Unlike with an on-premises SIEM or even a still-mostly-mythical SaaS/cloud SIEM, with an MSSP contract you are paying for people and not just for the tools. This obvious fact – that the “S” in MSSP stands for “services” and service implies people – somehow escapes some organizations. Let’s explore this a bit here. If you pick an MSSP partner with an amazing technology platform and unskilled, frequently-churning, lazy, perversely-motivated (tickets closed per hour, anybody?) personnel with questionable ethics and a lack of proficiency in your language of choice, do you think your security monitoring capability will…
- … succeed brilliantly
- … fail EPICally
- … be no worse than now
- … go either way.
I think you get the idea 🙂 Now, some of you may, in good faith, choose option 3). Frankly, I was thinking of coming up with some joke about it – but became sad instead …
A wise CSO once told me that in order to outsource a security process (such as security monitoring or device management) and achieve a great result, you have to know precisely what a great process of that kind looks like. Indeed, how would you know that your MSSP runs a great SOC if you have never even seen one? The same applies to people. So, if you have never hired and managed great security analysts, how would you know that your MSSP partner actually employs them? Sure, when you buy products you can rely on our research, the views of your peers or whatever other factors, but such methods are much harder to apply to the people and process aspects of your future MSSP relationship. So, I am sorry to break the news here, but thinking is involved!
One quality MSSP provider told me that his favorite MSSP client is one who knows exactly what an excellent security operations capability looks like (for example, from a previous job), but also knows that he cannot build one himself (no chance to hire, needs it faster than he can grow one, etc.). This makes perfect sense: it is easier to conceptualize and understand a mature security monitoring operation than to actually have one materialize in your organization. Thus, if you know what one looks like, you may be able to get it from your MSSP partner.
But back to people – in essence, you need to spend time learning:
a) what does a great security analyst look like?
b) does your chosen MSSP partner have them?
c) will they be assigned to your account?
Otherwise, that MSSP may be cheap – rather than cost-effective. You want economies of scale in monitoring, not cheap crap in monitoring. And it is also your responsibility to understand the difference! So, learn about the security skill sets and relevant certifications, then find out whether the MSSP has them and whether its people have real experience fighting threats [and winning, at least occasionally :-)], and then keep checking whether that is still true as your relationship continues…
Finally, how was your experience with MSSP personnel?
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
1 Comment
The greatness of an Information Security Analyst is inversely proportional to the time spent in Information Technology. So if an Analyst has no sys admin, dev, DBA, etc. experience at all, then they are an infinitely great Analyst.
Ideally they MUST have CISSP, but what is critical is that they must never have seen a command shell prompt on a Unix or Windows server. If they can understand DBA terms and construct SQL queries, they should not be encouraged to join an MSSP. Likewise with Cisco/Juniper/Checkpoint network infrastructure – experience in these areas runs counter to the business objectives of an MSSP. One does not need to know the significance of an IP address or even what it signifies – the software gives a red/amber/green indicator.
Hope that helps. There is this crazy idea that infosec has something to do with information in electronic format!!