The threat landscape has changed dramatically in recent years, with a shift from protection being the default stance to one where assuming a state of compromise has now become the foundation of the cyber security strategy for many CISOs around the world. While Identify & Protect activities clearly have their place, this shift in mindset has placed a huge focus on Detect, Respond & Recover activities for cyber events, working to contain threats as they materialise in the hope they can be eradicated before they become business impacting.
Unfortunately that’s not the reality. The proliferation of attack techniques has made this a challenging ask, and this coupled with a highly competitive market to recruit the best security skills has seen many organisations turn to MSSPs for help in defending against the most determined adversary. Having held senior management roles in both the end user space and in the MSSP arena I have experience in the challenges faced at each end of the service.
Unfortunately a common gap I have seen in working within both end user and MSSP environments is the lack of business partnering. An MSSP needs to truly understand a customer to be considered an extended part of their team. Business partnering is much more than a monthly service review to show performance against SLAs; it is a recognition of changing business requirements and adapting to those needs in order to help the customer navigate the competitive landscape they operate within. As the customer aligns their security strategy to underpin an evolving business strategy, the MSSP needs to align with them. Remember, the MSSP will not initially have a view of which risks take priority, so there is much work to do by both the end user and the MSSP to achieve alignment. All too frequently the MSSP turns its attention towards maintaining SLAs only, in the hope that delivering against those is enough to retain the customer's confidence. While this may suffice as a service provider, the MSSP will typically struggle to make the leap into business partnering.
Cyber Security Services
The reason many organisations become unsatisfied with MSSPs is partly down to a lack of understanding of the customer’s expectations and a lack of understanding on the customer’s part of the MSSP’s services. Some MSSPs deliver their service using the same approach as any other IT managed service, it just happens to be security technology being managed. The relationship here normally goes along the lines of commencement of the service followed by benchmarking against expectations. At some point in the lifecycle the service starts to deteriorate, and after more than a few escalations the service provider sends in the account lead to wrap their arms around the service, produce a service improvement plan and get things back on track.
While this may work for a traditional managed IT service, the problem with using this approach in the MSSP world is that deterioration in a cyber security service can result in serious consequences for the end user organisation. Each party therefore needs to fully understand the objectives to be achieved in a client-MSSP relationship. The end user organisation typically has risk reduction at the top of their list, followed by augmentation with the best security skills and tooling in order to detect & respond quickly to cyber events. Other objectives include cost reduction and the ability to flex security resources up and down during busy periods, while some MSSP engagements extend to threat intelligence services.
Documenting those expectations as requirements goes without saying, but remember that requirements will change with the threat landscape, and as the adversary develops new ways to achieve their financial goals, defenders must be equally creative in detection techniques. This is where the strength of the MSSP relationship is tested. If the MSSP is ahead of the game, detects the new threat as it appears on the landscape and takes the lead on working with the customer to develop the security controls required, then they take the relationship to a whole different level. I'm not simply referring to a new vulnerability here, but rather a new attack technique which requires some development work to detect. At this point the MSSP becomes a thought leader, bringing a level of insight and risk reduction to the customer that may be missed without the relationship. The MSSP at this point is considered an extended part of the customer's security team, a business partner.
Expectations of the customer do need to be aligned however, as unless you're paying a premium for ring-fenced resource then you'll be receiving a shared service. I have operated globally shared security services in a follow-the-sun model, domestic in-country services for local language support and ring-fenced services for premium customers. There are cultural differences to consider in a global model, as not all regions are equal in their approach to a problem.
In summary, if the customer enters the relationship with this understanding, then whether it's help with augmenting the skills in house to manage their security technology stack, a hybrid approach of triaging cyber events only, or a fully managed service from the MSSP for the whole lifecycle of security services, the key to a successful relationship is business partnering.