Managed Security Services That Matter

By Eric Noonan • July 10, 2019

When shopping for a Managed Security Services Provider (MSSP), there are plenty of checklists that you can download to help funnel you right to that vendor’s particular product. This isn’t that blog post, although at some point I am sure we have published one too. While checklists are helpful in narrowing down the capabilities and tools that you want to add to your probably already too big portfolio of tools, the focus should really be on the services that you will be adding to your existing team.

Candidly, the capabilities are generally similar across MSSPs and cover some kind of SIEM platform, monitoring, incident response (IR), vulnerability management (VM) and a number of other competencies that are bundled into a managed service offering. They are bundled in part because these are what the vast majority of businesses lack and need, but also because the bundling enables sales, at scale, for product vendors and MSSPs. It’s been our experience that the material difference from one product vendor or MSSP to the next, in your favorite version of a Magic Quadrant, covers features and capabilities that don’t ultimately make your business more secure or compliant. Often, it’s a distinction without a difference, especially for a security program that is still struggling with the blocking and tackling of cybersecurity: patching, asset management, and incident response. So, beyond checklists, “threat hunting” and “advanced intelligence platforms”, where should your business focus when trying to make a mid- to long-term commitment with your first or a new MSSP?

Where Should Your Business Focus When Deciding on an MSSP?

Start with service, as in the service your business specifically needs to extract value from the MSSP relationship. The services your business needs are, in fact, unique to your business. If they weren’t, you could pick the first Google Ads result that comes up (which isn’t the best MSSP for your business, just the best MSSP at creating Google AdWords campaigns on any given day). Instead of analysis that is overly focused on the most advanced capabilities and toolsets, it will pay dividends to meet with a potential MSSP and align their offering with your business requirements. Selecting an MSSP is a business decision, even if the vendor marketing is geared towards making it a technology decision. For example, if you are in a highly regulated industry like defense contracting, and NIST 800-171 compliance is fundamental to your ability to win business, your MSSP should have core expertise in delivering on these security requirements. The technology (SIEM, VM, IR, etc.) is a given, but the ability of your MSSP to enable documented, automated and auditable compliance with your customer requirements isn’t. Ultimately, the MSSP you choose in this scenario should make compliance a natural outcome of day-to-day security operations so that over time you can focus more resources on actual defense. What does this look like in practice?

Achieving Compliance as a Natural Outcome of Day-to-Day Security Operations

For most businesses, it doesn’t look like a laundry list of acronyms and industry jargon about threat intelligence and advanced threat hunting capabilities. It looks like an integrated team, your internal staff (to the extent you have one) and that of your MSSP, working together on a weekly basis to deliver measurable outcomes over time. The tools leveraged by your MSSP can produce beautiful charts and endless trends but the critical questions to answer relate to outcomes achieved. It’s nice that an MSSP can tell you the top 10 vulnerabilities in your environment, but the outcome you should be focused on is remediating those vulnerabilities. If your team is too busy to patch or otherwise remediate the “top 10 vulnerabilities”, you just end up with a pretty graphic that doesn’t make you more secure or compliant.

To drive outcomes, instead of charts and trendlines, you must have a regular cadence of meetings with your MSSP focused on the things that matter most to your business at any given point in time. Ideally, these meetings are weekly and are aligned with the initiatives underway within IT and Security, not just focused on the tools that the MSSP brought to the party. In our experience, the MSSP relationship is a combination of managed services and staff augmentation. Staying with the same example of NIST 800-171 compliance, if you are struggling to implement all 110 security requirements, then drive your MSSP to help at a minimum and, ideally, to lead the effort. Eliminate redundant meetings for your already oversubscribed team by incorporating your compliance and operational project management meetings into your weekly MSSP meetings. Create an integrated project plan with specific accountabilities for your team and the MSSP. Your MSSP should be working on your agenda, not driving theirs. If implementing Multi-Factor Authentication or Privileged Account Management is an internal priority for your business, a great MSSP will make it a priority for their business.

Partnering with the Right MSSP for Your Business

None of this is easy, but nothing worth doing ever is. Contractually, it’s hard to create this kind of defined yet flexible arrangement, and it generally requires an acceptance that, outside of the core service offerings, there will be a shifting list of priorities that you are going to rely on your MSSP to tackle. Not every MSSP is going to have the staff or program management skills to partner this way. If you have had a series of successful engagements and measurable outcomes with a professional services partner that knows your people, processes, and technologies but doesn’t show up on the “Top MSSP” list of the day, weight your own experience over the pay-to-play marketing that dominates our industry.

To better understand what it means to contract for Managed Security Services that matter and what that experience can look like for your business, schedule a 30-minute introductory call with CyberSheath today and start your journey by focusing on outcomes instead of checklists.

