As security risks increase, enterprises are hiring Managed Security Services Providers (MSSPs), but many are struggling to extract value from them
Enterprise adoption of Managed Security Services (MSS) is gradually maturing, making the rewards and risks of these services clearer for customers. A recent Forrester Research report, based on a survey of 140 MSSP customers, states that while some companies are using third-party security providers successfully, many are struggling to extract value from the partnerships.
On top of that, CISOs find it hard to justify the MSSP investment to non-security executives because of the lack of proper metrics and the complexity of the technology. The MSSPs themselves struggle to connect their offerings to the issues that matter to organizations, whether to customers or to stakeholders, and to show how those offerings support the business requirements.
Experts believe these issues arise primarily because organizations assume that managed security services are the same as outsourcing. In reality, most firms spend more time on security after adopting an MSSP, not less; the difference is that this time can go to higher-value activities such as tracking down serious threats and remediating vulnerabilities.
Data from 451 Research also shows that larger companies with well-resourced information security functions use MSSPs for security operations functions such as intrusion management and SIEM, and for incident response services such as managed detection and response.
If harnessed properly, a skilled MSSP can improve the organization's overall quality of protection and allow the existing in-house security personnel to focus on strategic and impactful tasks.
To succeed with an MSSP, enterprises need to address four risks when implementing the program.
Failing to assess security strengths and weaknesses
According to experts, the most significant risk in collaborating with an MSSP is choosing the wrong provider, one that does not clearly augment the company's own teams. Organizations first need to understand their own capabilities so that they know which gaps an MSSP can address.
Another common mistake is relying heavily on the MSSP to understand the company's internal IT environment. If the enterprise does not own the process and conduct its own risk assessments, there is a high chance that things will fall through the cracks.
Not being prepared for information asymmetry
Companies generally hire MSSPs to perform tasks for which they have no in-house skills, which also leaves them less able to assess whether the vendor is meeting its SLA and delivering quality work. This information gap is a significant problem with many managed service providers.
Limited analytics and integrations
In many cases, MSSPs refuse to work with technologies that are not covered by the contract, which leaves limited integration with the customer's other security controls. Enterprises then have to micromanage the MSSP's interaction with those controls and the remediation of the issues found. In addition, many MSSP alerts lack severity ratings and context, forcing organizations to spend extra effort verifying and double-checking every alert.
Not testing the security practices of your MSSP
Attackers have started targeting MSSP systems and networks as a way into their clients' systems. They know that compromising a single managed service provider can be enough to gain access to multiple customer networks, which makes MSSPs attractive entry points. Enterprises need to ensure that any MSSP they sign up with can demonstrably drive these risks down.
Companies also need to dig into the vendor's service delivery model and understand its deployment and onboarding processes.
It is crucial to understand the MSSP's technology platform as well as the controls it has in place for incident response. Experts think this must be evaluated in the first cycle, where companies establish which services are sold as modules or packages and map them to their own security needs.