Gartner Blog Network


Your Security Operations Maturity – and Your MSSP

by Anton Chuvakin  |  October 17, 2017  |  3 Comments

Contrary to what some people think, using MSSP is not just for losers low-maturity organizations and SMBs.

For sure, we do see a lot of MSSP usage by clients who “need some monitoring for compliance” or “have no team and no process, and want ‘security outsourced’” (the latter seems like a good indication for MSSP use, but in reality smells like MSSP FAIL in the making).

Still, with emergence of top-tier MDR providers who possess real experience dealing with advanced threats, we observed that tactical [=aimed at a very specific capability gap in client secops] MSSP / MDR use at higher maturity organizations is growing as well [here and everywhere on this blog, this refers to the maturity of security operations]

However, it is very clear that these are not the same MSSPs!

not-mssps

So, we now face a problem of matching MSSP/MDR providers to clients’ maturity. We hear from clients where their procurement people literally push them to a low-price MSSP even though they have a clear set of business requirements for an elite MDR.

In essence, MSSPs are NOT all the same, even if they say the same things in their glossies. “MSSPs baffle their buyers with complex or vague service descriptions,” as we say in a recent paper. Picking the one that fits your needs best is harder than most realize….

Care to share your MSSP or MDR horror stories (aka “learnings”) or perhaps your EPIC WIN stories?

Related blog posts from our MSSP research:

Category: monitoring  mssp  security  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on Your Security Operations Maturity – and Your MSSP


  1. Andre Gironda says:

    Every business has a set of current and future value maps. The focus should be on outcomes and structure, not maturity.

    If an org doesn’t know what it is or what it wants to be yet, then fix the structure first. Once it has a charter that aligns to the current-running standards, then it can move forward with MSSP/MDP decisions.

    I like to use MDPs to fill gaps in existing programs, to build a natural progression of MDR services. For example, I have recommended that an SMB get a DNS firewall from an MDR in order to solve a specific set of risks. The great part about DNS firewall for them is that it solved at least two current-running problems at the same time, as well as gave the org more time to solve other problems.

    When I think of MSSP, I either think of security monitoring that rarely ever works or I think of dumb-process fills such as managed firewall. Are there offerings in the MSSP space (besides MDR) that are worthwhile to explore?

    An MDR will typically either agent you up or configure you out. By agent you up, I mean that they cover your infrastructure in continuously-sensoring agents that send instrumentation data to their cloud. By configure you out, I mean that they get into your IT/Ops service infrastructure (e.g., AD, DNS, Azure App Proxy, Azure MFA) and build it out in/with their cloud.

    • Hey Andre — this is yet another discussion (re: outcome vs maturity) we need to have over beers :-) I ….sort of… share the sentiment that “it is better to focus on outcomes than maturity”…in theory. But if judging results [say from tool or service] requires using it for a year, I’d use maturity as [imperfect] proxy for results. You can ask “will I get results?” and the vendor will lie…aka…exaggerate…

    • Furthermore, you may have a list of desired results spelled out VERY clearly (rare but it happens)…but then what?

      Your point re: MDR vs MSSP is well taken. Many/most MSSPs do focus on dumb process basics indeed while some/many MDRs focus on effective [hopefully] threat detection. Will MSSPs get there? Likely many will, and some did [perhaps], but for now this is accurate IMHO.



Leave a Reply

Your email address will not be published. Required fields are marked *

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.