What makes a great managed security services (MSS) provider? Two simple phrases: so what and so long.
Suppose you, a business exec concerned about your organization’s cybersecurity defenses, scanned the online literature about cybersecurity trends. You’d find it rife with mind-numbingly huge numbers, provoking the proverbial fear-uncertainty-doubt (FUD) response. Terrifying statistics about millions of hackers with nothing better to do than probe your network while you run your business. Trillions of attempts on your firewall per second! 24/7! Gazillions of records exposed on the dark web. And on and on, zeros beyond counting.
By now, you’re sorry you ever investigated. Worse, you are no more enlightened about the reality of your situation than you were before.
So, you invite an MSS vendor in to help you understand. In full FUD fever from those frightening statistics, you sign a contract. And then you find yourself assailed with more of the same. Your morning dashboard blinks alarmingly with hundreds of alerts from your vendor, many with high severity (SEV) levels. You catch yourself muttering at your screen:
“So what! Will it impact us? Is it urgent? What action do we need to take? Whom do we need to inform? I don’t care how many times the firewall dropped an attack packet or how many times the SIEM set off an alarm. How many attacks were successful, and are we safe now?”
The discouraging fact is, your vendor, whom you thought you were paying to manage your information security events, has just handed you a massive homework assignment. And will do so again, every morning, proudly.
If your efforts determine that a high SEV alert is false, they tell you, “Oh great – glad nothing bad happened. We’ll tune the systems to screen out that false positive. We’ve got you covered.” On the other hand, if it turns out to be an actual event, it’s, “Good thing you have us keeping an eye on things!” Lose/lose for you, win/win for them.
If that’s what you’re getting from your vendor, you could get the same thing for free from your newsfeeds. You could read about all the threats, attacks, penetrations, and exfiltrations going on and still have to figure out: “So what – what does this or that threat or attack mean for my organization? Is it hot or hype? If it’s hot, we are vulnerable and need to act fast and effectively.”
If your vendor isn’t giving you the “so what” with your daily alerts, you have to treat everything every day as hot – an overwhelming obligation given the amount of FUD data that swamps your dashboard.
At quarter-end, are you getting a summary report that has you muttering again (millions of this, thousands of that, don’t worry, we’re keeping count, and all our SLAs are green)? Or are you getting a professional, useful quarterly business report that provides a thorough, un-FUD recap of the previous quarter’s significant events and a solid set of recommendations for what’s next? Where do we need to do better? What should our top priorities be? What’s coming down the pike for which we should prepare?
Protecting information security is a permanent endeavor, but your dependence on your MSS provider should not have the same permanence. Just the opposite. If they are not diligently working themselves out of a job and planning to say, “So long, we’ve transferred our expertise to you, it’s your show now,” they’re doing it wrong.
Why? Because the plain truth is that not even the best MSS provider can ever fully understand your business and its security needs as well as your internal people. No outsider sees your day-to-day business needs, challenges, and opportunities. They don’t know your customers. Their business alignment efforts will never equal those of your inside security professionals. Once your MSS shares its expertise and tools, you can achieve greater self-sufficiency.
There was a time when you could outsource all of your cybersecurity operations and sleep well. But today, when a company can be fined $5 billion for its security lapses, when boards of directors can incur personal liability, even criminal charges with potential imprisonment, and when CEOs are increasingly being blamed and punished for cybersecurity events, you want your MSS provider to be dedicated to helping your team become a cybersecurity powerhouse.
As for how you can tell if your vendor is sincerely working themselves out of a job, ask these questions:
- Do they lack a rigorous, transparent knowledge transfer process?
- Are they using “black boxes” that your people cannot operate or algorithms that only the vendor understands or can tweak?
- Are they using an interface to manage your environment that is different from the interface your team will use?
If yes, then they are, in fact, jeopardizing your security, not ensuring it. You will never develop the internal expertise to face the future with its never-ending, ever more sophisticated criminal attacks.
If you can’t gauge your vendor’s mindset yourself, ask your people – they know the rhythms of a contract with a vendor who prioritizes renewals over performance. The first year of the contract goes fine – the vendor delivers value, and your people are thrilled to have the help and learn new skills. In the second year, you can sense resentment building as your people and the vendors compete for recognition and control. By the third year, suspicion and unhappiness have bubbled to the surface. You suspect they are more focused on their revenue than your security, while they can no longer perform well without a cooperative internal team.
There’s a powerful irony to that process – such vendors do themselves a grave disservice. A willingness to say “so long” isn’t an eagerness to leave the client. It’s a mindset. It’s a commitment to deliver so much value and expertise to the client that the relationship endures. A vendor who does so much good for the client is not going to be lightly dismissed. By working themselves out of one job, they’ve elevated themselves to the position of trusted advisor. You look for them to help you grow profitably and bring novel ideas. Trusted advisors are invariably called upon to help with the next challenge and the next.