R-CISC’s 2018 Managed Security Service Provider (MSSP) Benchmark Survey Reveals Retail Industry CISOs Will Continue to Invest in Services

R-CISC’s 2018 Managed Security Service Provider (MSSP) Benchmark Survey

Reveals Retail Industry CISOs Will Continue to Invest in Services

Increasing Challenges for In-House Talent a Concern


DATE August 21, 2018

Contact: R-CISC Press Office



Washington, D.C.—Organizations of different sizes show differing appetites for subscribing to and

leveraging managed security service provider (MSSP) services. This is one of the key findings of

the MSSP Benchmark Survey, conducted by the Retail Cyber Intelligence Sharing Center (R-CISC).

More than 40 organizations participated in the survey and reported that due to increasing cost concerns

and challenges faced with in-house talent, organizations are looking to outsource security functions to

an MSSP instead of building the capability in house for monitoring events from IT infrastructure logs,

firewalls and Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS). Participating

companies spanned retail channels, including retail, restaurants, hotels, gaming properties,

consumer financial services and consumer packaged goods.


“While retail and hospitality businesses may have similar transaction volumes as some of their

banking counterparts, they typically have smaller information security teams and spend. We

observe that CISOs from our retail clients are finding ways to do more with less, helping their

organizations secure tomorrow’s growth in a world of shifting consumer expectations,” said

Upen Sachdev, principal at Deloitte & Touche LLP.


Many participating organizations indicate that they are likely to increase spend or retain 2018 budgetary

spend for MSSPs in the coming year.


Lauren Dana Rosenblatt, deputy chief information security officer (CISO) for the Estée Lauder

Companies, said, “For CISOs and their teams, benchmarking metrics and information sharing

with retail industry peers provides visibility and useful context to build confidence from a

strategic perspective and situational awareness at a tactical level. Whether our focus is on

strategic planning or assessing our cyber threat programs, sharing information is a critical step

that can help influence how we evolve our abilities to better protect our consumers, employees

and brands.”


Highlights from the R-CISC MSSP Survey report include:

• Next generation CISOs are leading innovation.

      o Respondents are driving in-house focus on orchestration, dark web monitoring, and hunting

      while leaning on MSSPs to block and tackle.

• The most frequently leveraged managed security service is log monitoring with nearly all

respondents currently subscribing.

• Budget and talent are still top problems.

      o 92% of respondents report that the cost of developing and maintaining in-house talent,

      and/or challenges attracting and retaining talent are top reasons for leveraging MSSP services.


“All companies, including retailers, need to constantly adapt to stay ahead of today’s cyber

threats. Benchmarking with other companies plays an important role in enhancing our security

program at Target, supporting our team’s continuous improvement and getting visibility into the

state of the industry. Cyber security shouldn’t be considered a competitive advantage, but a

collaborative effort. Each company’s willingness to actively share information is crucial; the

more we share, the better we become at defending our companies and strengthening the

capabilities of the retail industry,” said Rich Agostino, CISO, Target Corporation.


About the Report

The R-CISC member companies provide expertise for the development of retail benchmarking

programs that meet the need for retail-focused data and demonstrate the impact of security

activities on business revenue. By harnessing input from member contributors and insight from

industry partners, the R-CISC’s goal is to produce a series of focused surveys that inform

member-derived products built to serve as a CISO reference for retail, gaming, restaurants,

hospitality and other consumer-facing businesses. The MSSP Benchmark Survey is first in a

series of surveys built to improve visibility, decision-making and prioritization abilities for CISOs.

R-CISC consulted Deloitte for its experience to develop the MSSP Survey of its members. The


available to R-CISC retail members. A white paper on the report is available to the public. For

information about membership in the R-CISC, please contact Jennifer McGoldrick-Stenberg,

Director of Membership & Operations.

About the Retail Cyber Intelligence Sharing Center (R-CISC), the Retail ISAC

The R-CISC is the trusted cybersecurity community for retailers, consumer products, grocers, hotels,

gaming, restaurants, consumer financial services and cybersecurity industry partners worldwide. The RCISC

supports its member base, representing more than $1 trillion in annual revenue, by serving as the

conduit for collaboration, cooperation, and threat and best-practice sharing. Through building and

sustaining valuable programs, partnerships, products and opportunities, the R-CISC enables its members

to deepen their trust-based relationships, strategic knowledge and tactical capabilities. For more

information on the R-CISC and how to join, visit r-cisc.org. Connect with us on Twitter and LinkedIn.