CFH #21 - Merike Kaeo
Cyber For Hire (Audio) | May 16, 2023 | 01:12:19 | 132.4 MB

Risk assessment questionnaires are a standard practice when evaluating current or prospective third-party partners. And yet some folks may justifiably ask: How valuable are these questionnaires if there are no consequences for fudging your answers, or even outright lying? This session will examine common weaknesses and oversights in the third-party assessment process, while recommending how to improve vendor transparency by obtaining key documentation, asking the right questions, and enforcing regulations.

A great many MSSP security professionals are truly passionate about making the digital world a safer place for businesses and their users. But at the end of the day, it is still a business, and good cybersecurity isn't free. And therein lies the strategy around pricing: What pricing models work best for your organization and appeal most to your customer base? And how do you ensure that your pricing policies are fair and transparent? This session will examine the key considerations and best practices around pricing and billing.

Show Notes: https://securityweekly.com/cfh21

[00:00:00] Removing the BS from third-party assessments, and pricing practices that fit the bill. That and the latest news and trends in the managed security space, coming right up on Cyber For Hire. Building bridges between managed security providers and their clients,

[00:00:17] it's the podcast where MSPs, vCISOs and end users take a united stand against cybercrime. This is Cyber For Hire. Struggling to monitor the growing threat landscape, pressure to reduce costs, security skill gaps, facing compliance issues: these issues can translate to operational, financial, regulatory

[00:00:40] and reputational risks to your business. Check Point can help. Check Point combines an MSSP enablement program, cloud-delivered multi-tenant management, SOC platform and superior threat intelligence capabilities to give MSSPs the confidence to grow profitably at reduced risk. Check Point is 100% channel driven. We partner to deliver the best security everywhere.

[00:01:06] Visit MSSPAlert.com/checkpoint. All right, welcome, friends, to episode number 21 of Cyber For Hire. How's everybody doing today? I'm Bradley Barth with SC Media in New York, and joining me today, 13 time zones away in Seoul, South Korea, is my co-host and partner in

[00:01:28] cybercrime, Ryan Morris, Principal Consultant with Morris Management Partners. Ryan, we were originally scheduled to tape this on a different day, but then something pretty interesting happened when you were in nearby Tokyo, Japan: an earthquake. And I know that caused a little bit of interference with our show.

[00:01:49] First of all, did you sleep through the earthquake? I think it happened early in the morning. Did you know what was happening when it happened? Tell us your earthquake experience. You know, I would have absolutely slept through the process except for the presence and

[00:02:06] very effective implementation of Japan's early warning earthquake system. Every single device in the entire country, televisions, cell phones, smartwatches, anything that's connected to the internet or a public broadcasting resource, makes an unbelievably

[00:02:25] loud and annoying noise right before there's about to be an earthquake. So we were actually staying, I think, about seven or eight miles away from where the epicenter was. So we basically got the notice at exactly the time that we started to feel the shaking, and

[00:02:46] the best way to describe it is it kind of felt exactly like riding on the subway train in Tokyo, you know, a little bit of wobbling back and forth, but nothing that would knock you off your feet.

[00:02:58] So I was awoken, panicked, freaked out, not that bad, and then it was absolutely impossible to go back to sleep after that. So, you know, it was an earthquake. Interesting. I didn't know that there was all that preparation, all those warning systems

[00:03:18] involved. Always good to be prepared like that, always a good lesson for cybersecurity. I remember one rare earthquake that I lived through where I was yelling at everybody in the house that an

[00:03:30] earthquake is happening, and somehow they were just all ignoring me and going through with their conversations, and then they apparently just thought I was joking or something, but meanwhile all the glasses were clinking and I'm like, does nobody take me seriously? Does no one listen to me?

[00:03:43] But anyway, that's my little earthquake story. Very interesting, Ryan, but we've got to keep moving. So, plenty to discuss today as always, but some news just can't wait, which is why we want to share with everyone

[00:03:54] what's top of mind today. So here's your headline: industrial security firm Dragos recently reported an attempted extortion scheme in which adversaries accessed the company's SharePoint service and contract management system but failed to breach its network or cybersecurity platform.

[00:04:12] According to Dragos, the malicious actors gained access by compromising the email address of a new sales employee before they even started the job, and then impersonated that employee during the employment onboarding process, which is conducted through the aforementioned SharePoint

[00:04:29] service and contract management system. Dragos credits its layered security controls, including its SIEM system and contracted incident response and MDR services, with preventing an actual ransomware deployment, also noting that it did not engage with the extortionists even as they threatened to

[00:04:45] publish information that they had accessed and menacingly referenced company executives' family members. So Dragos said it revealed the details behind this largely mitigated attack in order to destigmatize security events. So, lots of interesting nuggets here to pounce on. Ryan, why is this top of

[00:05:03] mind for you? I think the first thing that I thought of when this story came across was just how much incredibly detailed information is stored in almost easily accessible locations around everybody's network. Right? If you think about the description that we're given here, that this was a largely

[00:05:26] mitigated attack specifically because of the layered approach to security that they've deployed: you can get through one tier, you won't get through the next tier, you'll only be able to access a certain amount of information. There's an all-or-nothing mentality, I think, in the media

[00:05:45] especially, but also in kind of the layperson approach to cybersecurity these days: either you are breached or you are not breached. It tends to be the way I'm thinking and describing these kinds of things,

[00:05:59] but what this company has experienced is that you don't need to be all the way breached in order to lose important data, in order for company secrets or otherwise very valuable information to be accessed and then misappropriated by the people who are doing the bad-guy approach.

