Gartner Blog Network


MSSP: Integrate, NOT Outsource!

by Anton Chuvakin  |  November 5, 2014  |  4 Comments

Security outsourcing! While the concept makes many managers happy (“Phew… no need to do security anymore” — yeah, right!), I have noticed that some smart MSSP leaders avoid the “O word.” If we are to believe Wikipedia, “outsourcing” implies “contracting out of a business process to another party.” On the surface, it sounds like “security monitoring” and “security device management” are perfectly fine business processes.

However, where does your security monitoring process end? If you think that it ends with some alert being triggered, then you have indeed been outsourcing the entire process. On the other hand, if you consider what happens after that alert is produced by an MSSP security analyst to also be part of your monitoring, then you ultimately INTEGRATE the processes (yours and MSSPs) rather than OUTSOURCE yours to an MSSP.

My early research conversations with both MSSP customers and providers themselves reveal the theme: those who think “integrate, NOT outsource” usually get much more value out of the MSSP relationship. In a dramatic break from my personal “policy” of not linking to vendor content from my Gartner blog (motivated by my utter lack of desire to waste time fighting idiotic accusations of ‘vendor favoritism’), here is a great example of integrated security operations with an MSSP:

Are you maximizing the value from your managed security services provider (MSSP) relationship?

(source: IBM via this blog)

Vendor-produced or not, I can recognize awesomeness when I see it. Thanks to  @mikebsanders for an excellent resource.

Now, what does it all mean?

This means that for the MSSP to work well for you, process integration must be carefully planned. Here we talked about the alert response integration (and here about the SLAs), but the same applies to device management (integrate with your change management and reporting), incident response (integrate with your IR) and many other processes.

This also means that this focus on integration allows you to vary the degree of security ‘outsourcing’ or externalization. If your plan – monitor – triage – respond – refine chain is well planned, you can almost painlessly engage external resources (MSSP, consultants, etc) at whatever stage: need more help with cleaning the mess? Call that IR consultant. Want to shift some perimeter monitoring duties outside? Go get that MSSP. Want to bring specific application security monitoring tasks in-house? Do exactly that. Some process chunks will externalize well, some poorly [and some not at all], but at least you will have a predictable map of what goes where and who does what…

Blog posts related to this research on MSSP usage:

Category: monitoring  mssp  security  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on MSSP: Integrate, NOT Outsource!


  1. […] This was cross-posted from Gartner blog. […]

  2. […] ← MSSP: Integrate, NOT Outsource! […]

  3. […] Process synchronization: now for the fun part: your risk assessment (maybe) and incident response (likely) processes may now be “jointly run” with your MSSP, but have you clarified the touch points, dependencies and information handoffs? […]



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.