MSI: removing the dangerous distraction of cybersecurity complexity for CISOs

Being a Chief Information Security Officer (CISO) wasn’t easy, even before the pandemic, and COVID-19 certainly hasn’t helped. Fragmented supply chains and complex operating models consume much of the average CISO’s time and attention, causing potentially dangerous distractions from responding to security vulnerabilities and attacks. So what can enterprises do to manage the ever-increasing cybersecurity management burden better?

The CISO’s life is never boring. They are kept busy with securing the migration of workloads to the cloud, the proliferation of Internet of Things (IoT) devices, decentralization of business models, new data privacy regulations, and the ever-increasing number and evolution of cyber threats: the inventiveness, determination and diversity of malicious actors are accelerating.

Cybersecurity has long been a hot topic for the boardroom, driven by high profile security incidents and breaches, which have had a negative impact on company brand image. Businesses have responded by rapidly increasing expenditure on security tools and services over a long period of time. This investment glut, however, has led to the security marketplace becoming saturated with hundreds of security providers addressing point vulnerabilities and security threats.

Consequently, enterprises can end up with a dizzying inventory of security appliances, software and services. For example, one company Orange worked with had an estate of 150 separate commercial agreements covering their cybersecurity estate of 95 separate tools and services. This is neither efficient nor sustainable. Not to mention that this size of cybersecurity inventory carries a big price tag: Gartner reported a total cybersecurity spend of $124 billion in 2019, while other research estimated that cybersecurity accounts for as much as 25% of total IT spend.

In addition, many different cybersecurity assets have overlapping functionality, and there is little cooperation between different security providers. Managing security has become more complex: the job of managing different providers and understanding assorted agreements is extremely time consuming.

We call this situation “dangerous distraction”: time spent managing license agreements, supply chain issues, and staff recruitment and retention is time taken away from managing security vulnerabilities, regulatory compliance, and securing the cloud and IoT, and it can be ruinous for the brand and agility of the business.

Cybersecurity is even more challenging in a post-COVID-19 world

The pressures and demands the pandemic has added to the world are intensifying the already daunting cybersecurity challenge. Our conversations with customers have led us to believe that a successful cybersecurity strategy in the post-COVID-19 environment will center around three key elements:

1. Resilience: There will inevitably be further shocks, and if anything, cyberattacks will ramp up and more consistently target more disparate enterprise operations, such as large-scale working from home (WFH). So it’s vital that security operations teams are able to anticipate, plan for, absorb and rebound from incidents to support the business effectively. Plan for when rather than if you will be attacked.

2. Cost efficiency: The financial impact of the pandemic will almost certainly mean a tightening of budgets, making it imperative to squeeze maximum return on investment. CISOs will also need to be able to demonstrate that the money they spend delivers the required security and business results.

3. Flexibility: How you bounce back post-pandemic remains to be seen, both in terms of speed and shape. Some areas of your business may rebound quickly, while others may take a lot longer. At the same time, new cybersecurity threats will continue to emerge. As such, you’ll need the flexibility to scale safely, add and remove services and implement new working practices as they evolve.

How Multisourcing Service Integration can help

Applying Multisourcing Service Integration (MSI) to cybersecurity provides an opportunity for enterprises to address these challenges effectively.

With MSI, Orange becomes your service integrator for cybersecurity and operationally manages the supply chain, while you continue to retain the commercial relationships with service providers. We both collaborate on optimizing the composition and performance of the supply chain and operating model.

MSI is a way of avoiding the damaging and time-consuming swing between completely insourced and completely outsourced models. It ensures that you retain visibility and control over the supply chain that you might otherwise lose in a completely outsourced model, while dramatically reducing complexity.

The results you can achieve using MSI vary according to the nature and maturity of the company in question, but in our experience, results have been consistently impressive. For one customer, we achieved a 50% reduction in incident impact, and for another we delivered a 25% reduction in overall costs within a particular budget category.

Our MSI expertise has been recognized by industry analysts, including IDC and GlobalData, and by ISG, who recently named Orange as a leader in several MSI competencies, including business value management.

Getting started with MSI

To help you define your MSI journey, we recommend an MSI Discovery Workshop. This one-day virtual workshop assesses key design decisions and the viability of MSI for your cybersecurity and sketches out a flexible implementation roadmap. First steps in this approach could include:

  • Operationally managing a category of security providers, providing a single point of contact, reporting and performance management
  • Setting up and running a tiered sourcing management model across all security operations tools and service providers
  • Reviewing, re-architecting and consolidating the supply chain for the perimeter security services

MSI helps you strengthen your cybersecurity capabilities

Overall, MSI is a compelling approach for CISOs and cybersecurity teams who want to spend much more of their time focusing on proactively securing their organizations from external threats and thereby driving competitive advantage.

By partnering with a cybersecurity MSI specialist like Orange, you have access to “skills as a service,” which lets you rapidly scale up or down the resources you use with no compromise to service levels or security, ensuring your organization’s resilience.

The established relationships Orange has across the security operations world enable the rapid introduction of new services and vendors with the optimum licensing and commercial models, while also retaining high levels of service and security.

And the investments Orange makes in automation, artificial intelligence (AI) and ongoing process improvement help ensure high levels of productivity, driving cost efficiency relative to an insourced approach.

All told, MSI is a powerful way to strengthen your cybersecurity management capabilities and to avoid a bad case of dangerous distraction for your CISO and your business. They will thank you for it.

To learn more about Multisourcing Service Integration and Orange Cyberdefense capabilities, please visit our MSI focus page.

Graham Ramsden

Graham Ramsden is a Senior Service Integration and Management Architect at Orange Business Services. He has led the design, implementation and optimization of some of the largest and most complex Multisourcing Service Integration (MSI) projects in the communications services industry and is an expert in operating model design, sourcing negotiation, implementation and troubleshooting. Graham is passionate about the topic of agile transformation of IT Service Management and has written and published a book on the subject. Graham is based in the UK and enjoys travel, good food and good wine.