[00:06:21] That, to me, I think is a very sobering reminder for all of us in the security business. You don't have to be all the way compromised in order to lose a lot of value. But I also appreciate their

[00:06:40] disclosure and their approach to destigmatizing. We've said it before on this program, and many of our guests and the people, the practitioners who do this every single day, they remind us: this is not

[00:06:54] a question of if you will be breached, it is a question of when your organization will be breached, and how you react, how you respond and how you move forward. In this case, hey, they were breached,

[00:07:08] they disclosed, they did not give in to the bad guys and they are able to move on. In my estimation that increases their credibility, not decreases their credibility, which is what everybody fears

[00:07:22] when we talk about, you know, should we or shouldn't we disclose a breach that happens in our organization. So kudos to these guys, I think they handled it effectively, but boy, it does remind us

[00:07:34] that nobody needs to actually get all the way into the inner sanctum to get valuable information. So let's revisit the layers and make sure we know what is stored where in all of our network

[00:07:50] environment. And just to quickly follow up, Ryan, any thoughts also on the interesting attack vector here on the part of the adversary, going after an employee who hadn't even really technically started with the company yet, and somehow, whether they managed to target this

[00:08:10] individual knowing that they were associated with the company, whether it happened to be a happy opportunity, a crime of opportunity for them, but basically gaining access to Dragos through somebody who was just going through the onboarding process. Yeah, that's a great point, because one of the

[00:08:29] lessons we've relearned in this environment is just how creative the bad guys are. This is something that I think is surprisingly clever and almost guaranteed to be effective in very many environments. Right, this happens to be an organization that lives and breathes this kind

[00:08:50] of security protocol, so when they were breached they were able to identify and to mitigate. But imagine a scenario where somebody who has not yet begun working with your organization, does not know what the onboarding process will be, gets their credentials compromised before they even

[00:09:14] know that they were going to have credentials. That is a weak spot in our information systems. I haven't heard of that exposure or that exploit before, but that just reminds us, hey,

[00:09:29] if you have a system, it's going to be targeted and it's going to be vulnerable, so we have to always be thinking as creatively as the bad guys are. All right, Ryan, very good, sound advice as always,

[00:09:44] and we want to hear from you about this or anything else that we covered in the show, so please write to us at cyberforhire@cyberriskalliance.com. Anyway, that's going to be our top

[00:09:53] of mind hot take for the day, but now it's time for our featured infosec security strategy topic of the week, presenting our big idea in security: removing the BS from third-party assessments.

[00:10:09] Now for this we actually had an interview with a guest that we recorded separately a few days ago due to some scheduling conflicts, so we're going to throw to that interview shortly, and that's

[00:10:22] going to take us to the end of the first half of the episode, but then Ryan and I will be rejoining you at the very start of part two. And so with that, we'll see you shortly, and we're going to throw

[00:10:32] it to the interview. Risk assessment questionnaires are a standard practice when evaluating current or prospective third-party partners, and yet some folks may justifiably ask: how valuable are these questionnaires if there are no consequences for fudging your answers or even outright lying?

[00:10:49] This session will examine common weaknesses and oversights in the third-party assessment process while recommending how to improve vendor transparency by obtaining key documentation, asking the right questions and enforcing regulations. To discuss this further, we'd like to welcome

[00:11:07] in one of my favorite people in cybersecurity, someone who taught me a lot about the industry when I first started covering it as a writer: Merike Kaeo, Executive Security Advisor and vCISO at Double Shot Security, which provides corporate governance and executive strategies to secure

[00:11:24] global organizations. In prior roles, Merike held positions as CISO at Uniphore, CTO of Farsight Security and CISO for Internet Identity. She instigated and led the first security initiative for Cisco Systems back in the mid-1990s, and she authored the first Cisco book on security,

[00:11:44] Designing Network Security. Merike, thanks so much for joining us. Always glad when we get a chance to talk, and as always we're going to jump right into things. So, first question for you:

[00:11:55] why is it your contention that there is a lot of BS in the third-party risk assessment process? What's fundamentally wrong with how it's typically done? Thanks, Brad, very happy to be here, and I think this is definitely a very important topic to

[00:12:12] discuss. Currently, many third-party risk assessments are still performed by answering a lot of questionnaires which are mostly based on yes and no answers that would support the security controls and posture that an organization has. One very popular questionnaire that many organizations use

[00:12:32] is the one from the Cloud Security Alliance, which is called the Consensus Assessment Initiative Questionnaire, or known as the CAIQ, and the CAIQ is a questionnaire that covers over 200 questions to describe the security posture of what security controls exist, and they're mostly meant

[00:12:51] to pertain to cloud-based services. The problem is that many vendors will just say yes to many of the areas even if they only have a security control for perhaps 10% of their environment. So you

[00:13:05] really have no real context as to what their actual security posture is. And then there's also the compliance certifications, which give you a somewhat better feel for an organization's security posture, and if you do meet compliance mandates, then you know that the organization has spent quite

[00:13:28] a bit of time on their security posture. But I've seen many environments where some security controls are misportrayed, and if the auditors are still new and are still learning, companies may have security certification compliance but really not be as secure as a certification would attest to.

[00:13:51] So I see a lot of room for improvement in terms of how we actually do useful and informative and transparent third-party risk assessments. All right, so there's a couple of ways that perhaps we can alleviate some of the problems around

[00:14:12] the answers that these third-party vendors are giving. I want to start with the more straightforward approach, which is the questions themselves. So, are organizations, or, you know, the MSSPs and the vCISOs, those conducting these assessments along with the auditors on behalf of these organizations,

[00:14:34] are they asking the right questions in the first place, going off of some of these more standard questionnaires? Should their questions maybe be more pointed, more detailed, leaving less room for vagueness? And furthermore, should they require the vendor to back up their attestations

[00:14:54] with some kind of evidence or demonstration? Yeah, there's a lot here, and there's definitely a lot of room for improvement. I think that one of the most fundamental aspects, before you even start with any questions or trying to figure out what kind of context you need.

[00:15:16] I think that any organization needs to have a full understanding of whether or not they've had useful classification systems and handling procedures and processes for their corporate assets. So, you know, any third-party vendor that you're going to be utilizing, you need to know whether

[00:15:41] it is public or insensitive data that they're going to have access to, or is it more restrictive and extremely sensitive data that, if it is breached or compromised, would cause the organization to be either non-operational and business to cease, or create a material event?

