Digital transformation has been around for a while, but last year it accelerated its pace significantly. As organizations suddenly shifted to an almost exclusively digital world, the need to protect digital assets grew even more. One way to tackle these new threats was adopting a managed cybersecurity solution to provide 24/7/365 monitoring, protect applications and network infrastructures, perform incident response, and so on.
To select a suitable managed cybersecurity solution for your business, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic.
Tim Bandos, CISO and VP of Managed Security Services, Digital Guardian
First, you need to understand your organizational needs. Is it to augment security team coverage, or to solve a specific security challenge, like endpoint detection and response (EDR)? You may also need to consider the security solutions that are must-haves in today’s advanced threat environment.
Your choice should focus on services that address your existing security gaps, and then on deciding the best provider to deliver them – not the other way around. According to Forrester Research, categorizing services as either basic or advanced can offer a better understanding of vendors’ specific managed service competencies.
- Basic: Capabilities include the set of traditional managed and monitored services. These are the legacy MSSP vendors with services such as managed next-generation firewall, intrusion detection/prevention systems, and log aggregation and analysis.
- Advanced: Capabilities require more specialized skills to deliver value. These skills include new and innovative services, such as behavioral analysis, threat hunting, as well as DLP, which can be challenging for organizations to effectively implement and manage due to the technology, expertise, and budget required.
Once you determine the capabilities needed to fill your gaps, categorize managed cybersecurity providers according to their competencies. From there, narrow further based on other factors such as price and provider reputation to help you select the right solution for your organization.
Matt DeMatteo, Technical Evangelist, Secureworks
It is critical to start with a thoughtful review of your organization’s inherent risk. Factors like your industry, revenue, vendors, customers, and technology stack affect your threat landscape.
There are many managed cybersecurity solutions in the market, but none is one-size-fits-all. Each offering will deliver different outcomes and have things it is not responsible for. Understanding your inherent risk will help you prioritize what you need.
Next, you should identify what level of operational involvement you are comfortable with for your security team and your company. Most organizations are comfortable with a partner handling level 1 alert triage and investigations on a 24×7 basis. For other disciplines like incident response, vulnerability management, or security architecture, organizations may want to maintain more control, and partnering with a vendor that offers outcome-based services can lead to frustration if a more customized delivery is expected.
Lastly, look for companies that have in-house resources to stay up-to-date on cyber attackers. For example, a company with incident response or threat intelligence services will be more educated about the threat landscape than vendors who do not. Many vendors will have a long and competent IT operations story, but that is not the critical ingredient for success. Experience and ongoing investment to stay ahead of attackers are needed so that your organization’s security posture can do the same.
Jesse Emerson, VP, Americas Managed Security Services, Trustwave
While having a vendor that is willing to adapt to all dimensions of your requirements can seem like it’s a good thing, be cautious. Vendors who are eager to say “yes” often end up being fragmented in their operations and cannot develop best practices and benefit from repeatable processes and continuous improvement. Definitely know the outcomes you need from the partnership, but be open to letting the vendor satisfy those with their established offerings. If their offerings don’t fit, then they’re not the right vendor.
Another key thing to look for is transparency. A vendor that needs to say, “just trust us, we’re doing a good job” rather than giving you visibility into the work they are doing for you can put a wrinkle into the fabric of trust that you need to have with your vendors.
Considering the vast number of cybersecurity vendors on the market today and the number of those that are in startup phases, it’s important to pick established and credible vendors for core portions of your program. You may be able to risk a cutting-edge vendor for peripheral or hyper-advanced areas, such as deception or threat intel, but choose a company that has industry credibility and staying-power for components such as MDR and SOC.
Scott Kaine, VP, Cybersecurity Services, Motorola Solutions
With cybercrime costing individuals and businesses $4.2 billion in 2020, businesses should not be without cybersecurity services. But selecting the right MSSP requires research and thought. Key questions to ask when selecting an MSSP include:
- Do they understand your environment? If a provider doesn’t ask enough questions about what’s in place, how it’s used and which users need what level of access, you should probably find another.
- What’s their level of expertise in cloud security? If your company is moving to the cloud or already in it, your provider should offer a cloud-native solution that fully integrates with data from your network, endpoints and SIEM to detect threats and misconfigurations quickly and remediate any issues.
- What does their support involve? Considering what’s at stake — your company’s data — you need a provider that responds promptly to your calls, especially if you believe an attack or breach is underway.
- What is the value vs. cost of the service? When contracting an MSSP, you’ll want to know upfront how much the provider charges and exactly what you are paying for. While you want the best possible rates, avoid basing decisions strictly on cost. Keep in mind the value of the security services, and how much it can cost to recover from a security incident.
Wesley Mullins, CISO, deepwatch
Regardless of whether it’s an emerging or existing security program, my advice always comes down to the same bottom line: you have to make sure you are getting the most for your investment. If a bad choice is made, an in-house team may end up flooded with too many alerts or miss important data sources that should be monitored.
Determine what you need first, then search for solutions knowing that your due diligence will be required to ensure you get the most bang for your buck. Ask your peers what they are doing. Call your existing technology partners to assess how an MSSP works with your existing stack. Your requirements are what matter most. If a security provider says they can’t support your workflow, then you need to keep looking.
A good solution will take into account your business objectives, your existing team, processes, technology stack and budget – along with a commitment to help mature the security program over time. Look for a vendor that can be a true partner and extension of your team. Ideally, I recommend that the solution includes daily communication with dedicated security personnel who are available 24/7/365 and know the customer’s environment inside and out. An RFP process can help identify the right solutions from the herd of options out there.
David Rickard, CTO North America, Cipher
Improvement of cybersecurity capability is front-of-mind for business executives – and it should be. How do you go about comparing the MSSPs that can improve your overall posture?
- Does the MSSP understand my business? Many MSSPs will offer 24×7 monitoring, but do they really understand your business? Choose an MSSP that really understands your business needs.
- Does the MSSP offer solutions that cover the NIST Framework? NIST categorizes cybersecurity operations into 5 control areas: identify, protect, detect, respond and recover. Does the MSSP’s solution cover all of those?
- Does the MSSP offer a good value-to-cost ratio? You want to be able to get real, measurable value from your MSSP. Choose an MSSP that offers a solution that covers every NIST control area with one fixed price.
- Does the MSSP have solid financial footing? You want to choose an MSSP that not only has decades of experience, but also one that you’re confident will be there for you when you need them most!
- How well can the MSSP integrate with other security concerns? You may have an environment that includes physical controls. A truly complete MSSP will be able to integrate those with their cyber solution.
Trish Tobin, VP, Portfolio and GTM Strategy, Cyber Defense and Applied Security, Optiv
The most important thing is to select a partner that can fit your specific current and future security needs. Here are four things to look for:
- Expertise: Do they have a strong bench of security experts? You want a company that has years of experience supporting customers in meeting their cybersecurity goals, and has experts in place across multiple areas of IT security.
- Range of services: Threat actors are constantly evolving and you want to make sure the vendor can deliver a range of services to keep pace – including new, innovative solutions to keep your data safe as the landscape changes. This includes solutions for all aspects of threat detection, remediation, behavior monitoring and more.
- Strategic capabilities: Along with providing the infrastructure, can they also provide strategic insights to continually drive the security program forward? This means staying on top of emerging trends, new approaches, best practices, etc.
- Track record: Do they have a proven track record with companies that look like yours in terms of size, market vertical, etc.? They should also have case studies and references who can verify they’re a good fit for your company.