Our newest writer, Paul Ducklin, tells it as he sees it – that we’re all served better when we treat cybersecurity as a value to be maximised, not simply as a cost to be minimised.
In case you’re not familiar with the abbreviation MSSP, it’s a special sort of MSP (which is short for *managed service provider*) who is specifically tasked with looking after your security, thus ending up as a *Managed Security Service Provider* and necessitating a four-letter acronym.
(At this point, I’ll allow myself a detour to mollify linguistic perfectionists who will understandably insist that MSSP is not strictly an acronym, because it can’t be pronounced as a word in the way that RAM and ROM can, but has to be spelled out letter by letter, thus making it an initialism. Just like TLA, in fact, which is ironically shorthand for *three-letter acronym*, despite not being one itself.)
Seeking out specialist service providers is not a recent trend. Indeed, many people in the English-speaking world have family names that are simply the words for the expert services in which their forebears specialised, such as Cooper (barrels), Fletcher (arrows), Smith (blacksmithing, or metalworking), and Taylor (spelling was flexible in the past; we write *tailor* today).
Throughout the 20th century, once we’d effectively completed the industrial revolution, we became accustomed to entrusting many important but nigglingly difficult tasks in our lives to other people, typically to the point that we no longer actually knew how to do them ourselves, if in fact we ever did.
Indeed, there’s a well-worn joke that probably first appeared back in the late 19th century, when household conveniences such as automatic central heating and piped hot water first became available, that tells the story of a proud homeowner who called in a domestic gas and water piping expert, or plumber for short, to sort out his wayward heating.
The plumber dutifully arrived, carefully inspected the valves, the radiators, the furnace construction, and (perhaps most importantly of all) the beautifully crafted bronze nameplate riveted to the water heater itself that identified the maker and the model. He then opened his toolbag, selected a hammer from his meticulously arranged collection of shapes and sizes, and struck the heater a sharp blow, just above the nameplate but slightly to the left.
Lo! The system roared back into life, and service was restored.
When presented with a carefully hand-written invoice for $20, the homeowner was aghast! Twenty bucks! For one lousy whack with a hammer? Why, anyone could have done that! That’s hardly worth a dime!
The plumber was deeply apologetic, and offered new fees, obligingly tearing up the offending invoice and writing a replacement (imagine perfectly-formed copperplate script in a deep indigo ink):
Item 1. Striking water heater with hammer, $0.10
Item 2. Knowing where to strike, $19.90
Total due, $20
In the 21st century, many of us still understandably feel a reluctance to pay what is actually a fair price for work that we feel we could have done ourselves, especially when we see how it was done and think that the job looked “easy”. Worse, perhaps, is that even after deciding to call in an expert, because we recognise the huge opportunity cost of doing it ourselves, we can’t resist prairie-dogging the expert, or second-guessing what they’re likely to do and trying to “help” them by doing some of it before they arrive, or demanding that they weave our own ideas of how to do it into the job, no matter how distracting or divisive that turns out to be.
(An *opportunity cost* is the value of everything you could have done instead that would have been directly relevant to your own business, but that you lost out on by getting sucked into side-tasks that you could almost certainly have avoided.)
So, if you would like to get off on the right foot with your MSSP, may I humbly suggest that you:
-> Avoid trying to shave a few dollars off the cost by trying to leave out bits and bobs you think you can do without, or by insisting that you’ll take care of some of the work yourself, and leave your MSSP to fit itself around your tweaks. You’re almost certainly going to end up with a whole that is way more complex than the sum of the parts would otherwise have been, and complexity generally works against cybersecurity, not towards it.
-> If you choose an MSSP that doesn’t let you ply your own security tweaks and hacks, don’t take it as an insult, or as an insinuation that you wouldn’t be capable of doing a perfectly good job on your own. Grab onto it as the very opposite of an opportunity cost, and treat it as an opportunity *value* that will let you give attention to the aspects of cybersecurity that truly are unique to your business, such as how to encourage and educate your users; how to treat your customers and their data; and how to do all your other important IT tasks that otherwise get left until later, which often turns into never.
-> Don’t settle for an MSSP who expects your cybersecurity to be a “black box”, whether they allow you to tweak, hack and fiddle at your end or not. Even a do-it-all-for-you MSSP, who doesn’t let you fly with dual controls (“managing with two consoles” might be a better way of putting it), shouldn’t treat anything that it does as a secret. Search for an MSSP that doesn’t just let you see into the aspects of your cybersecurity that it takes care of, but that routinely and regularly takes the lead and critiques your cybersecurity posture with you, in real-life meetings, not just in printed-off reports.
Remember: cybersecurity serves you and your customers better when you treat it as a value to be maximised, not simply as a cost to be minimised.
PS. If there are any knotty topics you’re keen to see us cover, from malware analysis and exploit explanation all the way to cryptographic correctness and secure coding, please let us know. DM us on social media, or email the writing team directly at firstname.lastname@example.org.
More About Duck
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!