[00:16:00] So obviously the more sensitive the data, the more due diligence you would have to perform. So while we do have to have trust in this compliance certification process, you know, at least there's some semblance of understanding that they have spent resources

[00:16:18] and time on their security posture. But I think that the questionnaire aspect really needs a whole reset. I think having vendors fill out hundreds of questionnaires with yes-no answers is honestly just a complete waste of time. But I do think that there are some valuable questionnaires,

[00:16:39] but they absolutely need to be more context-driven than generic, where right now we're using kind of the one-size-fits-all for many environments. However, there's also the issue of a third-party vendor not wanting to give away some of their weaknesses which could be exploited by someone.

[00:17:00] So which questions are appropriate, what kind of added context is needed? I think that is a value-add that MSSPs can add to an organization's third-party risk management, because they can help the organization craft more context-specific questions, along with helping define what evidence is

[00:17:22] needed to have an organization make more informed risk decisions regarding a specific third party. All right, so what kind of documentation might be available to review to then help supplement the questionnaires, which just by themselves, you're saying, are insufficient? So what can we do

[00:17:46] to, you know, basically provide more of that context that you're looking for? I know, for example, you had mentioned to me in a brief preliminary conversation that we had, Merike, that SOC reports may be a really good source to get a better idea of a third-party partner's

[00:18:07] capabilities. I also might ask you, you know, what about the idea of things like physical inspections or vulnerability scanning of certain vendors? Is that ever on the table as an option? I know sometimes they can be a little bit reluctant for something like that, so what about some

[00:18:23] of those options that I just presented to you? Absolutely, thank you, and I think I do want to stress that some of these more stringent risk assessments really pertain to any third-party vendor

[00:18:37] that has access to any real sensitive data, right, in your environment. You would not be that stringent when you have insensitive data that a third party has access to, but it is true that many

[00:18:52] organizations ask for a third-party vendor's SOC 2 report. The SOC 2 was designed by the American Institute of CPAs and defines the criteria for managing customer data based on five trust service principles: security, availability, processing integrity, confidentiality and privacy.

[00:19:15] And so these reports are very useful for an organization that goes through the SOC 2 process, because it gives a good feel for how effective you are within your controls, tools and processes.

[00:19:29] However, if you give the SOC 2 reports away, let's say that you're the third-party vendor to an organization, it also contains information regarding weaknesses that could be exploited.

[00:19:43] So I have usually been of the mindset that I would not give out a SOC 2 report, so if I'm asking another vendor, you know, to attest that they have good controls in place, I would typically ask for at

[00:19:59] least the SOC 3 report, right, because I don't want them to put themselves at more risk by me having to see where their weaknesses are. However, I do want to know their weaknesses, right? So this really raises a very interesting conflict: as the organization assessing a third-party vendor,

[00:20:19] you want to have as much detail as possible, but if you are a third-party vendor to someone else, you do not want to expose all of your weaknesses. So how do we actually have a reasonable balance?

[00:20:32] I mean, this is a question, and I think this is something that the industry overall needs to mature on. And there are of course also third-party vendor reports based on companies that do external scanning,

[00:20:47] and these may have a place, yet they often also have a lot of false positives, which again does not really give you an accurate answer. So in recent roles I've had to spend hours dissecting reports

[00:21:01] and found it extremely inefficient. These are the reports done by third-party vendors that do scanning to try and ascertain an organization's security posture. So for myself, what I have usually done

[00:21:17] is just get on a call with the heads of security and assess how mature they are with their program, and of course if you have thousands of third-party vendors that's going to be a little bit

[00:21:28] difficult, but you do want to see where the data of your organization can be at most risk because of the sensitivity of the data that these third-party vendors have access to, and sometimes a

[00:21:42] 30-minute phone call with the heads of security is pretty good to assess how mature they are with their program, because we have to remember that no program is perfect and there will always be

[00:21:57] a maturity that all organizations have to reach, but you at least want to assess that your third-party vendor is spending money and power and, sorry, money and resources on their security program. Yes, certainly, sometimes just getting on the phone with somebody and talking to them

[00:22:19] directly can be the most efficient way of getting some of the answers that you're looking for. So certainly that's always advisable to do, and not just leave it up to a simple standard carbon-copy form. Something else, Merike, that you had mentioned to me in our previous

[00:22:41] conversation that I thought was really interesting was almost the idea that even with some of these enhancements and best practices for doing some of these questionnaires, that process is still going to be imperfect, and you're not really necessarily going to capture all the information

[00:23:05] you're looking for. So you are suggesting that you might even want to just take the posture of assuming that there are going to be some security lapses in some spots, and therefore you're more interested in finding out how robust they are in terms of their capabilities in incident

[00:23:25] response, because eventually something may happen. So I would be curious, what is your reason for placing such a high emphasis on incident response? Explain a little bit more about why that's your philosophy, that that to you was actually maybe the most important area to learn about your third-

[00:23:41] party partners. Absolutely, Brad. You know, over the last five to ten years I have really stressed incident response in either organizations that I've been a part of or the ones that I have been advising, because with today's threat landscape, no matter how good your security processes and

[00:24:01] procedures or how much money you're spending putting in effective controls for nation-state or organized crime attacks, if your organization is a focused target, then eventually there will be a vulnerability that gets exploited, or a credential that gets stolen, or some other means that a threat

[00:24:22] actor will be successful in their attack. And so if I assume that at some point my organization may be a target, then my entire supply chain will also potentially be a target, and so I really care about how

[00:24:40] effective their incident response is in terms of processes, and really overall how the organization handles incidents. And again, this is especially true if there is sensitive data that is being handled

[00:24:55] by a third party and there is a high likelihood that they will be a target to instantiate either an intellectual property exploitation or ransomware against the organization that I work for. And so some of the areas that I specifically look at is: what was the most impactful incident

