Gartner Blog Network


On MSSP Personnel

by Anton Chuvakin  |  October 28, 2014

Unlike with an on-premise SIEM or even a still-mostly-mythical SaaS/cloud SIEM, with an MSSP contract you are paying for people and not just for the tools. This obvious fact – that the “S” in MSSP stands for “services” and service implies people – somehow escapes some organizations. Let’s explore this a bit here. If you pick an MSSP partner with an amazing technology platform and unskilled, frequently-churning, lazy, perversely-motivated (tickets closed per hour, anybody?) personnel with questionable ethics and a lack of proficiency in your language of choice, do you think your security monitoring capability will…

  1. … succeed brilliantly
  2. … fail EPICally
  3. … be no worse than now
  4. … go whatever way.

I think you get the idea :-) Now, some of you may, in good faith, choose option 3). Frankly, I was thinking of coming up with some joke about it – but became sad instead …

A wise CSO once told me that in order to outsource a security process (such as security monitoring or device management) and achieve a great result, you have to know precisely what a great process of that kind looks like. Indeed, how would you know that your MSSP runs a great SOC, if you have never even seen one? The same applies to people. So, if you never hired and managed great security analysts, how would you know that your MSSP partner actually employs them? Sure, when you buy products you can rely on our research, the views of your peers or whatever other factors, but such methods are much harder to apply to the people and process aspects of your future MSSP relationship. So, I am sorry to break the news here, but thinking is involved!

One quality MSSP provider told me that his favorite MSSP client is one that knows exactly what an excellent security operations capability looks like (such as from his previous job, etc.), but also knows that he cannot get one (no chance to hire, needs it faster than he can grow it, etc.). This makes perfect sense: it is easier to conceptualize and understand a mature security monitoring operation than to actually have one materialize in your organization. Thus, if you know how one looks, you may be able to get that from that MSSP partner.

But back to people – in essence, you need to spend time learning:

a) what does a great security analyst look like?

b) whether your chosen MSSP partner has them?

c) whether they will be assigned to your account?

Otherwise, that MSSP may be cheap – rather than cost-effective. You want economies of scale in monitoring, not cheap crap in monitoring. And it is also your responsibility to understand the difference! So, learn about the security skill sets and relevant certifications, and then about whether the MSSP has them, and also whether their people have real experience fighting threats [and winning, at least occasionally :-)] and then continue checking whether that is still true as your relationship continues…

Finally, how was your experience with MSSP personnel?


Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on On MSSP Personnel


  1. Ian Tibble says:

    The greatness of an Information Security Analyst is inversely proportional to the time spent in Information Technology. So if an Analyst has no sys admin, dev, DBA, etc. experience at all, then they are an infinitely great Analyst.
    Ideally they MUST have CISSP but what is critical is that they must never have seen a command shell prompt on a Unix or Windows server. If they can understand DBA terms and construct SQL queries, they should not be encouraged to join an MSSP. Likewise with Cisco/Juniper/Checkpoint network infrastructure – experience in these areas runs counter to the business objectives of an MSSP. One does not need to know the significance of an IP address or even what it signifies – the software gives a red/amber/green indicator.
    Hope that helps. There is this crazy idea that infosec has something to do with information in electronic format!!
