Gartner Blog Network


Our Updated MSSP and MDR Guidance Publishes

by Anton Chuvakin  |  January 30, 2018  |  2 Comments

While Augusto may disagree, this is probably one of our top 3 favorite papers we’ve written, and it has been UPDATED. Hello world! Please welcome “How to Work With an MSSP to Improve Security”, 2018 update (Gartner GTP access required). Apart from content updates and new MDR coverage, it now features a juicy new guidance framework! And an additional co-author too.

The abstract states: “Managed security services are an increasingly popular way to improve information security, yet many engagements struggle to succeed. This guidance helps technical professionals shape the MSSP [A.C. – now also MDR! OMG… this is 2018 for realz! :-)] relationship, refine their expectations and co-develop successful security architectures.”

Some of my fave quotes follow below:

  • “Using a managed security service provider (MSSP) is not the same as shifting responsibility for your security to somebody else. It involves integrating with an external security monitoring and system management paradigm, often using the provider’s standardized processes.”
  • “Organizations that have not retained sufficient internal IR and remediation capabilities cannot benefit fully from either MSSP security monitoring or an MDR-level version. […] You need to adjust your processes to respond to alerts from an external source and provide feedback on their relevance.”
  • “Align your onboarding expectations to the complexity of the service, and make ongoing, bidirectional knowledge transfer a key part of the engagement. MSSPs can only work with the information you give them.
  • “In almost all cases, the organization will need to define and allocate some program management resources to keep the MSSP on task and evaluate its ongoing effectiveness. These reviews are necessary to keep the engagement fresh and maintain its value.”
  • Failure to detect does not necessarily equal incompetence. For example, a failed detection is only an MSSP failure if the MSSP was given access to the necessary log data. If the MSSP didn’t have such access, the real question is, “Why not?” Did the MSSP not ask for it, did the client not provide it, were there technical issues […], or was the area out of scope for the contract?”
  • “Sadly, some relationships come to an end, and your relationship with an MSSP may need to be one of these.” [A.C. – yes, this is an actual quote :-)]

Finally, PLEASE go and provide feedback after you read the paper at http://surveys.gartner.com/s/gtppaperfeedback

Related posts:

Category: announcement  monitoring  mssp  security  

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on Our Updated MSSP and MDR Guidance Publishes


  1. […] Anton just posted, the new version of the famous “How to Work With an MSSP to Improve Security” has just […]



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.