[00:25:17] that the third-party vendor has had in the last year, and how did they handle it? And again, this is somewhat sensitive to them as well, and so even when you're having a phone call, right, you

[00:25:28] want to make sure that you have the right people on the call, and not too many people either. You're just trying to assess how they handle any kind of critical incident. And also I would like to

[00:25:42] know whether or not they have 24/7 SOC coverage, and is it an internal team or outsourced, and if outsourced, how many staff members internal to the organization work with the SOC during a high-severity incident. And this is especially true with some startups. I mean, there's some

[00:26:01] excellent startups out there that are really helping increase the agility and effectiveness of some services and processes, but being a startup, right, they may not have the security team in place and outsource. But everyone knows, or you should know, that if you're outsourcing, that doesn't

[00:26:23] mean that the liability and all the processes and all the procedures are just within the SOC, right? You have to have some internal resources that then work with the 24/7 SOC. So to me it's

[00:26:38] important that an organization does have the processes, the people in place, people know who's in charge of incident handling and who has authority to do what, because if in a short conversation I ask

[00:26:54] some of these questions and there's immediate answers from the heads of security, I personally feel pretty comfortable that at least they have pretty good processes in place. I really appreciate the fact that you are able to give some examples of some questions

[00:27:15] around incident response that you can ask your clients' third-party vendors, both a few sensitive questions but important ones, like how did you manage your last IR incident, which I think really obviously can provide some great insight, but also some that they should feel, you know, more comfortable

[00:27:36] answering, like having the 24/7 support. Because I think, I was going to ask you, you know, maybe what are, you know, some of your top recommendations for things to ask, so that was great.

[00:27:48] I do really want to, I want to make sure to also ask you, I hinted a little bit earlier about, you know, legal liability. Yes, just basically, I wanted to ask you around legal liability changes

[00:28:04] and increasing global regulations, and how this could potentially affect the third-party risk assessment process. You know, I know you talked a little bit earlier about compliance, obviously, and looking to see how compliant an organization is to the various regulations that are out there

[00:28:27] is one way to be able to assess their capabilities, but of course, as we know, compliance doesn't mean fully secure. So I would be curious, based on the current legal landscape, regulatory landscape,

[00:28:40] how is that shaping the way third-party risk assessment can be done? How can you use that to your advantage? Again, this is a very interesting topic surrounding just security maturity overall. Unfortunately, with so many threat actors at play, and, you know, many organizations who may not really

[00:29:04] have, you know, they're trying to meet compliance mandates and that is really their guideline for their security posture, rather than looking more at a foundational security program. And I think we see, with all of these breaches where credentials get stolen, I mean millions of credentials,

[00:29:26] and/or all these successful ransomware attacks, that really we need to look at what are some of the root concerns and issues. So a lot of governments are looking at creating more stringent

[00:29:39] regulatory requirements, and one of these also has been around incident reporting. And I'm not sure that I can really say that this is going to improve third-party risk management overall, but I think

[00:29:56] that this is an area that certainly organizational leadership will look at more profusely, or with more seriousness, because in some of these new laws that are coming out, or regulations, it's actually

[00:30:15] the CEO or possibly even the board that will be held accountable if it is deemed that they have been negligent. And so I think there's going to be much more focus on what are the risks that a company

[00:30:32] has from a digital environment situation, and then how do we actually make sure that we have the information we need to do an appropriate risk assessment. So I think we're just starting to really

[00:30:50] look at how do we do better risk assessments for third-party vendors. There's a lot of discussion around this in CSO circles and other circles. I just recently was made aware of some insurance companies that actually have their own scanning capabilities, and this was quite

[00:31:12] interesting to me, because they will actually help an organization themselves: as they're getting insurance from this company, they will help scan the organization and work with the organization to then detect any kind of vulnerabilities that really should be, that they should pay attention to,

[00:31:34] to remediate. And I don't know how much this will then be leveraged to also be utilized with any third-party vendors, but I think it's a very interesting idea to have insurance vendors also help the

[00:31:49] organization to address and identify any critical vulnerabilities, and this might even then extend to third-party vendors. All right, well, Merike, I appreciate you answering my questionnaire that I have for you today, basically answering my interview questions. We have about three minutes left, so

[00:32:14] with that remaining time I want to move on to a spooky little segment that we like to call What Scares You. The cybersecurity world, as we all know, is full of Chicken Littles out there constantly warning us

[00:32:28] the sky is falling, when in reality some threats are overexaggerated, but then there are times when the danger is very real. So let's all gather around the campfire, you and me, Merike, and hear from

[00:32:40] you on what keeps you up at night, what gets your spidey senses tingling. And so, Merike, I ask you: what scares you? The thing that I'm always most afraid of is that somebody is actually lying to me,

[00:32:57] right, or they're not telling you the truth, because if I'm in a security leadership role and if I need to make certain risk decisions, if I don't have the accurate and complete information,

[00:33:12] then I cannot make an informed risk decision. And sadly, I find that within the whole realm of cybersecurity we have a lot of issues that still need to be addressed. One of them is the

[00:33:29] legal liability aspects, because often if you're transparent in terms of your actual maturity and maybe some weaknesses, then that will cause a regulatory liability issue, right? But it's really difficult to try and figure out, well, when are you actually doing the best you can, maturing over time,

[00:33:54] versus trying to pretend that, you know, you've got everything under control and you're really where you need to be. And one of the things that I want to call out is an initiative that has recently

[00:34:05] been made public, we had an RSA talk about it, which is the Data-Centric Cyber Maturity Framework. And why yet another framework, right? Because really, at the center of what you're trying to protect

[00:34:23] is the data, and with this particular maturity model the hope is also that it will be a much better and much more informed articulation of how you're actually maturing your cybersecurity,

[00:34:40] but with this data-centric focus. And so I do think that there's still a lot of work to be done from many angles: the policy perspective, the regulatory perspective, the legal liability perspective,

[00:34:54] because we have to get to a place where there can be more transparency in terms of what your actual security posture is, and especially if you're trying to hire third-party vendors that have access to very sensitive corporate information. But how you then portray that transparency,

[00:35:19] right, it's something that you can't just have in a report and, you know, send around in clear-text email, right, which some people do with SOC 2 reports, which, I just, that scares me to no

[00:35:32] end as well. But, you know, we really have to work on how do we get much better transparency, and how do we also make sure that the people that need to know get the information.

