Managed Security Services (MSS) are changing how companies approach their cyber security strategies, and the adoption of Managed Security Service Providers (MSSPs) to execute various cyber security functions for end-user organisations is also growing. The opportunities created by new ways of delivering IT, such as cloud-based platforms and applications, DevOps and serverless computing, mean that cyber security challenges are also increasing, and we need more creative approaches to overcome them. According to Gartner, at its core an MSS monitors digital security events and provides cyber security tools to enterprises, allowing these enterprises to reprioritise their limited resources. An MSS could be expected to manage IT security services remotely or on premise and to provide enterprises with essential security tools that range from network monitoring, to threat intelligence, to a managed Security Operations Centre (SOC). As organisations tackle the challenges of building their security defence capabilities, they will encounter several questions that require an appropriate response. If you are yet to start your journey, perhaps I can provide some insights to help you on your way.
What do you want from an MSSP?
For lots of organisations, attempting to match the might or sophistication of cyber-attacks can be simply overwhelming or just too expensive, and an alternative approach may be to partner with an MSSP. Organisations with clear objectives are best placed in this relationship. Organisations must speak to their internal stakeholders, review their internal policies and consider their risk profile. Doing this provides valuable insight and a wish list that you can refine into requirements. Some common objectives for an MSSP include:
• I want to improve the organisation's overall cyber security posture
• I want to reduce the organisation's overall cost of cyber security ownership
• I want to lower the risks of cyber security incidents impacting critical business services
• I want to benefit from external cyber security staff augmentation
It is no surprise that companies frequently state how unsatisfied they are with the return from their MSSP investments. This is far too common. I would encourage organisations to set clear objectives to improve their chances of a successful MSSP experience.
What is your end goal?
So, after you determine your objectives – what do you do next? “How will you know when you have achieved your objectives?” This is where a good set of requirements comes in. I cannot emphasise enough the importance of a clear set of requirements before you engage with the MSSPs. It is also a bad idea to rely on the MSSP to come up with requirements. Let me explain:
• MSSPs have no knowledge of the priority of the risks that affect your organisation. The priority of cyber security risks differs across organisations; even organisations in the same sector facing the same threats have different risk appetites and view risks differently. This risk appetite must influence the selection of requirements.
• There is no sense of ownership. As an organisation you must be invested in this process. It would be unfortunate if requirements were ambiguous or not a fit for the organisation. There is also a chance that these requirements could be contested by internal stakeholders during the lifecycle of the service.
Your requirements are the roadmap to your end goal. As an organisation that wants the best value from an MSS, the ability to see your end goal may just tip the balance between a beneficial experience and an unsatisfied one.
Ask better questions?
Many MSSPs are expanding their portfolios with products in multiple cyber security domains, such as security information and event management (SIEM), managed detection and response (MDR), security analytics, dynamic application security testing, assessing containers and cloud services, vulnerability management, endpoint protection, threat intelligence, penetration testing, internet security, identity and access management (IAM), and Security Operations Centre (SOC). A common pitfall is to ask questions focused only on the technology that sits behind the service; let’s face it, this is the “eye candy” of the service. My advice to you: don’t ignore the technology, but don’t focus on that alone. Every interviewer will tell you that if you want to know more about a candidate, ask open-ended questions. If you ask questions whose responses just tell you what was written on their resume, then you have learnt nothing new. Scenario questions always reveal a bit more about a candidate, as they highlight not just their skills but how they communicate, handle pressure and respond to deadlines. The MSSPs should not be any different. Ask the MSSPs who provide a vulnerability management service how their service can help your business prioritise critical vulnerabilities, not whether they can detect critical vulnerabilities. When you ask scenario questions, this elevates the MSSP's value proposition to your organisation, which leads you to make a more informed selection decision. To get the best return on investment you need to ask the right questions during the selection process. The wrong questions could lead you down the path of a bad investment, and more likely to fatigue of internal resources or, worse, the devaluing of the cyber security capabilities to the business.