Statistics on the cybersecurity workforce shortage have garnered some headlines recently. One of the most powerful messages comes from the (ISC)2 Global Information Security Workforce Study (GISWS), led by their Center for Cyber Safety and Education. The 2017 GISWS projects that the cybersecurity workforce gap is on pace to hit 1.8 million by 2022.
The same report found that 70% of employers around the world want to increase their cybersecurity staff size by 15% this year. In the healthcare industry, employers plan to expand staff by 20% or more – higher than any other industry surveyed. While these statistics help raise awareness, the problem will persist unless effective solutions are put in place. As mentioned in the June 2017 Health Care Industry Cybersecurity Task Force report, one such solution for business verticals – particularly healthcare – may be realized through Managed Security Service Providers (MSSPs).
Due to the nature of the data they process and possess, healthcare organizations have a huge target on their backs. Their systems hold a treasure trove of customer and patient information that can be used for identity theft, blackmail or sold on the Dark Web – social security numbers, credit card information, sensitive and personal healthcare information. Of all the 2016 malware attacks on the healthcare industry, 72% were caused by ransomware, according to the Verizon 2017 Data Breach Investigations Report released earlier this year. However, many healthcare organizations simply don’t have the resources to manage the constant threats and vulnerabilities that pose risk to their customers and patients.
A good MSSP can handle most, if not all, of the security tasks in your organization. Whether it’s actively probing internal networks or scouring intelligence reports and external data sources via hunt teams, MSSPs help organizations stay ahead of emerging threat activity. They can also assist organizations in preventing and recovering from ransomware attacks. While healthcare organizations are among those most frequently targeted by ransomware threat actors, many do not have the staff on hand to deal with this threat, especially in the small-to-medium sized business (SMB) market. Without the technical know-how in-house, some SMBs may be tempted to simply pay the ransom to get their files back and hope for the best. However, the FBI warns that 70% of businesses who paid the ransom were attacked again, and paying the ransom doesn’t guarantee your data will be returned.
The ‘security-as-a-service’ concept that an MSSP offers can bring tremendous value to the technical operations side of your business, but what about the human capital aspect – the people part of the equation? That’s where a good MSSP with qualified and experienced staff on hand can add even more value. Faced with the cyber workforce shortage, those same healthcare employers who plan on expanding their teams will face difficulties in attracting and hiring qualified talent. Even if they make a good hire, what about the challenges in retaining cybersecurity professionals? Many organizations without a mature and funded employee retention program run the risk of losing cybersecurity professionals to larger companies that possess deep pockets for perks such as training and certification reimbursement. Unfortunately, many SMB healthcare organizations lack these types of resources. A good MSSP can be more cost-effective than hiring a team to manage your security program.
So, if you are interested in bringing on a service provider, how do you choose? Here are some things to look for when choosing an MSSP:
- Define Your Business Needs. Is there a particular service you need? Do you need someone to help manage your Security Information and Event Management (SIEM) environment – looking through your event logs and making sense out of all that data? Someone to hunt for threats? Protect you from ransomware? Do you need an MSSP to manage your system vulnerabilities? Put together a list of must-haves and desires, and prioritize from there. You may want to start slowly and assign your MSSP to manage only one or two services, then add more responsibility only after they’ve proven themselves worthy of your business. If you don’t know what you need, a good MSSP should be able to perform an initial assessment and give you some recommendations.
- Can the MSSP Attract and Retain Talent? Make sure your MSSP has qualified staff on board plus a proven method of attracting and retaining cybersecurity professionals. According to the 2017 GISWS, paying for training and/or certifications is the number one way to both attract and retain staff.
- Is the MSSP Customer Focused? The MSSP you ultimately choose should be intimately familiar with your business. Does the MSSP have an established healthcare client base and/or employ staff with significant experience in the healthcare field? Currently, there are only a few mega-sized MSSPs that can handle several large customers at once spanning multiple verticals and sizes, and even then, they may be too big to give you that personal, responsive touch.
- Does the MSSP Have Proven Expertise? Be wary of MSSPs that claim they can do it all but can’t back it up with proven past performance. Ask for examples of organizations they have protected. Do they have references they can give you AND do they check out? Note that there are some MSSP clients that cannot give a reference due to non-disclosure agreements, so you may need to do some additional homework. Who’s on their management team? Do they have experience in building security teams and performing the types of services you need?
The search for the right MSSP can be daunting, but if done right, it should not be as challenging as finding, onboarding and keeping cybersecurity professionals. For those in the SMB healthcare industry, MSSPs can help you keep pace with the sophisticated and complex nature of attacks, as most providers simply have neither the resources nor the time to devote to solving the technical and human-capital aspects of this enormous challenge. Choosing the right MSSP can certainly take some of the burden off your plate and allow you to focus on providing quality healthcare services to your patients.
Dan Waddell, CISSP, PMP, senior vice president, Zeneth, was lead author of this peer-reviewed post. Zeneth Technology Partners offers MSSP services to federal and commercial clients.
Originally posted September 20th, 2017 on https://www.infosecurity-magazine.com/blogs/can-mssps-help-address-cyber