[00:35:46] Yeah, transparency always, of course, very key, and of course so is trust. But if you're being lied to, it's hard to trust. So, I don't know, 30 seconds or less, solve this trust

[00:35:58] problem for us. Wait, what's the solution for gaining better trust with your ecosystem of partners? What's the best way to establish trust? I wish the

[00:36:09] media would not over-hype issues, right? I mean, you know, cybercrime is crime, and so what I find is that so many other people on social media, or the media, always make the victim,

[00:36:29] you know, be the problem, and so people are afraid to also be transparent. So I think it's much better if we try to at least be supportive, right, of individuals or organizations that have

[00:36:44] had issues and are trying their best to fix things, and really work more as a team rather than kind of going the "hey, we're better than you" or whatever have you. But let's do it as a team, amongst

[00:36:57] cross-collaboration, and please let's stop hyping, you know, these security issues. I mean, yes, some of them are serious, but the over-hyping and shaming and blaming is, I think, not

[00:37:13] that effective either. Understood, Merike. Well, I'm not lying to you when I say that you did a fantastic job today with this interview and that I'm very happy that you were able to join us, and I'm sure

[00:37:26] we'll have you again sometime soon in one forum or another. That's going to wrap up our first half of the show. Please return for the second half of our episode featuring our Big Idea in Business:

[00:37:36] Pricing Practices That Fit the Bill. That and more coming right up, so we'll see you in a moment on the other side. All right, welcome back to Cyber For Hire, the managed security podcast. Once again, I'm

[00:37:54] Bradley Barth with SC Media. In the first half of our show we talked with Merike Kaeo of Double Shot Security about removing the BS from the third-party risk assessment process, but right now I'd

[00:38:04] like to welcome back my co-host Ryan Morris from Morris Management Partners, because it's time for us to examine our MSSP industry and market strategy topic of the week, presenting our Big Idea in Business: Pricing Practices That Fit the Bill. A great many MSSP security professionals are truly

[00:38:23] passionate about making the digital world a safer place for businesses and their users, but at the end of the day it is still a business, and good cybersecurity isn't free. And therein lies the strategy around pricing: what pricing models work best for your organization

[00:38:38] and appeal most to your customer base, and how do you ensure that your pricing policies are fair and transparent? This session will examine the key considerations and best practices around pricing and billing. So Ryan, as always, we're going to jump right into it. There are a number of

[00:38:52] models for pricing, and I would love to start by maybe giving a little bit of compare and contrast on some of these. In your opinion: you can go per device, you can go per user, you can go with a flat fee,

[00:39:08] you can go with a per-function scheme where you charge for each, essentially, corporate department using your services. What are some of the pluses and minuses for all of those different pricing approaches that you can take? You know, it's a great question, because this is surprisingly

[00:39:31] quite an emotional topic around the industry. There are very many managed service providers who are convinced that in order to be a managed service provider, everything we do must be included in a flat-fee, all-inclusive, everything-you-can-eat, one-price pricing model. Now, I understand the

[00:39:52] fundamental concept of predictability and consistency in pricing, but I don't think that it's fair to impose the concept of one size fits all for every engagement, every customer, every scenario that we might encounter. Now, as you mentioned, there are a number of different schemes for pricing

[00:40:14] that are prevalent across the industry. There's the question of per device, which in the beginning of the managed services space, in the early days of managed cybersecurity, that was probably the most clean, most defendable, most explainable version of pricing: you have this many servers, you have

[00:40:35] this many switches, you have this many workstations and laptops, etc. This is the price per device, these are the number of devices, A times B equals your monthly fee. Now, that started to get strained when we

[00:40:51] got into the world of multiple end-user devices and multiple use cases for in-office and mobile workers and other kinds of remote technologies. It started to get so complicated, with so many iterations, that it lost that luxury of being very explainable to the customer, and it especially

[00:41:14] fell apart when we started to incorporate any device beyond the classic Wintel infrastructure and end-user stack, right? When we started to look at operational technologies, especially IoT sensor-based devices, the quantities can go to the stratosphere pretty quickly, and trying to figure

[00:41:37] out a scheme that would allow you to identify and charge per device without having astronomical levels of calculation, it kind of forced people into a posture of saying, well, in order to protect that sensor-based device over there I'm only going to charge you pennies per month,

[00:41:58] at which point the customer rightly asked the question: wait a minute, if it only costs pennies per device, what am I actually getting for that? I think as a result that per-device, per unit under

[00:42:11] management has really aged out in the marketplace. We still see some simplified environments, where covering things beyond the Wintel stack, that we do actually still see in the research some people using it, but I find that it's less and less attractive to the end user, right?

[00:42:32] If you look at other schemes that are popular out there, per user or per business function, I think that we can learn some things from just the architecture of cybersecurity, right? If you think

[00:42:47] about the way that we design our services, rather than having just a perimeter-based approach to cybersecurity, or only a layered approach across the stack of technology, we find that there's an evolution towards the data-centric management and then beyond that even to the

[00:43:07] human-centric management of cyber profiles and cyber surfaces that need to be considered. I think that's very efficient logic as we start to look at the concept of pricing, where we can say, irrespective of the pieces of technology that might be involved or the tools that individuals

[00:43:32] might be using, we can identify the behavioral characteristics of a person or a role within the organization, and we can use that to define both their logical access and authorization profile, but at the same time how complex and therefore how costly it is to protect that individual.

