Gartner Blog Network


How To Work With An MSSP Effectively?

by Anton Chuvakin  |  September 3, 2014  |  6 Comments

My next research project at Gartner GTP will be about working with managed security services providers (MSSPs). We have great content that compares major MSSPs (such as the MSSP Magic Quadrant), but none yet on how to work well with one.

In the past, our team’s work focused on helping people who “do stuff” (as opposed to those who “find people to pay for doing their stuff for them”), and this document would be a bit of a departure from that tradition.

In my effort, I plan to tackle questions such as these:

  • What can an MSSP do well in security monitoring vs just OK vs not at all?
  • How to onboard an MSSP and prepare for an effective joint operation?
  • How to provide the right information for the MSSP to succeed?
  • How to work together with an MSSP for improving security?
  • How to learn from the MSSP operations and improve yours?
  • How to define the right SLAs for various security activities?
  • How to build joint workflows with an MSSP?
  • How to MSSP-enhance various security operational practices?
  • How to avoid pitfalls with security monitoring outsourcing?
  • How to run a hybrid MSSP+SIEM operation?

(Got any other ideas? Hit the comments!)

And here is my call to action:

  • Are you at least a semi-decent MSSP and have something useful to say about it? Here is a briefing link … you know what to do! I’d love to hear what advice you give clients on how to succeed with your services.
  • A consultant who advises clients to select [or avoid] MSSPs, care to share your experience?
  • Enterprises, got an MSSP story to share? Both WIN stories and FAIL stories will do fine. Hit the comments or email me privately (Gartner client NDA will cover it, if you are a client).



Thoughts on How To Work With An MSSP Effectively?


  1. Matt says:

    Almost all of the MSSPs also provide IR services. Ask them how many IR engagements they participated in over the last 12 months. Then ask them how many of those IR engagements were the result of their own MSSP service identifying and escalating an incident. They probably can’t tell you. Crickets chirping. Does it seem at all unusual that IR isn’t the intentional and natural byproduct of security monitoring? That MSSPs don’t even attempt to track that relationship? The real challenge with security monitoring, whether managed or not, is making sure it’s not just theater, and that you’re actually positioning the organization to identify incidents quickly. What are some things we can do to make sure we’re getting that from an MSSP?

  2. Thanks for an excellent point, Matt! IR services from MSS which are not triggered by the MSS monitoring would worry me a lot.



