R-CISC’s 2018 Managed Security Service Provider (MSSP) Benchmark Survey
Reveals Retail Industry CISOs Will Continue to Invest in Services
Increasing Challenges for In-House Talent a Concern
FOR IMMEDIATE RELEASE
DATE: August 21, 2018
Contact: R-CISC Press Office
Washington, D.C.—Organizations of different sizes show differing appetites for subscribing to and
leveraging managed security service provider (MSSP) services. This is one of the key findings of
the MSSP Benchmark Survey, conducted by the Retail Cyber Intelligence Sharing Center (R-CISC).
More than 40 organizations participated in the survey and reported that, due to increasing cost concerns
and challenges faced with in-house talent, organizations are looking to outsource security functions to
an MSSP instead of building the capability in house for monitoring events from IT infrastructure logs,
firewalls and Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS). Participating
companies spanned retail channels, including retail, restaurants, hotels, gaming properties,
consumer financial services and consumer packaged goods.
“While retail and hospitality businesses may have similar transaction volumes as some of their
banking counterparts, they typically have smaller information security teams and spend. We
observe that CISOs from our retail clients are finding ways to do more with less, helping their
organizations secure tomorrow’s growth in a world of shifting consumer expectations,” said
Upen Sachdev, principal at Deloitte & Touche LLP.
Many participating organizations indicate that they are likely to increase spend or retain 2018 budgetary
spend for MSSPs in the coming year.
Lauren Dana Rosenblatt, deputy chief information security officer (CISO) for the Estée Lauder
Companies, said, “For CISOs and their teams, benchmarking metrics and information sharing
with retail industry peers provides visibility and useful context to build confidence from a
strategic perspective and situational awareness at a tactical level. Whether our focus is on
strategic planning or assessing our cyber threat programs, sharing information is a critical step
that can help influence how we evolve our abilities to better protect our consumers, employees
Highlights from the R-CISC MSSP Survey report include:
• Next generation CISOs are leading innovation.
  o Respondents are driving in-house focus on orchestration, dark web monitoring, and hunting
    while leaning on MSSPs to block and tackle.
• The most frequently leveraged managed security service is log monitoring with nearly all
  respondents currently subscribing.
• Budget and talent are still top problems.
  o 92% of respondents report that the cost of developing and maintaining in-house talent,
    and/or challenges attracting and retaining talent are top reasons for leveraging MSSP services.
“All companies, including retailers, need to constantly adapt to stay ahead of today’s cyber
threats. Benchmarking with other companies plays an important role in enhancing our security
program at Target, supporting our team’s continuous improvement and getting visibility into the
state of the industry. Cyber security shouldn’t be considered a competitive advantage, but a
collaborative effort. Each company’s willingness to actively share information is crucial; the
more we share, the better we become at defending our companies and strengthening the
capabilities of the retail industry,” said Rich Agostino, CISO, Target Corporation.
About the Report
The R-CISC member companies provide expertise for the development of retail benchmarking
programs that meet the need for retail-focused data and demonstrate the impact of security
activities on business revenue. By harnessing input from member contributors and insight from
industry partners, the R-CISC’s goal is to produce a series of focused surveys that inform
member-derived products built to serve as a CISO reference for retail, gaming, restaurants,
hospitality and other consumer-facing businesses. The MSSP Benchmark Survey is first in a
series of surveys built to improve visibility, decision-making and prioritization abilities for CISOs.
R-CISC drew on Deloitte's experience to develop the MSSP Survey of its members. The
full 2018 MANAGED SECURITY SERVICE PROVIDER (MSSP) BENCHMARK SURVEY report is
available to R-CISC retail members. A white paper on the report is available to the public. For
information about membership in the R-CISC, please contact Jennifer McGoldrick-Stenberg,
Director of Membership & Operations.
About the Retail Cyber Intelligence Sharing Center (R-CISC), the Retail ISAC
The R-CISC is the trusted cybersecurity community for retailers, consumer products, grocers, hotels,
gaming, restaurants, consumer financial services and cybersecurity industry partners worldwide. The R-CISC
supports its member base, representing more than $1 trillion in annual revenue, by serving as the
conduit for collaboration, cooperation, and threat and best-practice sharing. Through building and
sustaining valuable programs, partnerships, products and opportunities, the R-CISC enables its members
to deepen their trust-based relationships, strategic knowledge and tactical capabilities. For more