[00:43:56] When we go beyond the human or the role and into the data-centric kind of logic, I think we find ourselves in an even more interesting calculation. We're not here to protect just the devices

[00:44:10] or the environment, but to preserve the principal asset, which is the information that we're talking about. That is a little bit more complex to calculate, but I still think it's a move in the right

[00:44:25] direction, and that speaks to the reason why we're having this conversation to begin with. None of these answers are easy, and there is not one single version of a pricing calculation that applies

[00:44:39] to every customer, to every service provider or to every security engagement. All right, now let's look at this another way. You might be a managed security services provider that offers really a wide spectrum of different types of services and offerings, so another question can be: do we go

[00:45:02] à la carte with our pricing model, do we bundle things together, do we do some kind of a tiered system of services? And so again, I'm wondering, if we look at it in that way, what's your philosophy

[00:45:15] there, Ryan? You know, my philosophy has evolved over the years. In the beginning I did like the idea: we are here to be the resource to improve your cybersecurity posture, therefore

[00:45:30] anything that we do to improve means that that ought to be included, and it was hard to draw a line between firewalls and antivirus and network access control and some of the other

[00:45:45] technological definitions. And so we started to say, you know, let's just make you as secure as possible, and it costs a certain fee. There had to be some sizing and some scoping calculation in there,

[00:45:59] but the functional service we provided was everything included. I've evolved on that concept based on seeing a lot of the research and then engaging with individuals, many service providers, who have indicated that that really causes some expectation problems in the relationship,

[00:46:21] and it also causes some scope creep problems, right? The first problem that I mentioned there, the expectations: imagine that you are the client and I've said to you, I have an all-inclusive,

[00:46:36] everything-is-covered approach to cybersecurity. We will count the number of users in your environment, and then everything we do in the environment is going to be included in a single price. Okay, but what exactly is everything, right? Your version of everything might include all of those

[00:46:57] IoT devices, it might include artificial intelligence applications and machine learning to do pattern recognition and predictive analysis. Your version of everything might include things that my version of everything doesn't include, right? If you look at the world of managed cybersecurity

[00:47:19] out there in today's production environment, there is nowhere near a consensus of what all the correct technologies, tools and protocols are. There are as many different scopes of service portfolios as there are service providers. So for us to say everything is included, that is just

[00:47:46] begging a question back from our customer of, well, you said everything was included but you didn't do this. Well, we made a strategic decision, we made a technological evaluation, and we chose not to

[00:48:00] include that in our package. Well, whose version of everything is right, the client or the service provider? I think that causes far more problems than it solves with simplicity and accuracy for the pricing

[00:48:16] calculation. As a result, I buy much more the philosophy of either a bundled approach or a tiered approach: there is a beginning level where we will do fundamentals, there is an advanced level where we will cover more of your attack surfaces, more of the technological approaches to mitigation

[00:48:40] that we are applying only in special scenarios, and then there is that, you know, tip-of-the-spear, top-of-the-pyramid level of service where we are going to be providing an extensive level

[00:48:54] of proactive coverage and service that is not necessary or cost-justified for every customer. I think the biggest problem that I see with the idea of all-inclusive pricing is that it locks out the vast majority of customers who might otherwise be ideal candidates for your service,

[00:49:19] which is a really fancy way of saying you're making your target market smaller, and you are eliminating a lot of potential paying customers by insisting that even the low-end customer must agree to do all of the most high-end and inclusive services. I don't think that's smart

[00:49:41] business, and I don't think that that's the right way to approach a customer. Think of it this way: in a contract services business, comprehensive pricing and increasing the average billable rate per customer environment, that's one way to increase the opportunity size, to increase

[00:50:04] the revenue for our organization. But there's a much more meaningful way to increase our overall revenue, and that is to win more customers more rapidly. If we say everything is included, and that means

[00:50:22] a lot of people are going to just say, you know what, I don't need all of that, and I'm certainly not comfortable paying that premium price point for absolutely everything included, we're going to

[00:50:34] lock out a lot of people and eliminate some other billable relationships. Otherwise, think of it in the context of the pyramid: there are going to be layers of customers who pay us a little, there's

[00:50:47] going to be a layer of customers who pay us more, and then there's going to be a smaller segment of customers who pay us a lot. We'll win more customers, we'll have shorter sales cycles,

[00:50:59] we will get the customer into a billable relationship much more frequently and much more rapidly, which will optimize the top line of our business. I think it's better cybersecurity practice to have tiers, but it is at the very same time better commercial practice to not lock out

[00:51:21] potential customers who would love to pay us for some of our services, if not all of our services. There are certainly instances, Ryan, of MSSPs that charge a premium for certain services, but then certain things should really be standard and universal for everybody as part of the overall

[00:51:42] package. So I'd be curious to hear from you: what in your mind should always be standard for everyone, and what's okay to be reserved for just a premium pricing? You know, I'll put a

[00:51:58] date stamp on this conversation and say, as of today, there's a different version of standard than there was a year ago, and a year from now what is standard is going to have expanded as well.

[00:52:11] It's a question of mass-market adoption of various advanced technologies. The good news is the industry is always releasing new technologies, new capabilities to address problems that we either couldn't address before or that required us to do a certain mix of manual services and tools-based

[00:52:33] applications that weren't very efficient, right? The state of the art continues to advance in our industry. That's great; that means that what is standard is not going to be consistent. I think right now that everything in the defensive posture, everything from the concept of zero trust down

[00:52:58] through basic blocking and tackling, right, the fundamentals of defensive security posture, I think everybody can agree that that is a logical baseline that ought to be included in every tier. I think that the more logical areas for us to have premium or à la carte services are in the

[00:53:22] developing areas of machine learning and artificial intelligence. We're still learning a lot about how to use AI for good, while the bad guys are out there trying to use it more and more for evil.

