Introducing the security management partner: A specialist for financial services

In this impact brief, Joseph Krull addresses the state of cybersecurity for financial services and introduces the security management partner concept to bring financial industry precision to financial institution security.

General practitioners can provide a basic level of care for the human body, but specialists are normally called in to diagnose and treat more complex issues based on their advanced training, unique talent, and expertise. Managed security services providers frequently operate like general practitioners and provide a range of generic cyber services to multiple industries. But this one-size-fits-all approach to cybersecurity often misdiagnoses issues and risks specific to the financial services industry.

Enter the security management partner, a new approach to cybersecurity based on deep expertise in the types of threats facing financial services organizations. The security management partner is ideally suited to financial services organizations that may not have sufficient cyber expertise on staff, but it can also be enticing for firms that want to augment existing cyber capabilities.

This report provides a high-level overview of the managed service provider (MSP) and managed security services provider (MSSP) market. It also provides two case studies that illustrate how a specialized approach for financial services clients offers unique advantages for managing cyber risk.

Reasons that outsourced cybersecurity can fail

Many organizations have used outsourced cybersecurity services, often with mixed results. There are several factors that can lead to a failed relationship including:

• The cybersecurity services provider staff does not have specific financial services industry knowledge, particularly audit and compliance requirements.
• The supported organization treats the service provider as a vendor rather than a business success partner.
• The organization has unrealistic expectations for the service provider.
• The organization requires the service provider to manage outdated cyber tools and products.
• There may be limited or infrequent coordination with the service provider after the initial “honeymoon” period.
• In smaller organizations, the person responsible for security does not devote sufficient time to nurture the relationship or fully understand the provider’s capabilities.
• The cybersecurity services provider offers complex pricing models that complicate the organization’s cost control measures.  

For these reasons and many others, some financial services organizations had less than favorable outcomes with their first forays into managed security services. However, recent innovations in the managed security services market, particularly the concept of a security management partner, may warrant another look at a service provider relationship.