
The implications for MSPs and MSSPs in CISA’s April 2023 Guidance: “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default”


In the constantly evolving cybersecurity arms race, it’s becoming increasingly clear that security has to be embedded into products and services from the outset, not just patched on or dealt with downstream once vulnerabilities are found and exploited. On April 13, 2023, the United States Cybersecurity and Infrastructure Security Agency (CISA) released the guidance document “Principles and Approaches for Security-by-Design and Default,” which outlines guidelines and security best practices for incorporating security into the development of software and services, so that products are hardened from the outset and depend less on users to implement, monitor, and maintain security.

In this document, CISA offers a comprehensive set of principles that run the gamut from incorporating security into the design and development phases to testing and monitoring security throughout the product’s lifecycle. This shift in where security risk sits, and who is responsible for it, envisions a proactive approach to security: vulnerabilities are addressed before attackers can exploit them, and (to some degree) regardless of whether users are able and diligent enough to correctly and continuously implement security best practices.

Managed service providers (MSPs), managed security service providers (MSSPs), and other network solution providers should be especially interested in this proposed shift in the industry as they develop and implement MSP security best practices and provide security services. The starting point and bottom line of the guidance is that software creators are encouraged to take ownership of improving the security outcomes of their customers. 

That’s well and good when, if, and to the extent that the aspiration can be made real. But it’s by no means an all-clear for solution providers or their clients to relax their vigilance. The line between MSP and MSSP is becoming increasingly blurred, as clients ask their MSPs for security services that quickly turn those MSPs into MSSPs. It’s going to be a process, a journey. Here are some implications:

Historically, security has been less proactive, more reactive

Historically, technology manufacturers have done their best (some more, some less) to ship secure products, but in reality have had to focus on patching vulnerabilities found after the software is in the wild and customers have deployed it. This left customers and other end users owning most of the risk, taking mitigation measures at their own expense and limited by their own expertise.

CISA’s rational, hopeful solution for decreasing cybersecurity risks

Going forward, CISA hopes for and recommends Secure-by-Design (built into the code) and Secure-by-Default (built into default settings) practices. If this vision can be realized, it will largely free customers and other end users from the highly insecure cycle of waiting for fixes, and applying them, only after real-world damage has already been done.

Most of the burden of cybersecurity will be moved upstream to manufacturers, if this vision is realized, reducing the chances that customers will suffer from security incidents resulting from misconfigurations, too-slow patching, user error, and other common issues. 

Security from the outset

One of the most significant implications of this document for MSPs and MSSPs is that they can increasingly choose offerings that incorporate security from the outset. 

Continuous monitoring

MSPs and MSSPs will also find themselves in a position to help implement a continuous monitoring approach to security, ensuring that any vulnerabilities or threats are identified and addressed in real time. This includes ongoing vulnerability assessments and penetration testing, as well as the implementation of security controls such as firewalls, intrusion detection and prevention systems, and endpoint protection.

Client education

Removing all risk responsibility from customers and end users isn’t possible, so another key implication of this document is that MSPs and MSSPs (together with manufacturers) need to continually and efficiently educate downstream users about why security is urgent and how to implement it efficiently. That education can cover not only the “locked doors” of effective security measures, but also mitigation of the residual risk through managed service provider insurance.

This brings up a well-founded quip from industry conversations:

“Is cyber crime insurance worth it?”

“That depends on if it’s bought before your company is hit.” 

Too many businesses still view security as an unnecessary expense they can skimp on, or something that can be addressed after the fact. However, with the growing threat and the growing stakes involved in cyberattacks and data breaches, it’s essential for businesses to prioritize security from the outset.

What MSPs, MSSPs, and other network solution providers can look for when choosing software

Here are some quick takeaways to get you started. This list is not comprehensive, but is designed to give you some framework for evaluating software. For the fullest view of the recommendations, see the CISA document directly. 

Look for technology in which the manufacturer … 

  1. Does not place responsibility for security solely on the customer. 
  2. Embraces radical transparency and accountability.
  3. Builds organizational structure and leadership to achieve Secure-by-Design and Secure-by-Default.
  4. Convenes routine meetings with company executive leadership to drive the importance of these two design principles.
  5. Operates around the importance of software security to business success. (Customers and other end users will choose companies who implement these two principles in their offerings.) 
  6. Prioritizes the use of memory safe languages wherever possible.
  7. Incorporates architectural features that enable fine-grained memory protection.
  8. Acquires and maintains well-secured software components from trusted sources.
  9. Uses web template frameworks that implement automatic escaping of user input to avoid web attacks such as cross-site scripting.
  10. Eliminates default passwords.
  11. Implements single sign-on (SSO) technology.
  12. Provides high-quality, secure audit logs to customers at no extra charge.
  13. Prioritizes forward-looking security over backwards compatibility.
  14. Takes into account the user experience consequences of security settings.
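Item 9 above describes a web template framework that escapes user input automatically. The following added example (it is not from CISA’s document or from any framework’s own code) shows why that is a Secure-by-Default property: a toy template renderer whose `autoescape` option defaults to on, so an untrusted display name cannot inject markup unless a developer explicitly wraps trusted HTML in `Markup`. The `render` function, the `Markup` wrapper, and the sample input are constructed for illustration.

```python
import html
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Markup:
    """Marks a string as already-trusted HTML. Only code that deliberately
    builds safe markup should create one; ordinary input never is."""
    value: str


def escape(value) -> str:
    """Escape untrusted text for an HTML body/attribute context; pass Markup through."""
    if isinstance(value, Markup):
        return value.value
    return html.escape(str(value), quote=True)


_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, context: dict, autoescape: bool = True) -> str:
    """Substitute {{ name }} placeholders from context.

    autoescape=True is the secure default: every value is escaped unless it
    was explicitly wrapped in Markup. autoescape=False reproduces the legacy
    behaviour in which raw input lands in the page unchanged."""
    def substitute(match: re.Match) -> str:
        value = context[match.group(1)]
        if autoescape:
            return escape(value)
        return value.value if isinstance(value, Markup) else str(value)
    return _PLACEHOLDER.sub(substitute, template)


# Constructed sample: a display name supplied by an untrusted user.
UNTRUSTED_NAME = '<script>alert("xss")</script>'
TEMPLATE = "<p>Welcome, {{ name }}!</p>"


def legacy_render(name) -> str:
    """Insecure-by-default engine: the markup reaches the browser intact."""
    return render(TEMPLATE, {"name": name}, autoescape=False)


def safe_render(name) -> str:
    """Secure-by-default engine: the same input is rendered as inert text."""
    return render(TEMPLATE, {"name": name})


def contains_active_markup(page: str) -> bool:
    """Simple check a reviewer or test can run: is a live <script> tag present?"""
    return "<script" in page.lower()
```

Running `safe_render(UNTRUSTED_NAME)` yields the name as escaped text, while `legacy_render(UNTRUSTED_NAME)` emits the script tag unchanged; only `safe_render(Markup("<b>Admin</b>"))` keeps tags, because the developer opted in explicitly.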

Conclusion

Some of the takeaways, above, are within the control of MSPs and MSSPs, but many are not. That’s why it’s crucial for MSPs and MSSPs, moving forward, to partner with technology manufacturers who embrace their responsibilities to create software that is Secure-by-Design and Secure-by-Default. 

Although it may be early days in this new direction for security, it’s important for MSPs and MSSPs to be aware of it, to encourage it, and to find partners who embrace it, lest they be left behind with what will rapidly become “yesterday’s” obsolete, highly insecure, and uncompetitive technology.

About the Author:

Doug Kreitzberg, Founder & CEO of SeedPod Cyber

As CEO of USI Affinity and Programs (2004-2018), Doug led affinity business development, marketing and program businesses, including professional liability, commercial property & casualty, personal lines, and life and disability programs. In 2018, Doug founded a cybersecurity and data privacy risk consulting firm. It was through his consulting practice that he learned the value that Managed Service Providers bring to small and medium-sized businesses. That insight formed the basis for SeedPod Cyber, a cyber insurance managing general agency Kreitzberg founded in 2021, which partners with Managed Service Providers to provide cyber insurance to their clients.