When trying to determine if you need a managed security service provider (MSSP), the first thing cybersecurity professionals need to realize is that they are owners of risk, said Johnathan Nguyen-Duy, Fortinet’s vice president of its field CISO team.

“Whether you’re a large enterprise or small enterprise, a person — whether it’s a CISO, or an IT manager — you own that risk, and it’s your job to manage that risk,” Nguyen-Day said during an episode of CISO Stories podcast. “And whether you do that internally or an in-house solution or whether you partner or some combination of third party, you will always own that risk."

Listen to episode 31 of CISO Stories: Practical Considerations for Managing Your MSSP

When companies look to an MSSP, they have to understand the outcome they're trying to achieve and work backwards.  And that outcome can't be a risk handoff of risk, Nguyen-Day said. Rather, companies need to partner with the MSSP to define gaps and approach, understanding that the MSSP doesn’t own that risk; so you’re going to have to manage them.”

At Fortinet, Nguyen-Duy focuses on strategy, data analytics and helping enterprises with digital transformation for security from the IoT edge, across enterprise networks, to hybrid clouds.