Foresite expert on navigating the MSSP jungle



Managed Security Service Providers (MSSPs) offer major benefits but choosing the right one for your business requires careful consideration. Marc Brungardt, President and Co-founder, Foresite, talks us through some of the key considerations for CISOs looking to utilise the benefits of an MSSP. 

As companies struggle to keep up with evolving cybersecurity threats and rapidly changing industry compliance requirements, many businesses are turning to Managed Security Service Providers (MSSPs) to bolster their cybersecurity posture.

Why? Building and maintaining an effective cybersecurity programme requires significant investment in personnel, technology and infrastructure.

Technology can be acquired easily enough; staffing and operationalising those investments is where things quickly become challenging. The latest outlook on cybersecurity jobs indicates a worldwide shortage of nearly three million staff. This shortage has created a crisis as demand for security professionals continues to soar to unprecedented heights.

Recruiting, retaining and having enough of the right experience to cover all the varied needs for an effective cybersecurity programme in today’s market is a daunting task. For the average business it simply doesn’t make sense financially to go it alone. Enter the MSSPs.

MSSPs specialise in delivering cybersecurity as a service. Mature MSSPs typically operate one or more security operations centres (SOCs), which run around the clock and are staffed by experts in many areas of cybersecurity and compliance. In contrast, many in-house security programmes are only staffed during business hours and often lack the breadth of skills needed to deal effectively with every cybersecurity issue a business is likely to face. MSSPs provide elevated vigilance around the clock because threats don’t take nights, weekends and holidays off. More importantly, an MSSP’s ability to bring many different skilled resources to the table at short notice is a significant advantage for small teams.

MSSP services vary widely between providers and may include monitoring and alerting, device or policy management, incident response, threat hunting and more. Service level agreement (SLA) options may vary as well between providers.

For instance, here at Foresite we provide monitored, co-managed and fully-managed service models where we can either act as an extension of our customer’s IT department or we can fully own the function depending on the goals of the relationship.

Cybersecurity compliance frameworks vary by region and industry, but fundamentally they all impose, more or less, many of the same requirements, including monitoring corporate infrastructure, storing logs, and handling incidents and events. With this mandate, companies must decide whether to fulfil these needs internally or outsource some or all of the functions to an MSSP.

The cost benefit of outsourcing to an MSSP versus a DIY model is usually significant, with many businesses saving upwards of 50% once software licensing, staffing, storage and facility costs are taken into account. Pricing models also vary among MSSPs: some providers charge based on throughput, some per device, and some even on staff augmentation in conjunction with SIEM solutions.

At Foresite, we don’t provide staff augmentation and we only deliver services via our proprietary ProVision platform; however, we can and do provide both throughput and device-based pricing depending on the circumstances. We have found that most customers prefer device pricing as it provides CIOs an easy and quantifiable way to allocate budget to security operations as a service.

Once a company has decided to partner with an MSSP, choosing the right one will make or break the success of the initiative. We have compiled a short checklist of areas to consider while evaluating your options, to help you avoid common pitfalls:

  1. Gain an understanding of what software underpins the MSSP solution
  • Everyone wants to be in the MSSP business; however, MSSP platforms are not commercially available for purchase. Instead, many MSSPs are resigned to piecing together several off-the-shelf solutions, many of which are not intended or designed for a multi-tenant MSP environment. This can lead to scalability issues, customisation limits discovered only after the service is live, and high licensing costs passed on to you.
  2. Thoroughly evaluate the MSSP’s portal
  • Most, but not all, MSSPs provide a customer portal. A large part of your customer experience will derive from the capabilities it contains. For example: is it intuitive, easy to use and navigable? Can you get the right reporting for your business? Can you drill into raw log data on demand, or does your MSSP need to package it up and send it to you (in our experience, that will be after the point at which you need it)?
  3. Evaluate references and experience
  • Let’s face it, talk is cheap and experience counts. Take the time to speak to real customers to understand the value the MSSP delivers and the relationship it maintains with its customers.
  4. How seriously does the MSSP take its own security?
  • An MSSP will have access to sensitive areas of your network and should be managed as a critical vendor accordingly. Understanding which compliance frameworks your MSSP holds and has been attested against will say a lot about its readiness to be given access to your network. At a minimum, look for a third-party audit from an industry body such as ISO. This validates that appropriate controls are in place and that the company follows industry best practice in evaluating its own business processes.
  5. Where is the service delivered from?
  • Many service providers look for the cheapest places in the world to locate operations centres, where English may or may not be the first language. Be sure you are comfortable with the regions you will be interacting with daily. More importantly, understand where your data resides. Many business and government entities have regional restrictions on where data can be stored and accessed.

Lastly, here are a few tips to help ensure you achieve the benefits and value you are looking for from your MSSP:

  1. Be realistic
  • Your MSSP doesn’t provide a magic veil that will negate all your security risks. In large part, your MSSP’s effectiveness will depend on the technologies your company has invested in within the managed service, and on how well they are tuned.
  2. MSSP partnership success is a two-way street
  • Effective and clear communication is critical for success. You or your team will have to work with the MSSP on a regular basis. It is important that your team is prepared to make access available, answer questions, participate in changes, and so on.
  3. You still own the responsibility for your company’s security
  • Partnering with an MSSP doesn’t remove your responsibility for owning the security outcome of your business. Your MSSP is your partner in helping you achieve the best outcome for that goal.