[00:53:36] That's such a rapidly evolving category. We don't understand it well enough ourselves to have defined a standard, therefore it really shouldn't be included in a basic package. It should be something that we admit to the customer is rapidly changing. We are not experts all the way yet, because

[00:53:59] the technology is just moving ahead at such a radical pace, but we will make our best professional effort. There's legal terminology that will defend us if we try our best, even if it doesn't absolutely work perfectly. I think that's a good attribute, characteristic, for us to use

[00:54:21] for things that might be included in special circumstances. I think that the one area that I would include in standard, that a lot of people are not yet including in standard, is the concept

[00:54:36] of not just defense and then incident response, but the remediation and back to a steady state, right? To have been protected is one thing. To have managed an attack is another thing,

[00:54:54] to get back to a steady state where we are not only not actively being attacked, but we know what the exploit was, we've remediated for that, and we are back to a place where we can say

[00:55:10] we are presently in a secure state. I think that is something that we really do a disservice to customers if we leave that out of our relationship packages. It's not safe to assume

[00:55:24] the customer will do that work on their own. It is not wise to leave that remediation and recovery work undone. Therefore, I think best practice would indicate we should include that as of today.

[00:55:40] I have high hopes that a year from now a lot of this AI stuff will be more stable, understandable and professionalized, and we can start to incorporate that more and more into

[00:55:53] our basic approaches, but as of now it's kind of experimental, so let's not include it in a standard package. All right, Ryan, we just have a couple of minutes left, so final question for you. Pricing transparency, I mean, it's so important to be able to communicate things

[00:56:12] clearly and straightforwardly with your clients. So where do things most often go wrong with pricing transparency? Where are there most often misunderstandings that arise, leading to disputes? You know, I think the general statement of the most common source of disputes is

[00:56:35] unfulfilled expectations that were not clearly delineated, described and agreed in contractual language. I think we want to get more engaged with our customers, and so we tend to use language in agreements that sounds like, well, not only will we use this technology and apply our best efforts,

[00:56:59] but we will eradicate your vulnerability, we will create the most secure possible environment. You know, in marketing terminology that might be okay, but in legal terminology that is just a minefield of unexplained expectations. It's not something that we can defend, and therefore

[00:57:22] it's going to create the opportunity for disagreement with our customers. I think we need to get comfortable with the concept of: the only things included in this service agreement are those that are specifically listed and described here. Anything that is not specifically listed and described here

[00:57:44] is expressly excluded and will not be covered by this service. It feels harsh. It feels almost like an aggressive approach to the customer relationship, but I think we need to be that deliberate about the

[00:58:03] way that we enumerate our relationship with our customers. There can be no ambiguity. There cannot be any misunderstanding of not only what technologies are deployed and what services are provided, but where is the division of responsibility between the service provider and the client?

[00:58:24] We need to be more and more precise with contract language and add that boundary, that very clear line that says anything before here that was described is included; anything that is not described

[00:58:38] is not included. The reason that I'm very adamant about that is, in our research we've asked a lot of end users about how satisfied they are with the security practices that they've engaged with,

[00:58:54] the scope of services, etc. One of the distressing things that we've found is that customers who have not yet been breached, or not recently been breached, during the scope of this relationship, they tend to report very high levels of satisfaction, and they will report very high levels

[00:59:16] of satisfaction even for services that are not included in their agreements. Now, you might think that's nice, that's a glow-up kind of an effect of, hey, they love us so much they're satisfied

[00:59:31] even with the things that we don't do for them. In a marketing sense, again, that might be nice. In a legal sense, my goodness, that's a minefield of potential disasters. So we see that there is

[00:59:48] a lot of assumption that goes on in our industry, and it's only when things go wrong that the customer says, hey, wait a minute, I thought you had that covered, and then the service provider

[01:00:01] comes back and says, it's not included in the contract, we weren't doing that. Well, I thought you were. Well, we never said we were. And then there's a finger-pointing and an assumption of

[01:00:11] blame that cannot be recovered from, from a relationship scope perspective. I think we just have to assume that misunderstanding is the enemy of cybersecurity, so let's be crystal clear in our definitions and include that language that says very precisely, if it is not described in detail

[01:00:35] in this agreement, it is not included, and let's get customers to sign on the dotted line to acknowledge that fact. All right, guys, that's what we think about pricing. What do you think? What is

[01:00:50] your approach to calculation, and the way that you not only determine the cost per customer but the way that you communicate that to your customers and the way that you defend the value of

[01:01:04] your approach to that? We'd love to get some more feedback from the audience, because this is obviously a very keen topic, but it is also a very emotional topic. So reach out to us at our

[01:01:15] email address, cyber for hire at cyberriskalliance.com. You can hit the show page and follow the links for comments there, but let's keep this conversation going. In the meantime, we would like

[01:01:28] to shift now to the next segment of our program, and that is our relationship management segment that we call Dear Cyber For Hire. Now, this is our opportunity to mediate, to counsel and to hopefully improve the relationships between service providers and their clients in the cybersecurity

[01:01:50] field. The letter that we're about to share has been stylized to protect all of those who are innocent in this scenario, but believe us when we say this is a real situation that we hear from

[01:02:03] providers all the time in the real world, and we want to help you figure this out. So Bradley, set us up: what do we need to know about this week's letter? All right, thanks Ryan. Yep, we're back with even more

[01:02:15] juicy MSSP melodrama, and this one comes from the provider side of the relationship. So, fellas, cue the music. Dear Cyber For Hire, if two's company and three's a crowd, what's thousands of people?

