Managed Security Service Providers (MSSP) – the agony of choice
The market for Managed Security Service Providers (MSSP) is large and confusing. This makes it all the more important that the RFP process follows clear standards.
With hundreds of potential vendors and a lot of marketing buzz, the Request for Proposal (RFP) process for selecting the Managed Security Service Provider (MSSP) that best fits a company’s specific needs is no easy task. At the same time, board members are increasingly resisting security spending and want evidence of actual risk reduction, which makes a careful evaluation of a suitable partner all the more important. Decisions should be made according to objective, evidence-based criteria.
To help cut through the jungle of offers and service providers, the specialists at Kudelski Security point out eight considerations that should be taken into account when evaluating managed security services.
1. Should attacks be detected and rendered harmless, or is it just about fulfilling compliance goals?
Which goal should be fulfilled with the help of the service provider? Is it primarily about compliance with regulations, or should the number of successful attacks actually be reduced? The unfortunate reality of the current threat situation is that compliance usually lags behind attack tactics: by the time a regulation is adopted, the methods of attackers have already moved on. Simply put, if it’s all about regulatory compliance, the cheapest provider should be chosen.
However, if a careful assessment of the organization’s cybersecurity shows that it can benefit from better security, the partner who can best identify and respond to risks and attacks should be chosen. The costs are probably higher than for mere regulatory compliance, but the risk of an attack is reduced more effectively and sustainably than if compliance is the only goal.
2. More visibility leads to better detection and response
A decisive factor in today’s IT environments is that infrastructures are becoming more diverse and decentralized, systems are increasingly interconnected, and attack surfaces keep growing. Effective monitoring and detection of threats is impossible without security telemetry and visibility into the environment: what is not logged cannot be detected. Here it may be useful to commission an independent expert to carry out an assessment, which gives decision-makers a better and more objective overview.
Security officers should choose a provider that detects and eliminates blind spots in order to create visibility and achieve the set goals. The service provider should also have expertise and experience in several technology environments, such as on-premises infrastructures, cloud environments, endpoints, industrial control systems (ICS) and operational technology (OT). In addition, it should be ensured that the security provider has experience with the systems actually in use in the company, so that log data can be collected from them and vulnerabilities eliminated.
3. Pay only for what is needed
Once a provider has been found who meets the requirements, can meet the goals and already has experience with similar environments, further discussions should be held. Even if the first offer does not fit the budget, a lot can still be achieved by clever negotiation. Often it is enough to reduce the scope of the contract. The most valuable functions are those aimed at detection and response. Lower-level tactical activities – for example, the management of password resets, vulnerability management or an IAM solution – can be cut from the contract without the performance of the managed detection and response provider suffering. However, this must not come at the expense of security visibility into the essential business functions. The main provider must always have a complete overview of all processes. If critical functions are outsourced to other companies, the service provider can no longer react to attacks as quickly and effectively as necessary.
4. Weigh up carefully which functions to retain and which to outsource
In some cases, it makes sense for the internal IT or security team to take over some routine tasks. On the one hand, this is cheaper; on the other hand, in-house employees have company-specific knowledge, which can make them much more effective than external providers.
Detection engineers in particular are highly sought after, difficult to find, and expensive to train and keep current. Since they need extensive knowledge of endpoints, operating systems, cloud infrastructures and all the other tools and technologies in use, it often makes sense to hand this task over to an MDR service provider who has access to that talent. Such teams usually have many years of experience and are continuously employed and trained.
5. Results are decisive, not the most attractive technologies
The cybersecurity industry continues to develop at breakneck speed. However, one should not be blinded by the promises of new technologies. Often, consistently implementing the basic measures already delivers the hoped-for effect. This means that visibility and the ability of teams to detect and respond to threats must be improved, rather than relying on trendy new technologies.
6. Replace old technologies only when it makes sense
The latest and greatest tools and technologies don’t automatically add value to a business. In some cases, however, an upgrade may be worthwhile. It never hurts to refocus on the security goals. It is unlikely that a high-quality MDR provider will be able to work well with every SIEM or cloud security platform. On the contrary, anyone who claims to support all the technologies their customers use is either dishonest or ineffective. Decision-makers should have an honest dialogue about the possibilities and limitations of their systems and weigh up which provider can support them best.
7. Evaluate offers and statements of work (SOWs) on the basis of meaningful SLAs: do they contribute to the security goals?
Service level agreements that are not meaningful are all too common today. If the desired result is to detect and respond to the spread of ransomware in the corporate environment quickly enough, does the volume of resources allocated to the account really matter? Only metrics that are meaningful for that result and can actually be measured should be used.
8. Decisions should be made by those who understand both the business risks and the desired results
All too often, purchasing has the last word when choosing a service provider. Procurement departments often strive to achieve business goals at the lowest possible cost, and may not understand the nuanced differences between vendors or the security goals the company wants to achieve. Security officers should make the final decision, or at least be heavily involved in it. Only they can accurately assess how well the service provider will support them and what impact a failure of the security systems would have on the business goals.
About Kudelski Security
Kudelski Security is the most important security consultant and innovator in the field of cybersecurity for security-conscious companies. Through its approach of long-term partnership with customers, Kudelski Security can continuously assess the security situation of companies and recommend solutions that reduce business risks, ensure compliance and generally improve the effectiveness of security measures. Among its clients, which include Fortune 500 companies and government agencies in Europe and the United States, Kudelski Security works in the most complex environments and uses a unique combination of solutions that includes consulting, technology, managed security services and custom innovations.