed services providers don't play favorites to the point where certain clients eat up a disproportionate amount of time and resources. MSSPs must ensure that they are fairly and proportionally allocating their account reps, technicians, support specialists, consultants, security analysts, pentesters and a host of other employees across their entire customer base. This segment will examine recommendations on how to better accomplish this objective.
Segments
Patrolling the dark web: The challenges and opportunities of outsourced threat intel – Alex Holden – CFH #28
Equal Time? Ensuring Each MSSP Client Gets Their Fair Share of Attention – CFH #28
Brian Johnson – CFH #27
Try as they might to keep their clients in compliance with privacy and security regulations, managed services providers are still at the mercy of the organizations they serve. Unfortunately, companies don't always follow the MSSP's or vCISO's advice on items like responsible data stewardship, privacy policies and breach notification. If an attack does transpire and the company draws the ire of regulators, the security services provider could end up a scapegoat, or even embroiled in a liability case. This Q&A discussion will look at what recourse an MSSP or vCISO service has when their customer fails to make basic compliance a priority.
The consequences of a cyberattack can be devastating, and it does make sense for managed security services providers to impress on their current and prospective clients the risks of not investing in prevention and response. However, many cyber thought leaders believe that certain lines should not be crossed. Advice is one thing; fearmongering is another -- and if you pursue the FUD angle too hard, you may simply come off as a predatory opportunist looking to push your services on the customer. This discussion will reveal how to convey your message and market your services in a way that doesn't exaggerate existing threats and turn off your clients.
Segments
Non-compliant Clients: Righting the Ship Before Regulators Pounce – Brian Johnson – CFH #27
Beware FUD: Avoiding Fear Tactics when Selling Your Managed Services – CFH #27
M&A Integration Challenges & Alert Fatigue: MSSP Strategies for Client Escalation – Jim Broome – CFH #26
Last year, ChannelE2E listed more than 1,000 merger and acquisition deals involving MSPs, MSSPs and other similar service provider organizations. Typically when any M&A deal occurs, there are bound to be redundancies and overlaps in services, tools and personnel. For MSSPs that find themselves in this situation, it's important to consolidate and integrate the best of their assets across multiple entities, while maintaining operational consistency. This is no small task, but this segment will offer examples and tips to help move in the right direction.
MSSP SOC analysts are often barraged with security alerts that pop up as anomalous activity is detected on clients' networks. Not all of these notifications are worth reporting and acting upon, but it takes only one overlooked incident to result in a full-fledged attack on the customer. This segment will look at the perennially challenging question of when it's the right time to let your clients know that something may be amiss, without inundating them with unnecessary reports. Also, we'll examine how automation can help reduce the burden on strained SOC analysts.
Segments
M&A Madness: Overcoming MSSP Integration Challenges Following an Acquisition – Jim Broome – CFH #26
Avoiding Security Monitoring Alert Fatigue: When Do You Escalate to Your Client? – CFH #26
Quantifying Risk & Optimizing Responses: Scaling Your MSSP for Reduced Randomness – Ira Winkler – CFH #25
Risk isn't a static measurement. Threats like malware campaigns, vulnerabilities, human error and unreliable third-party partners can fluctuate in their severity depending on ever-changing circumstances. That's why knowing which risk is of highest priority at any given time can allow MSSPs to dynamically adjust their prevention and mitigation efforts, for both themselves and their clients. But which sources of risk do you measure, and what factors go into such a calculation? How frequently do you remeasure? And upon learning the latest risk scores, what are sound tactics for prioritization, response and mitigation? This session will explore the big questions surrounding risk quantification and optimization for managed security providers.
Managed services providers know that investments in talent, tools and infrastructure can take a heavy financial toll. But as MSSPs continue to grow and take on more clients, they can hopefully achieve certain economies of scale such that their previous infusions of funds eventually pay for themselves. This session will look at the key investment areas where security providers can get the most bang for their buck as they expand their business and expand their customer base.
Segments
Risk Quantification & Optimization: Reducing the Randomness of Risk Response – Ira Winkler – CFH #25
Generating Economies of Scale With Your MSSP Business Model – CFH #25
Going Passwordless: Preparing Your Clients for a Credentials-Free Future – Christine Owen – CFH #24
It's been a big year for the passwordless movement, with tech giants Apple, Google and Microsoft supporting the FIDO Alliance's efforts to replace conventional credentials with passkey technology. Still, passwords have long been ingrained in people's daily routines, so users may need some convincing to change their behaviors. And likewise, managed security services providers may need to persuade their own corporate clients that passwordless is the future. This segment will examine some of the key breakthroughs and remaining challenges surrounding passwordless technologies from an MSSP perspective.