[01:02:30] Like, impossible to keep track of. I'm as welcoming as the next person, but lately it feels like my partner is treating this place like an endless open house, people coming in and out,

[01:02:42] half the time I don't know anything about them. Allow me to elaborate: my managed services client is very lax in terms of their processes and policies around new employee onboarding and former employee offboarding, and I fear that this lack of workforce identity management may result

[01:03:00] in overly lenient access permissions, obsolete credentials that could one day be abused, or other security and privacy risks. A tidy home is a happy home, so how can I get my client partner to clean up their messy personnel problem? Sincerely, Overwrought Over Off-Putting Onboarding and

[01:03:21] Offboarding Omissions and Oversights in Orlando. Ryan, short of convincing the client to move to a managed IAM service or a managed HR service, how do you as an MSSP help a client who

[01:03:34] clearly doesn't have their house in order when it comes to employee onboarding and offboarding? You know, it's a great point that you make there, right, in the question: there are categories of technology designed specifically to address this precise problem in the world of business

[01:03:53] technology and cybersecurity, and yet the adoption rates for those services, identity and access management and managed HR services, are still incredibly low, right? I think this is not only an indication of a gap in technology and service coverage, it is an indication more broadly

[01:04:16] of how not good at the human parts of businesses most businesses actually are, right? Think about it like this: small businesses tend to hire new employees very infrequently, right? Think about a business that has 20 or fewer employees. In the managed service space, a very typical profile

[01:04:42] of a customer or a managed service provider that has, certainly, you know, a set of salespeople, some back-office operators, certainly a big team of engineers, and we are managing our client engagements with

[01:04:55] this set of human beings. How often each year does that organization actually have to hire somebody new and bring them on board? One employee a year, two employees a year? If we had a

[01:05:12] particularly bad year with churn and we had three or four people leave, we might add three or four back in in the course of 12 months. The best lessons that we can learn in life are around frequency

[01:05:29] and familiarity; anything that we do once or twice a year, we will be very bad at, right? If you extend that logic to just the raw demographics of end-user organizations in the world, what is it, 95% of all businesses

[01:05:51] in the United States are classified as small or very small businesses? It's only 5% that get into the medium and large size of organizations. The vast majority of end-user organizations hire occasionally, infrequently, and in a completely custom, made-up way each time; they've tried to figure it out.

[01:06:18] Almost all businesses, statistically speaking, are bad at human resources. It's not a surprise in that environment that they would also be bad at documenting their people when they are bringing them on, at defining, implementing and actually tracking a precise process for bringing people in

[01:06:41] and ensuring that security protocols are applied, and in managing the access rights for people as they depart the organization. Most of the time we're all just so busy, we've got, you know, multiple

[01:06:55] hairs on fire, we're running as fast as we can to keep up with all of our business, and when that new employee does show up one day, the typical experience for a new employee is:

[01:07:08] I'm really busy, I don't have time to sit down with you right now, there's your desk, here's a cell phone, let's catch up at lunchtime and see how things are going. Okay, that is an environment

[01:07:19] that is desperately ripe for very inefficient access management controls, and I think this is one of the very popular but least understood areas of security vulnerability. All right, Ryan, well, I appreciate your take on that, and with that, another relationship saved.

[01:07:43] So hopefully our listeners have learned from this and don't make the same mistake. Remember, if you've been struggling with your managed security services relationship, whether you're

[01:07:51] the user or the provider, we want to hear from you, so please write to us at cyber for hire at cyberriskalliance.com and we might use your letter in a future episode. All right, well, it's almost time to wrap things

[01:08:05] up. Before we go, it's time for us to get a little random as we share with you, drumroll please, our Irrelevant News of the Week. This is a real news pitch that Ryan or I have received

[01:08:16] in our inboxes for reasons that are entirely inexplicable to us. Are you ready, Ryan? I am ready. All right, well, here we go. The Naval History and Heritage Command announced the winners of the 2023 New Year's deck log contest. The tradition of the midnight New Year's Day poem

[01:08:37] allows sailors to write the first deck log entry of the new year in verse. First place this year went to Lieutenant Artem Sherbinin, hopefully I got that pronunciation correct, of the soon-to-be-decommissioned USS Bunker Hill, and his poem went like this:

[01:08:54] "As New Year's bells ring out tonight, we celebrate our warship's might. In poetic form we must recall Bunker Hill's life before her 2023 mothball." So Ryan, this time I actually gave you a

[01:09:10] little bit of a heads-up that we'd be doing this, so maybe you'd get in that poetic frame of mind, because I want us both to similarly recite a poetic New Year's log entry on the topic of cybersecurity.

[01:09:24] So same scenario: we're gonna pretend like it just turned 2023 and we had to write a couple of lines of verse to sum up the new year. I'm gonna go first with mine, and I call it "The CISO's 2023

[01:09:35] Lament": "With every single passing year, our cyber threats grow more severe. Oh how I long for the simpler days of Melissa virus and Y2K." That's my little poem, and now Ryan, I think

[01:09:55] you're gonna kind of improvise a little bit of poetry for us. See, the extemporaneous is my style; rhyming never ever was, and my approach has always been a little bit more literal and a little bit

[01:10:11] more alliterative. So I will say, that's a really long way to say, man, I don't get poetry, and yet I use words for a living. I gotta say, nicely done, Bradley, on your CISO's Lament.

[01:10:26] I also have to just indicate a little bit of being impressed with the service member's poetry, the fact that that's not the only person who actually writes poetry in the ship's log. Well, that's actually really impressive, to consider what they do for their jobs every day

[01:10:47] and then they can still actually write verse. I will say I've got no poetry anywhere around this topic. I'm focused exclusively on, I hope we solve this problem and make money in the process, so

[01:11:04] I'm just gonna be thematic and stick with that. All right, fair enough, Ryan. Still, whenever you speak it just flows out like poetry to me, and I'm sure to our listeners, so I appreciate that very much. Speaking of poetic verse, it's time for us to both disperse.

[01:11:24] We're out of time, let's bid adieu until next week, episode 22. Meanwhile, feel free to check out even more cybersecurity podcast content on the SC Media, MSSP Alert and ChannelE2E websites. Until next time, I'm Bradley Barth, and I'm Ryan Morris.

[01:11:43] Thank you very much for all of your insights that you do share with us on the program. Let's keep that conversation going. Please reach out to us via our email address or our show page

[01:11:54] and let us know what your insights, comments and questions are about anything to do with the business of cybersecurity. We'll keep this conversation going on the next episode of Cyber For Hire, your inside source for cyber outsourced podcast.