The ominous volume and seriousness of cyber threats, coupled with an acute, long-term shortage of trained cybersecurity professionals, have made it highly probable that your company will be outsourcing some — or all — of its cybersecurity work. Only the world’s largest businesses can handle security 100% internally, and even those have started to use Managed Security Services Providers (MSSPs) for selected tasks.
However, it can be challenging to find the right MSSP for your particular business.
Nemertes, the technology analyst firm, is helping security and IT leaders address this problem with its new MSSP Buyer’s Guide and accompanying infographic. These help clients evaluate potential providers, including those offering Managed Detection and Response (MDR) and Security Operations Centers-as-a-service, also known as SOCaaS. Their suggested criteria range from basic elements of operational excellence like depth-of-bench and process maturity to more sophisticated, and important, issues like competency with advanced security tools including machine learning, behavioral analytics, and “artificial intelligence (AI).” Here’s a recap of Nemertes’ top tips.
If I were to look into a crystal ball and make a prediction for 2022, I would say an MSSP, MDR service or SOCaaS is in your future. Nemertes analysts agree, because the alternative is to take on what amounts to an open-ended expansion of your cybersecurity staff, toolset, and budget. The escalating threat environment is just one driver of this reality. There have also been major shifts in compliance requirements and in how IT assets are deployed, both of which affect security risk, policies, and processes.
The days of the traditional enterprise, with a clear perimeter, are over. Nemertes studies tell us that since 2020, more than half of enterprise workloads are running outside enterprise data centers. Why? Factors include remote work, cloud applications, more use of personal devices on company WLANs, the “Internet of Things” (IoT), as well as the accelerating pace of software releases from DevOps and related methodologies. All of this makes security far more challenging.
It will be difficult, if not impossible, to recruit and retain enough people who have the skill sets to keep such distributed and technologically varied environments secure. And, even if you can find the talent, it may not be financially feasible to have a large SOC staff to monitor incidents and respond on a 24/7 basis. Managing security can put companies in an endless responsive mode that Nemertes describes as a “whack-a-mole” situation that benefits no one. So, you can see why outsourcing security tasks starts to look very appealing when all of these issues are taken into consideration.
What makes for an effective MSSP, MDR service, or SOCaaS? Every client will have to find a service provider that meets its distinctive requirements. However, as Nemertes lays out in their paper, the best practice is to assess prospective vendors according to criteria that include the basics, as well as more nuanced qualities like their ability to work with a risk-based approach.
Any MSSP worthy of serious consideration must offer the core elements that form the foundation of the relationship. These include:
An MSSP will ideally offer a tool chest of ready-to-go technologies, allowing the client to select the ones they need to fill any gaps in their existing security investments. Most companies already have their own tools, and the best providers will integrate with those rather than asking clients to rip and replace.
For instance, Masergy offers a toolbox covering network, cloud, and endpoint security:
Flexibility is key for cost savings and for gaining wide security awareness, but equally important are the back-end technologies the provider uses behind the scenes of their SOC operations. MSSPs should leverage:
Another area to probe is the MSSP’s ability to help your organization with important security frameworks. Can an MSSP, MDR service or SOCaaS be a strategic partner in improving your security through the National Institute of Standards and Technology (NIST) Cybersecurity Framework, Center for Internet Security (CIS) controls, a Zero Trust architecture and the like? Providers should be intimately familiar with these best practices and able to help you implement and improve your security program by aligning it with such well-respected, systematic security frameworks.
A risk-based approach is helpful in an MSSP relationship, so it is a valid criterion for vendor selection. The idea here is to frame the MSSP’s services and responses in terms of risk, such as financial impact on your business. By taking a risk-based approach, you and the MSSP can come to an understanding of what each threat response should be and what does not constitute a real threat. This way, you can avoid wasting time and resources on low-risk issues.
You’ll also have to take care of “your side of the street,” so to speak. For instance, if your team doesn’t have its own security processes in order, for things like escalation and notifications, then adding an MSSP to the mix can complicate things. At a minimum, you’ll struggle in the onboarding phase of the relationship. On a related front, you need to understand your own security objectives and sense of risk before you engage with an MSSP. The MSSP could help you develop a risk “heat map” to determine your focal areas (what needs the most protection) and most valuable digital assets, but it’s a good idea to discuss this before you bring on a new vendor.
Choosing the right MSSP, MDR service or SOCaaS may turn out to be a challenging endeavor. But, given the importance of the relationship, it’s worth making the investment of time up front to avoid trouble down the road. I invite you to explore the Nemertes MSSP Buyer’s Guide, a methodical and insightful approach to making a decision that will bode well for your security posture going forward.