enterprisesecuritymag

Managed Security Services - A Business Partnership

By Peter Stevens, Head of Security Operations, Royal London Group

The threat landscape has changed dramatically in recent years, with a shift from protection being the default stance to one where assuming a state of compromise has become the foundation of the cyber security strategy for many CISOs around the world. While Identify & Protect activities clearly have their place, this shift in mindset has placed a huge focus on Detect, Respond & Recover activities for cyber events, working to contain threats as they materialise in the hope that they can be eradicated before they become business-impacting.

Unfortunately, that is not the reality. The proliferation of attack techniques has made this a challenging task, and this, coupled with a highly competitive market to recruit the best security skills, has seen many organisations turn to MSSPs for help in defending against the most determined adversary. Having held senior management roles in both the end-user space and the MSSP arena, I have experience of the challenges faced at each end of the service.

Business partnering

Unfortunately, a common gap I have seen in working within both end-user and MSSP environments is the lack of business partnering. An MSSP needs to truly understand a customer to be considered an extended part of their team. Business partnering is much more than a monthly service review to show performance against SLAs; it is recognition of changing business requirements and adapting to those needs in order to help the customer navigate the competitive landscape they operate within. As the customer aligns their security strategy to underpin an evolving business strategy, the MSSP needs to align with them. Remember, the MSSP will not initially have a view of which risks take priority, so there is much work to do by both the end user and the MSSP to reach alignment. All too frequently the MSSP turns its attention towards maintaining SLAs only, in the hope that delivering against those is enough to retain the customer’s confidence. While this may suffice as a service provider, the MSSP will typically struggle to make the leap into business partnering.

Cyber Security Services

The reason many organisations become dissatisfied with MSSPs is partly down to the MSSP’s lack of understanding of the customer’s expectations and the customer’s lack of understanding of the MSSP’s services. Some MSSPs deliver their service using the same approach as any other IT managed service; it just happens to be security technology being managed. The relationship here normally goes along the lines of commencement of the service followed by benchmarking against expectations. At some point in the lifecycle the service starts to deteriorate, and after more than a few escalations the service provider sends in the account lead to wrap their arms around the service, produce a service improvement plan and get things back on track.

While this may work for a traditional managed IT service, the problem with using this approach in the MSSP world is that deterioration in a cyber security service can result in serious consequences for the end-user organisation. Each party therefore needs to fully understand the objectives to be achieved in a client-MSSP relationship. The end-user organisation typically has risk reduction at the top of its list, followed by an augmentation of the best security skills and tooling in order to detect & respond quickly to cyber events. Other objectives include cost reduction and the ability to flex security resources up and down during busy periods, while some MSSP engagements extend to threat intelligence services.

Documenting those expectations as requirements goes without saying, but remember, requirements will change with the threat landscape, and as the adversary develops new ways to achieve their financial goals, defenders must be equally creative in detection techniques. This is where the strength of the MSSP relationship is tested. If the MSSP is ahead of the game, detects the new threat as it appears on the landscape and takes the lead on working with the customer to develop the security controls required, then they take the relationship to a whole different level. I’m not simply referring to a new vulnerability here, but rather a new attack technique which requires some development work to detect. At this point the MSSP becomes a thought leader, bringing a level of insight and risk reduction to the customer that may be missed without the relationship. The MSSP at this point is considered an extended part of the customer’s security team, a business partner.

Expectations of the customer do need to be aligned, however: unless you are paying a premium for ring-fenced resource, you’ll be receiving a shared service. I have operated globally shared security services in a follow-the-sun model, domestic in-country services for local-language support, and ring-fenced services for premium customers. There are cultural differences to consider in a global model, as not all regions are equal in their approach to a problem.

In summary, if the customer enters the relationship with this understanding, then whether it’s help with augmenting the in-house skills to manage their security technology stack, a hybrid approach of triaging cyber events only, or a fully managed service from the MSSP for the whole lifecycle of security services, the key to a successful relationship is business partnering.
