During a recent trip to the Gartner Security and Risk Summit in Sydney, I attended a session on how to select a Managed Security Service Provider (MSSP), which had some really good points on what customers need to understand when evaluating an MSSP.
Traditionally, Managed Security Service Providers (MSSPs) have offered security services such as managed anti-virus, managed firewall, and web filtering which consist of conducting tasks such as implementing new config, applying software/firmware updates and providing monitoring to determine if the software/device is functioning as expected.
But the security game has changed. Today, cyberattacks are a real concern for every business - not just those at the big end of town or in specific industries. Malware and ransomware attacks are now widespread. While the above-mentioned traditional activities are still important, when hit by a cyber-attack, organisations need additional support from their MSSP to identify and deal with an incident as most organisations don’t have large security teams or skillsets to do this on their own.
Evidence of a breach can quickly vanish, so if you don’t have someone on the case early enough, you might not have the data to analyse what went wrong. Dealing with a cyberattack requires a collaborative effort from the organisation and their MSSP and therefore it is important for organisations to evaluate the MSSP on what supporting services they offer as a part of their managed security services agreement as this could be the key capability that protects an organisation from damage at the time of an incident.
On the other hand, MSSPs need to realise this as well. As stated by a Gartner analyst at a recent presentation in Sydney, most MSSPs would treat a customer incident as just another ticket, but this no longer cuts it. If a customer has an incident, it should be regarded as an incident for the MSSP. When a serious incident occurs, often the customer can be in a state of panic, which is when they need their MSSP to go above and beyond to help the customer resolve the situation quickly.
At Content Security, we offer incident response services in conjunction with our managed services and therefore we can advise the customer on how to prevent a cyberattack from affecting their business. We also have threat monitoring built into our managed services to monitor for threats on a 24x7 basis. This helps us to detect the threat early and get the incident response team in to help our clients prevent a breach or minimise the damage from a breach. We can even provide evidence for the courts and media to ensure that customers are able to publicly share the right information, rather than being left to identify and report on what happened on their own.
In Australia, under the Notifiable Data Breach (NDB) scheme, organisations that have obligations to secure personal information under the Privacy Act are required by the government to provide a report on the breach, but the organisation’s priority usually lies with containing the breach and determining what’s happened. Furthermore, often the right skills are not available to organisations internally for analysis and reporting of incidents, which is where a MSSP can greatly assist.
Gartner states that part of the role of the modern day CISO and CSO is becoming a good project manager, as it includes engaging the MSSP that is equipped with the requisite skills to work together with the different departments within their organisation to solve an incident.
Businesses are subjected to cyber attacks on a regular basis, and either don’t have the resources or time to be constantly dealing with these issues - they want an MSSP to come in, identify and solve the issue and then guide them and advise them on how to prevent such issues in future.
So how do you select the right MSSP?
When selecting a MSSP, you want to be sure they can help in a variety of areas as cyberattacks can’t be predicted and are ever-evolving. Personally, I would prefer an MSSP with more skill sets than I need, just to future-proof my investment. Technology is good but how it is managed makes a world of difference in an organisation’s security posture. As a customer, if I have a long-term investment in specific technologies then I would look for an MSSP that has experience supporting the technologies I own along with the additional skill sets, but if I am at a stage of renewing the technologies or if vendor contracts are annually renewed then I should let the MSSP select and deploy the technology they prefer as I should focus on the outcome and not the technology being used.
Also, some organisations deal with multiple partners/MSSPs but when there is an incident, the challenge is to get these organisations to work together. It is generally better to deal with one provider with varied skill sets rather than multiple providers that each have a specialist skill because time is of the essence when dealing with an incident.
What KPIs should I be looking for?
Traditionally, customers look for Service Level Agreements (SLAs) - things like “How quickly can you do this? How many requests? What is the time to resolution?”, and so on.
However, Gartner states that this is changing. There’s been a shift in emphasis towards thinking about outcomes, rather than just SLAs. Organisations need to know what issues their prospective MSSP can resolve for them and what the outcomes would be delivered, prior to engaging their services.
Part of this process is the creation of certain use cases. Consider what can go wrong, such as the ransomware or an attack on your web application etc. and go to the market with these scenarios. Ask MSSPs how they would respond to these situations, what outcomes will they deliver and then decide on the best candidate.
By doing so, will help you to determine who will best serve you. Organisations need remediation and positive outcomes to cyberattacks, so by taking this course of action, you will see who is best placed to deliver upon those requirements.