How to Choose the Right MSSP for Your Organization
We’ve written blog posts on the 5 Benefits of an MSSP, The REAL Benefits of an MSSP, and a two-part series on How to Improve Your Security Operations Center. However, because the security landscape is constantly changing, technology keeps improving, and the partnership between an MSSP and the internal IT security organization is always evolving, we wanted to offer a different perspective. Bill Boni wrote our last two blog posts; as the former Senior Vice President of Information Security at T-Mobile USA and Corporate Security Officer at Motorola, he gave us a head of security’s view on what makes a good MSSP for your organization.
The 5 Benefits of an MSSP
The REAL Benefits of an MSSP
How to Improve Your SOCs Effectiveness – Part 1
How to Improve Your SOCs Effectiveness – Part 2
How Do Organizations Leverage MSSPs?
Before we start with Bill, let’s look at what IT security teams are saying about their current and upcoming needs. In Kaspersky’s latest study of more than 5,000 IT professionals, they found that organizations of all sizes are increasingly turning to managed security service providers (MSSPs) and managed service providers (MSPs) to augment their internal IT security teams.
The benchmark Global Corporate IT Security Risks Survey found that approximately 70% of the organizations surveyed plan to outsource security to an MSSP or an MSP during the next 12 months. The report is the fourth in a series on IT security economics from Kaspersky. Nearly 75% of the companies turning to MSSPs or MSPs said that outsourcing would likely reduce their security-related costs. In addition, 22% of small-to-medium-sized businesses and 26% of large organizations pointed to outsourcing as a top reason for reducing their IT security budgets.
The study also suggested that one of the top reasons organizations rely on MSSPs and MSPs is that they require “specialized expertise.” Here at SecureOps, we are seeing increased demand for ongoing services such as third-party management of firewalls, IDS/IPS, and SIEMs, as well as posture assessments. Being able to install, configure and manage technology like a SIEM is a specialized skill that many organizations do not have in-house. Organizations are also asking for point-in-time professional services such as penetration tests, compliance assessments, security posture assessments, and help with their vulnerability management processes.
Finally, the study found that, in addition to cost effectiveness and specialized expertise, organizations also needed help with the complexity of business processes (41%), scalability (34%), compliance requirements (38%), and the efficiency of delivering cybersecurity solutions (50%).
Additional findings from the study include:
- 52% of enterprises and 45% of SMBs have a dedicated IT security department.
- 20% of enterprises have an internal security operations center and 14% employ a special malware analysis team.
- 44% of enterprises have a security function that is managed as part of a wider IT department, compared to 50% of SMBs who rely on this particular setup.
- In addition to a SOC, 17% of companies said that they have dedicated threat intelligence teams and 8% employ a dedicated malware analysis team.
- 67% of all businesses expect that their investments in IT will grow in the next three years. Among them, 37% of enterprises are driven by a desire to improve internal specialists’ expertise.
What CISOs, CIOs and Heads of Security Want from an MSSP
Bill provided an interesting perspective concerning the type of benefits and insight heads of security look for when they partner with an MSSP. “I’ll start with the problem that many of us have had over the past few years to illustrate the assistance my IT security teams require from our MSSP partnerships. Organizations have been in acquisition mode in many industries, particularly in the technology space. One of the issues with merging companies is consolidating IT security people, processes, and technology. For example, in a single acquisition, our organization found itself with over 120 different security technologies.
I’m sure I don’t need to tell you that not even Fortune 100 organizations like those I’ve been a part of need anything close to 120 security technologies. In addition to consolidating the technologies, we had to find the right people within the new, combined organizations to manage the technology. Finally, both organizations had two separate security processes including how we handled incidents, our network security design, vulnerability management processes, and risk management policies. So, with this merger of equals, we had to address massive technology, people, and processes and we had to do it in a hurry because, as you know, bad actors are constantly looking for opportunities to strike.
Our first task was to trim the number of security technologies and we needed expertise concerning which technologies would be the right fit for our layered security solution. I knew I was not going to get the independent advice I needed from the vendors like Cisco, Fortinet, or Palo Alto; I had to find experts that would provide unbiased, intelligent advice. I did. The MSSP I partnered with had the experts and resources to help us design a new, best-in-class security solution from all of the security technologies we inherited as well as the solution we had in place.
I don’t know that I can emphasize how critical it was to have a partner that could provide expertise and guidance at every turn. They provided expertise on technology and supplemented our overworked staff so I could keep our organization engaged and limit their responsibilities to something manageable. They tailored solutions across our environment and SOC to fortify our solution with the right resource at the right time.
The bottom line: for an MSSP to be a successful partner, it needs to be flexible, have a diverse array of expertise, contribute in a timely manner, provide unbiased recommendations, and ultimately tailor security solutions to the needs of the client. Most MSSPs that I’ve worked with want to provide a single solution at the beginning of the relationship, sign the contract, and only change the solution with a work order that often comes with long lead times and high costs. There is no way that model will work in this dynamic security environment. Our stakeholders demand security protection delivered in a cost-effective manner; that is good risk management.”
Five Questions to Ask Your Managed Security Services Provider
We want to make this blog post actionable for our readers. We provided links to our other blog posts on improving and selecting an MSSP above; here we also want to give you a place to start in finding the type of partner Bill described in the last section. We know that the lack of cybersecurity talent, coupled with the increasing complexity of threats and networks, a heightened regulatory environment, and an accelerating pace of innovation, is driving many organizations to look outside their walls for cybersecurity protection.
We also know that finding the resources to address the evolving cybersecurity landscape effectively can be challenging. Making the protection challenge even harder, today’s attacks are stealthier than ever. To understand and protect against them, organizations need to mobilize all aspects of their defenses to focus on the threat, including services.
It’s about gaining visibility and control across the extended network and the full attack continuum – before an attack happens, during the time it is in progress, and even after an attack may have been successful, with information stolen or systems damaged. This new threat-centric model is driving changes in cybersecurity technologies, products, and services alike.
In the Gartner 2021 CIO Agenda Survey, cybersecurity was the top priority for new spending, with 61% of the more than 2,000 CIOs surveyed increasing investment in cyber/information security this year. Security services, including consulting, hardware support, implementation, and outsourced services, represent the largest category of spending in 2021, at almost $72.5 billion worldwide.
The first wave of managed security service providers (MSSPs) focused on getting products and tools up and running, maintenance, upgrades, and training. But today, effective cybersecurity services need to be based on an in-depth and continuously evolving knowledge of the threats themselves, not just the operations of the technology. Reflective of a new era in how we must address cybersecurity, some industry analysts are starting to call this next wave of security services MSSP 2.0.
Based on in-house security skills, budget, and competing business priorities you may choose to outsource more or less of your cybersecurity needs. Wherever you fall on the outsourcing continuum, when evaluating managed security services, the following five questions can help ensure you get the support you need to stay focused on the threat.
1. Is the team that the MSSP is assigning to your organization dedicated?
With many industries’ increased dependence on technology and sensitive data, the need for 24/7 system monitoring is growing. Managed security services provide this non-stop monitoring, as well as other ongoing cybersecurity management tasks. The problem many organizations have with the MSSPs they choose is constant churn on the assigned team. There is a significant learning curve to every organization’s people, processes, and technology; untrained, outsourced staff increase the probability that a mistake will be made. If they don’t know your event escalation process, how to handle alerts from your technology, or how to mitigate a threat when the full-time staff is not available, the chance for error certainly increases.
2. Who is creating the Service Level Agreements (SLAs) and can they be changed?
Creating service level agreements (SLAs) may not be the most exciting aspect of a managed security services provider’s role; however, it is an absolutely essential part of the client relationship. An SLA document is usually broken down into several categories based on the priority level of submitted support requests, each with a minimum response time and a minimum time-to-resolution value.
Every SLA should include specific performance metrics, like incident response times. Metrics should be realistic, easy to quantify, and relevant to the client! (Sorry about the exclamation point, but many MSSPs use boilerplate SLAs across all the clients they serve.) Obviously, every client is different: some have their own incident response capabilities, security analysts, security engineers, and so on, and do not require SLAs in those areas. They may, however, require SLAs in other areas because of industry, country, or state compliance requirements.
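If the metrics are “easy to quantify,” you should be able to measure the MSSP against them from your own ticket data rather than taking the provider’s monthly report on faith. The following is an added example, not code from this post or from SecureOps, of a small SLA-compliance check: it reads ticket records (a constructed sample is embedded), judges each ticket’s response and resolution clocks against per-priority targets, and reports compliance percentages plus every individual breach. The priority tiers, target values, and record format are assumptions for illustration; replace them with the numbers in your own SLA.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical SLA targets per priority: (max time to acknowledge, max time to resolve).
# These values are assumed for the example; use the figures in your own contract.
SLA_TARGETS: Dict[str, Tuple[timedelta, timedelta]] = {
    "P1": (timedelta(minutes=15), timedelta(hours=4)),
    "P2": (timedelta(hours=1), timedelta(hours=24)),
    "P3": (timedelta(hours=8), timedelta(days=5)),
}

# Constructed sample tickets: id|priority|opened|acknowledged|resolved (ISO-8601, "-" = not yet).
SAMPLE_TICKETS = """\
INC-1001|P1|2024-03-01T02:00:00|2024-03-01T02:10:00|2024-03-01T05:30:00
INC-1002|P1|2024-03-01T09:00:00|2024-03-01T09:40:00|2024-03-01T12:00:00
INC-1003|P2|2024-03-02T14:00:00|2024-03-02T14:30:00|2024-03-04T16:00:00
INC-1004|P3|2024-03-03T08:00:00|-|-
INC-1005|P2|2024-03-05T10:00:00|2024-03-05T10:20:00|-
"""
# Fixed "now" so the example is reproducible offline.
NOW = datetime(2024, 3, 5, 12, 0, 0)


@dataclass
class Ticket:
    ticket_id: str
    priority: str
    opened: datetime
    acknowledged: Optional[datetime]
    resolved: Optional[datetime]


def parse_ticket(line: str) -> Ticket:
    """Parse one pipe-delimited ticket record into a Ticket."""
    tid, prio, opened, acked, resolved = [f.strip() for f in line.split("|")]

    def ts(value: str) -> Optional[datetime]:
        return None if value == "-" else datetime.fromisoformat(value)

    return Ticket(tid, prio, datetime.fromisoformat(opened), ts(acked), ts(resolved))


def evaluate(ticket: Ticket, now: datetime) -> Dict[str, str]:
    """Judge the response and resolution clocks of one ticket.

    Each clock is 'met', 'breached', or 'open_within_sla'. An open ticket is
    judged against the current time, so a ticket the MSSP has silently ignored
    still shows as breached once its target elapses.
    """
    resp_target, res_target = SLA_TARGETS[ticket.priority]

    def outcome(end: Optional[datetime], target: timedelta) -> str:
        elapsed = (end or now) - ticket.opened
        if elapsed > target:
            return "breached"
        return "met" if end else "open_within_sla"

    return {
        "ticket_id": ticket.ticket_id,
        "priority": ticket.priority,
        "response": outcome(ticket.acknowledged, resp_target),
        "resolution": outcome(ticket.resolved, res_target),
    }


def sla_report(records: str, now: datetime) -> Dict[str, object]:
    """Aggregate compliance per priority and clock, and list every breach.

    Only decided outcomes (met/breached) count toward the percentage; tickets
    still open and inside their target are excluded rather than counted as met.
    """
    decided: Dict[str, Dict[str, List[bool]]] = {}
    breaches: List[Tuple[str, str]] = []
    for line in records.splitlines():
        if not line.strip():
            continue
        result = evaluate(parse_ticket(line), now)
        for clock in ("response", "resolution"):
            state = result[clock]
            if state == "open_within_sla":
                continue
            decided.setdefault(result["priority"], {}).setdefault(clock, []).append(state == "met")
            if state == "breached":
                breaches.append((result["ticket_id"], clock))
    compliance = {
        prio: {clock: round(100.0 * sum(v) / len(v), 1) for clock, v in clocks.items()}
        for prio, clocks in decided.items()
    }
    return {"compliance": compliance, "breaches": breaches}


if __name__ == "__main__":
    report = sla_report(SAMPLE_TICKETS, NOW)
    for prio, clocks in sorted(report["compliance"].items()):
        print(prio, clocks)
    for ticket_id, clock in report["breaches"]:
        print(f"BREACH {ticket_id}: {clock} target missed")
```

Run it against the sample and the still-open P3 ticket INC-1004 shows up as a response breach even though nobody has touched it, which is exactly the case a boilerplate monthly report from the provider tends to hide. Exporting your real ticket system to the same five-field format is usually a one-line query.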
3. How does the MSSP price its services?
MSSP service pricing has not become standardized the way it has in so many other consulting and service-delivery industries. Organizations have to be careful when signing a contract with an MSSP for a variety of reasons, including the critical fact that they will likely need services or staff augmentation outside what they contracted for. Many MSSPs do not have processes in place to provide that assistance quickly and cost-effectively.
Think of the Log4J/Log4Shell vulnerability mess, where that vulnerability had to be scanned for and patched on the majority of systems in most organizations. Very few organizations would have ever planned for this, but they had to patch and test the systems in a timely manner to avoid being attacked.
Based on my research, when MSSPs price by the user, the average costs you can expect to pay range from $99 per month to $250 per user per month. MSSPs also charge by device, data volume, or cloud service, or they may have tiered pricing based on the number of users and the expected services.
4. Who establishes the Objectives, Deliverables, and Processes?
This is just like SLAs: objectives, deliverables, and processes must be dictated by the client, not the MSSP. Every client has strengths and weaknesses; they need their MSSP to fill the gaps, and if the MSSP is too inflexible to match the needs of the client, cyber defense and compliance will suffer.
Consider the extraordinary shift to remote work when the pandemic hit. The attack surface for most organizations grew dramatically and IT security’s objectives changed in parallel. They were tasked with providing access to systems and sensitive data to new remote workers without creating risks. In addition, they had to handle a deluge of Covid-related scams which we discussed in an earlier 2-part blog post.
MSSPs have to be able to maintain flexibility to meet the needs of the client, changing threat environment, evolving technology, and internal and external compliance requirements.
5. Is the MSSP able to provide additional qualified staff quickly and cost-effectively?
The reason many organizations hire MSSPs simply boils down to the oft-bemoaned IT security skills shortage. Many IT security staffs find themselves overtaxed in trying to ensure systems are operational, and with new initiatives, such as migrating to the cloud or hybrid models, they simply lack the expertise or the time required for researching, installing, configuring, and managing security products and systems. Compliance initiatives that continue to ratchet up requirements, as well as an increasingly sophisticated threat landscape, also compound the problem.
Make certain you know what resources your MSSP partner can provide at a moment’s notice. It’s fine to have niche partners for policy development, training, education, and other responsibilities, however, your primary MSSP partner should be able to augment your staff in diverse areas quickly.
Given today’s business, regulatory, and cybersecurity challenges more and more organizations are looking for outside, expert help to protect their environments from cyber-attacks. By asking these key questions you can help ensure you’re staying focused on the threats themselves in order to gain the protection you need.
This blog post went a bit longer than I imagined when Bill and I got together to discuss what makes a great MSSP partner, however, the goal was to provide you with the information you needed to make a good decision without boring you to death; hopefully, we did that.
I love the episode of Seinfeld (40-second clip on YouTube) when Jerry loses his trusted auto mechanic David Puddy and is afraid his new mechanic may not be trustworthy. His good friend George Costanza provides excellent advice; I’ll paraphrase: “Of course they are going to screw you, that’s what they do. He could tell you they have to put in a new Johnson Rod; you have no idea.”
It is roughly the same with security services. There is no way you or your staff can know everything about every piece of security technology or every aspect of security including digital forensics, incident response, log management, compliance…I could go on. You need an MSSP that can be flexible, cost-effective, quick to respond, and above all trustworthy. Don’t hire the MSSP that would sell you that Johnson Rod.
To Learn More About How to Defend Against Malware Attacks or If You Have Been Attacked Please Call Us – as Always, We Are Happy to Help – 1 (888) 982-0678.
You Can Also Fill Out Our Contact Us Form Here to Talk with a Security Specialist – https://www.secureops.com/contact-us/