When shopping for a Managed Security Services Provider (MSSP), there are plenty of checklists that you can download to help funnel you right to that vendor’s particular product. This isn’t that blog post, although at some point I am sure we have published one too. While checklists are helpful in narrowing down the capabilities and tools that you want to add to your probably already too big portfolio of tools, the focus should really be on the services that you will be adding to your existing team.
Candidly, the capabilities are generally similar across MSSP’s and cover some kind of SIEM platform, monitoring, incident response (IR), vulnerability management (VM) and a number of other competencies that are bundled into a managed service offering. They are bundled in part because these are what the vast majority of business lack and need, but also because the bundling enables sales, at scale, for product vendors and MSSP’s. It’s been our experience that the material difference from one product vendor or MSSP to the next, in your favorite version of a Magic Quadrant, covers features and capabilities that don’t ultimately make your business more secure or compliant. Often, it’s a distinction without a difference, especially for a security program that is still struggling with the blocking and tackling of cybersecurity-related patching, asset management, and incident response. So, beyond checklists, “threat hunting” and “advanced intelligence platforms”, where should your business focus when trying to make a mid to long term commitment with your first or a new MSSP?
Where Should Your Business Focus When Deciding on an MSSP?
Start with service, as in the service your business specifically needs to extract value from the MSSP relationship. The service your business needs are, in fact, unique to your business. If it wasn’t, you could pick the first Google Ads result that comes up (which isn’t the best MSSP for your business, just the best MSSP at creating Google Adword campaigns on any given day). Instead of analysis that is overly focused on the most advanced capabilities and toolsets, it will pay dividends to meet with a potential MSSP and align their offering with your business requirements. Selecting an MSSP is a business decision, even if the vendor marketing is geared towards making it a technology decision. For example, if you are in a highly regulated industry like Defense Contracting, and NIST 800-171 compliance is fundamental to your ability to win business, your MSSP should have core expertise in delivering on these security requirements. The technology, SIEM, VM, IR, etc. are a given but the ability of your MSSP to enable documented, automated and auditable compliance with your customer requirements isn’t. Ultimately, the MSSP you choose in this scenario should make compliance a natural outcome of day-to-day security operations so that over time you can focus more resources on actual defense. What does this look like in practice?
Achieving Compliance as a Natural Outcome of Day-to-Day Security Operations
For most businesses, it doesn’t look like a laundry list of acronyms and industry jargon about threat intelligence and advanced threat hunting capabilities. It looks like an integrated team, your internal staff (to the extent you have one) and that of your MSSP, working together on a weekly basis to deliver measurable outcomes over time. The tools leveraged by your MSSP can produce beautiful charts and endless trends but the critical questions to answer relate to outcomes achieved. It’s nice that an MSSP can tell you the top 10 vulnerabilities in your environment, but the outcome you should be focused on is remediating those vulnerabilities. If your team is too busy to patch or otherwise remediate the “top 10 vulnerabilities”, you just end up with a pretty graphic that doesn’t make you more secure or compliant.
To drive outcomes, instead of charts and trendlines, you must have a regular cadence of meetings with your MSSP focused on the things that matter most at any given point in time to your business. Ideally, these meetings are weekly and are more aligned with the initiatives underway within IT and Security and not just focused on the tools that the MSSP brought to the party. In our experience, the MSSP relationship is a combination of managed services and staff augmentation. Staying with the same example of NIST 800-171 compliance, if you are struggling to implement all 110 security requirements then drive your MSSP to help at a minimum, but ideally lead the efforts. Eliminate redundant meetings for your already oversubscribed team by incorporating your compliance and operational project management meetings into your weekly MSSP meetings. Create an integrated project plan with specific accountabilities for your team and the MSSP. Your MSSP should be working on your agenda and not driving theirs. If implementing Multi-Factor Authentication or Privileged Account Management is an internal priority for your business, a great MSSP will make it a priority for their business.
Partnering with the Right MSSP for Your Business
None of this is easy, but nothing worth doing ever is. Contractually it’s hard to create this kind of defined yet flexible arrangement and it generally requires an acceptance that outside of the core service offerings there will be a shifting list of priorities that you are going to rely on your MSSP to tackle. Not every MSSP is going to have the staff or program management skills to partner this way. If you have had a series of successful engagements and measurable outcomes with a professional services partner that knows your people, processes, and technologies but doesn’t show up on the “Top MSSP” list of the day, weight your personal experience over the pay to play marketing that dominates our industry.
To better understand what it means to contract for Managed Security Services that matter and what that experience can look like for your business, schedule a 30-minute introductory call with CyberSheath today and start your journey by focusing on outcomes instead of checklists.