A Framework for Leveraging MSSPs Effectively

Terminology
- MSSP: Managed Security Service Providers
- MSP: Managed Service Providers
Incentives and Partnership
Most security leaders hire MSSPs for one of the following reasons:
- Augment the skills-asymmetry within the organization in the short to medium term
- Address an immediate need, like post-breach incident response
- Test and confirm the security maturity of the organization
Most MSSPs are on the lookout to expand their business prospects with the businesses that hire them once. The good ones make sure they truly provide value and don’t just say yes to any engagement they can get their hands on, regardless of their bench strength.
Like any business partnership, some incentives are aligned for both parties, the security leaders and the MSSPs, and some are not. The security leaders want to leverage the MSSPs for the exact needs of the organization, while they eventually build more in-house capabilities that suit the needs of the organization better. The MSSPs are looking for more business while providing value. As a security leader, it is your job to ensure that the incentives are truly aligned. Being clear about your objectives for leveraging the MSSP, and building trust relationships that are not solely based on giving out more business, is key.
A Framework for Leveraging MSSPs Effectively
This is a framework for infosec leaders to leverage MSSPs effectively.
Way Before
Leveraging MSSPs is one part of your organization-building strategy. It should fit well into your overall assessment of the business risk, the current capabilities of your security function, and the gaps. Well before leveraging an MSSP,
- Identify the gaps in your security team’s capabilities within the business context
- Plan your org-structure and forward-looking hiring plans for at least one year
- Identify the skills that are most critical to your hiring plan, and those that are hardest to find
After completing #3, you know the critical areas you need to focus on, both for hiring and for leveraging MSSPs. Be realistic about your ability to hire, and start talking to your friends in infosec about vendors that provide the services you are interested in. If possible, get a couple of them through the vendor onboarding process well before you engage them.
Tip: If there are areas that require multiple recurring engagements from vendors, e.g. a quarterly pentest, consider creating a calendar of engagements and have one of your team members manage it.
Before
Once you have zeroed in on areas that you would like to leverage an MSSP for, think about:
- What is your objective for the engagement?
- What is the scope of the engagement? What are the valuable capabilities and skills needed for the engagement?
- How long are you looking to engage the MSSP? Are you looking to re-engage them in the future?
Once you have answers to the above, prepare for the engagement:
- Complete the logistics like vendor evaluation, selection, onboarding, and VPN setup
- Create a summary document that acts as the central reference for the engagement and contains this info:
  - Who are the points of contact?
  - What is the preferred method of communication?
  - How are the
  - Summary of the business context
  - Pointers to user stories, product requirement documents, architecture diagrams, and technical artifacts
- Set up pre-engagement meetings to confirm that the vendor has everything they need
Tip: Don’t underestimate the effort to wrangle everyone and everything needed to cover an engagement. If possible, have a security engineer or analyst coordinate and support the engagement.
During
- Stay engaged, check in frequently, unblock where required, and provide continuous feedback
- If things don’t go as planned, be prepared with a contingency plan and execute it as required
After
Evaluate the outcome of the engagement:
- Have the objectives been achieved?
- Was there sufficient coverage for the scope? Are there ways to improve future engagements?
- What are the immediate action items? What are the medium-term action items? Have these been documented and routed to the right stakeholders to address?
- What organizational strengths and weaknesses were uncovered by the engagement?
Evaluate the MSSP and provide feedback about:
- Pre- and post-engagement support
- Quality of output
- Communication
- The value obtained from the engagement, and the likelihood of hiring them in the future
Way After
‘Way After’ is the same as ‘Way Before’: Reassess your organization’s security capabilities and gaps based on the information you obtained from the MSSP engagements.
- Did the MSSP engagement uncover new gaps in your capabilities? How has your organization changed in the past year?
- How effective is your GRC function in tracking and driving down risk?
- Did you create internal capabilities that eliminate the need for leveraging MSSPs in certain areas?
- How has your hiring plan changed?
- Do you need to engage new vendors or terminate relationships with existing vendors?
Conclusion
Leveraging MSSPs and MSPs is an extension of your organizational design strategy. To get maximum value from MSPs, have a strategy to extract value well before the engagement commences and to measure value well after it completes. For maximum effectiveness, don’t treat MSP engagements as simple outsourcing engagements, and don’t underestimate the project management required.