Blog post

Your Security Operations Maturity – and Your MSSP

By Anton Chuvakin | October 17, 2017 | 3 Comments


Contrary to what some people think, using MSSP is not just for losers low-maturity organizations and SMBs.

For sure, we do see a lot of MSSP usage by clients who “need some monitoring for compliance” or “have no team and no process, and want ‘security outsourced’” (the latter seems like a good indication for MSSP use, but in reality smells like MSSP FAIL in the making).

Still, with emergence of top-tier MDR providers who possess real experience dealing with advanced threats, we observed that tactical [=aimed at a very specific capability gap in client secops] MSSP / MDR use at higher maturity organizations is growing as well [here and everywhere on this blog, this refers to the maturity of security operations]

However, it is very clear that these are not the same MSSPs!


So, we now face a problem of matching MSSP/MDR providers to clients’ maturity. We hear from clients where their procurement people literally push them to a low-price MSSP even though they have a clear set of business requirements for an elite MDR.

In essence, MSSPs are NOT all the same, even if they say the same things in their glossies. “MSSPs baffle their buyers with complex or vague service descriptions,” as we say in a recent paper. Picking the one that fits your needs best is harder than most realize….

Care to share your MSSP or MDR horror stories (aka “learnings”) or perhaps your EPIC WIN stories?

Related blog posts from our MSSP research:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Andre Gironda says:

    Every business has a set of current and future value maps. The focus should be on outcomes and structure, not maturity.

    If an org doesn’t know what it is or what it wants to be yet, then fix the structure first. Once it has a charter that aligns to the current-running standards, then it can move forward with MSSP/MDP decisions.

    I like to use MDPs to fill gaps in existing programs, to build a natural progression of MDR services. For example, I have recommended that an SMB get a DNS firewall from an MDR in order to solve a specific set of risks. The great part about DNS firewall for them is that it solved at least two current-running problems at the same time, as well as gave the org more time to solve other problems.

    When I think of MSSP, I either think of security monitoring that rarely ever works or I think of dumb-process fills such as managed firewall. Are there offerings in the MSSP space (besides MDR) that are worthwhile to explore?

    An MDR will typically either agent you up or configure you out. By agent you up, I mean that they cover your infrastructure in continuously-sensoring agents that send instrumentation data to their cloud. By configure you out, I mean that they get into your IT/Ops service infrastructure (e.g., AD, DNS, Azure App Proxy, Azure MFA) and build it out in/with their cloud.

    • Hey Andre — this is yet another discussion (re: outcome vs maturity) we need to have over beers 🙂 I ….sort of… share the sentiment that “it is better to focus on outcomes than maturity”…in theory. But if judging results [say from tool or service] requires using it for a year, I’d use maturity as [imperfect] proxy for results. You can ask “will I get results?” and the vendor will lie…aka…exaggerate…

    • Furthermore, you may have a list of desired results spelled out VERY clearly (rare but it happens)…but then what?

      Your point re: MDR vs MSSP is well taken. Many/most MSSPs do focus on dumb process basics indeed while some/many MDRs focus on effective [hopefully] threat detection. Will MSSPs get there? Likely many will, and some did [perhaps], but for now this is accurate IMHO.