
Patreon Laid Off Their Entire Security Team. Should You?

Patreon laid off their security team. But why? Outsourcing, automation and talent wars are the likely reasons. But can an MSSP deliver all of that?

Some Patreon creators are saying they are going to delete their accounts after Patreon laid off all 5 members of its security team. Leaving Patreon is an overreaction, since we don't yet know what happened or who is going to take over the security processes.


A PCI DSS audit may be the reason

Patreon handles global payments from millions of users all over the world. They are required by Visa and Mastercard (and the other card brands) to undergo a PCI DSS audit. I believe they are at Level 1, which is defined as follows:

PCI DSS compliance levels

Level 1: Applies to merchants processing more than six million real-world credit or debit card transactions annually. They must undergo an internal audit once a year, conducted by an authorized PCI auditor. In addition, once a quarter they must submit to a PCI scan by an Approved Scanning Vendor (ASV). (Source: https://www.imperva.com/learn/data-security/pci-dss-certification/)

A Level 1 audit is the highest standard and the requirements are stringent. Patreon's IT operations look more like a bank's!

In 2022, the PCI Security Standards Council published Version 4, which replaces v3.2.1 by Q1 2024.

PCI DSS implementation timeline

My guess is that there was a PCI DSS audit and either the result was not good or the security team did not handle the audit requirements well enough. (Sometimes it also depends on the auditors and how well they prepared.)

Therefore the management team took the drastic step of replacing the whole security team. It is unusual to fire an entire team in any company, and the reason behind it is likely not solely about costs.

BUT this news amplifies what we have observed in recent years about the cybersecurity challenges CIOs in medium-sized firms are dealing with.

1. Talent Wars

How long does it take to hire cybersecurity personnel? It can take forever if your firm is not flexible and willing to invest!

Cybersecurity analysts are like doctors in the ER. They work long hours and need to respond to incidents with both technical and business acumen! The IT network architecture, data sources and attack patterns are always in flux.

At the same time, many firms' security teams are still small and they are in a hurry to improve the ratio. In Patreon's case, with around 400 full-time employees, their security team was only 5 people. Considering they run 24×7 payment operations, the ratio is low, and it is also a reason I believe they failed a PCI DSS audit.

To hire an experienced security professional, a medium-sized firm needs to compete with banks, national security agencies, Internet giants and even VC-funded cybersecurity startups. I have seen some compensation packages from headhunters, and it is no longer just about take-home salary!

If you are the CIO of a medium-sized firm, it is tempting to outsource the whole security operation and hold on to the cybersecurity outsourcing contract as your lifeboat.

2. Managed Security Services Providers

An MSSP can come to the rescue if you are willing to pay 3x your security budget. Period. Just read the following Reddit users' comments. I have no more to add.

I worked at an MSSP a while back and having a dedicated team was an option, but one that few were willing to pay for. They offered a premium type service and the staff on those accounts carried no more than 3-4 customers max. It was highly customized and was a great option, but the cost was high too. In many ways I think customers have unrealistic expectations when it comes to MSSPs and the cost of their services. While it should certainly be cheaper than staffing in house it's often not going to be a 10x savings.

Reddit user: https://www.reddit.com/user/bitslammer/

I’ve worked for an MSSP in a SOC and have worked with several MSSP/MDR vendors as a customer. I have yet to find one that I was happy with. Some of them do have teams that could provide more dedicated partnership, as in, you work with the same analysts or SMEs regularly, but this is often the top tier package and does not come cheap. Your standard package is going to be a revolving door of analysts that don’t have any information or detail of what a normal baseline looks like or how things fit or work within your environment. It’s always been a pain point of mine.

Reddit user: https://www.reddit.com/r/cybersecurity/comments/x9u6a7/comment/inr7j16/?utm_source=share&utm_medium=web2x&context=3

Anecdotally, I've never worked with an MSSP that I was impressed with, and good luck asking multiple 3rds to learn and work together to protect your environment.

Reddit user: https://www.reddit.com/user/Beef_Studpile/

3. Automation

The holy grail of cybersecurity operations is automation: reduce manual tasks, lower detection errors and speed up response. MSSPs have the ideal setup to experiment with automation strategies, and automation is key to their success, both on cost and on quality.

The security stack and toolset of an MSSP is very likely more well-rounded and better maintained than that of a medium-sized firm. Therefore you need to look for an MSSP with software development capabilities, not just one that installs sensors.

Most commercial XDR or SIEM tools have APIs for automation, but using those APIs and doing customisations usually requires a premium, more expensive tier of the product.

If the MSSP uses open source tools like Wazuh, that gives the MSSP more flexibility for integrations and automation. But you, as the CIO, need to ask whether they are using an open source tool just to save costs or whether they are willing to invest in developing automated work processes! Don't go for those who say it is cost-effective to use open source tools!

Since you are reading about automation, you may like to know about blocking malware without manual updates: https://www.aplens.co/blog/how-to-stop-malware-with-a-url-whitelist