You’re a big fish in a pretty big pond. But there are vast oceans to explore. Do you test the waters or not? For MSSPs who have prospered regionally, there’s a lot to be considered before expanding into new geographical territories, especially international markets: business culture differences, market preferences, regulatory factors, language barriers, and differences in cyber threat risk factors. This segment will examine these factors as well as the client’s point of view. After all, you need to figure out how to sell to them as a newcomer in a particular market.
Segments
Going Passwordless: Preparing Your Clients for a Credentials-Free Future – Christine Owen – CFH #24
Defining Your Geographic Market: Stay Regional or Go Global? – CFH #24
CFH #23 – Bill Brenner
Today marks the beginning of the Identiverse conference in Las Vegas, where leaders in security gather to discuss advancements in the world of identity and access management. For MSSPs that specialize in managed IAM services, it's important to stay on top of the latest trends, including those revealed in a series of reports and articles that CyberRisk Alliance has published as part of its overall Identiverse pre-show coverage. For starters, CRA's Security Buyer Intelligence Report on IAM looks at the progress organizations have made toward implementing user-friendly IAM, the biggest pain points impeding their IAM journeys, and the tools and solutions that adopters are prioritizing. This session will discuss these and other findings from CRA's coverage.
Obviously, managed security providers want to optimize their rapport with customers. But don't overlook the importance of fostering a mutually beneficial relationship with your cyber solution vendor partners as well. In this segment, we'll look at how MSSPs can best leverage their vendor agreements to ensure they're receiving top-notch, responsive service and gaining access to the most up-to-date solutions and the most flexible pricing plans.
Segments
Managed IAM: The Quest for an Evolved Identity Experience – Bill Brenner – CFH #23
Optimizing Vendor Relationships: How to Get in Your Partners’ Good Graces – CFH #23
CFH #22 – Don Pecha
Infosec leaders shouldn't just be reporting to the board room to explain themselves when things go wrong. They should be a regular part of the strategic business discussions that take place inside a company's executive halls. That's true whether they're directly employed by the company or they're a contracted vCISO provided by an external managed services provider. In this segment, we'll discuss how managed service security leaders can land themselves a coveted spot in the board room and assert their influence on future business decisions.
It's understandable why many organizations' cyber investments heavily concentrate on protecting core networks and data centers from breaches and ransomware attacks. But let's not overlook the importance of ensuring that your website remains operational, especially when it directly drives revenue through sales or advertisements. Threats such as DDoS, bots, e-skimmers, malvertising and drive-by downloads continue to plague websites -- so why aren't there more managed service providers offering specialized help in this area?
Segments
Breaking Down the Board Room Barrier: Positioning the vCISO as a Key Business Voice – Don Pecha – CFH #22
Are MSSPs Snubbing Web Security? Why Websites Take a Back Seat to Network Needs – CFH #22
CFH #21 – Merike Kaeo
Risk assessment questionnaires are a standard practice when evaluating current or prospective third-party partners. And yet some folks may justifiably ask: How valuable are these questionnaires if there are no consequences for fudging your answers, or even outright lying? This session will examine common weaknesses and oversights in the third-party assessment process, while recommending how to improve vendor transparency by obtaining key documentation, asking the right questions, and enforcing regulations.
A great many MSSP security professionals are truly passionate about making the digital world a safer place for businesses and their users. But at the end of the day, it is still a business, and good cybersecurity isn't free. And therein lies the strategy around pricing: What pricing models work best for your organization and appeal most to your customer base? And how do you ensure that your pricing policies are fair and transparent? This session will examine the key considerations and best practices around pricing and billing.
Segments
Removing the B.S. from Third-Party Risk Assessments – Merike Kaeo – CFH #21
Pricing Practices That Fit the Bill – CFH #21
CFH #20 – Pete Bowers
What’s the best way to ensure operational resilience against cybercriminals’ tactics, techniques and procedures? Well, just rearrange the letters in TTP, and you get PPT: people, process and technology. This session will examine how organizations can score, benchmark and improve their cyber resilience through a combination of security processes, proper cyber hygiene and employee behavior, and a robust technology infrastructure. To do it right, all three elements need to be in place.
The worst has happened. You failed to protect one or more managed services clients from a cyberattack. Maybe you were even infected yourself. Or perhaps a failed product launch or negative engagement with a customer has resulted in a scathing review. There are lots of ways an MSSP can wind up with a tattered reputation -- and sometimes they're not even fully to blame. And that's why a good incident response and disaster recovery plan means not only getting your IT networks up and operational again; it also means salvaging your reputation and not letting this incident define you. This session will look at strategies for restoring your image after something goes very wrong.