I’m a digital transformation, product, technology, and data/AI leader, but I don’t count information security as a top area of expertise. Over the years, I’ve learned a lot about putting the sec into DevSecOps, how security platforms use AI to improve incident management, and why educating employees is the frontline of defending the business. But when it comes to prioritizing security risks, developing a roadmap, and overseeing security operations, I call in experts who can advise on strategy and lead implementations.
My steps generally involve seeking a Managed Security Services Provider (MSSP) and sometimes a virtual CISO (vCISO). Because I’m not the expert in the room, I ask questions to help StarCIO clients understand risks and make better decisions when procuring security services.
What to ask an MSSP?
My questions are deceptively basic: I want clients to understand the
services and develop relationships with potential partners. However, I
expect the MSSPs to go deep into their specific capabilities, avoid using
confusing jargon, and explain their methodologies.
Below are five starting questions I ask MSSPs about their security services
and capabilities.
1. What are they protecting, and what are some examples of successful remediations?
The industry is filled with jargon such as EDR (endpoint detection and response), MDR (managed detection and response), and XDR (extended detection and response), with no standard definitions of the capabilities or service levels behind each term. Other times, MSSPs provide services built around a SIEM (Security Information and Event Management) or other platform that the IT team understands but business sponsors do not: they have no idea what these technologies do or how the IT team uses them.
Here’s what I seek: Can the MSSP explain what problems they solve? Can they share examples that illustrate the risks, the benefits of their approaches, and proven results? Can they provide substantial answers without confusing their prospective buyers?
2. What steps must IT and the business take to deploy your solution?
MSSPs and vCISOs can oversimplify the presentation or pitch, giving clients the misconception that added security comes with signing a contract. Many vCISOs recommend upfront assessments, while MSSPs generally have discovery and implementation phases before enabling their security services.
Clients need to hear that they can’t have their cake and eat it too: IT is almost always involved in upfront implementations, which means other project timelines will likely be impacted.
Also, business teams will likely be involved in implementations or operational changes, so sponsors must understand the required change management steps.
Here’s what I seek: A templated playbook. When MSSPs know the typical
steps and can outline who’s doing what and when, it illustrates their
proficiencies and aligns expectations. I’m also evaluating to what extent
the MSSP provides security training, tabletop exercises, and other
executive/employee engagement services.
3. What are they not protecting, and what other solutions may be needed to address these risks?
Will your MSSP oversee vulnerability management? Probably. Will they have
best practices to audit and improve identity management? Often, but that
depends on the compliance requirements and IT environment complexities. Does
the MSSP have comprehensive data security and data retention practices? Less
likely.
The goal here is to educate clients who, again, believe that a security contract begins and ends their security responsibilities and investments. In addition, while some MSSPs have in-house expertise across a broad range of security disciplines and platforms, many others subcontract some of the work or rely on partners. That may be fine with the client so long as the MSSP is transparent about how it operates.
Here’s what I seek: Simple answers. Transparency. The ability to
advise, prioritize, and present potential partners/solutions on services
outside their scope. I cringe when MSSPs appear to be selling services
outside of their core practices or defining vaporware capabilities to close
a deal.
4. What role does the MSSP play in incident management?
I’ve seen some security professionals aim to treat every alert,
vulnerability, or minor security issue as an all-hands-on-deck major
incident. So, first, I’m looking to see how the MSSP separates material and
major security incidents from secondary alerts. There should be a process,
guided by the MSSP, to define incident and vulnerability priorities, and the
MSSP should demonstrate its tools for capturing, categorizing, and managing
incidents and vulnerabilities.
I’m also looking for their case studies on what types of incidents they’ve
managed for their clients, such as ransomware, insider threats,
state-sponsored threats, and other major incidents.
Here’s what I seek: Expertise, process, tools, communication
practices, and partners.
- Expertise and process: I expect MSSPs to know what forensics to capture, which automations restore basic services, and how to find root causes.
- Tools: Their security operations (SOC) tools should integrate into my client’s ITSM (IT Service Management) tools and not create siloed workflows.
- Communications: I’m looking for MSSPs with a detailed communication playbook that clients can optimize for their operations.
- Partners: I want to see that they have connections with experts, law enforcement, and vendors to assist when required.
5. When the MSSP finds a material vulnerability, how is it remediated?
Finding, categorizing, and prioritizing vulnerabilities is table stakes, but that may be where many MSSPs’ services begin and end. Most businesses expect their MSSPs to recommend and oversee remediations, including automations to patch systems. These services should have their costs, scope, and target service levels specified.
Here’s what I seek: Managing vulnerabilities is a wide-scope problem whose size depends on the number of systems, the age of infrastructure and platforms, network complexity, compliance factors, and business risks. This question helps flush out the scope of work, internal responsibilities, and the costs of responding to vulnerabilities and patching systems.
Bottom line: Would you walk into a dangerous forest ill-prepared, without the right equipment and knowledge? Or would you rather have an expert team of guides with procedures, tools, and partners for best practices and protection? And the forest is always changing.
Reach out to me if you need help finding an MSSP.
Join us for a future session of Coffee with Digital Trailblazers, where we discuss topics for aspiring transformation leaders. If you enjoy my thought leadership, please sign up for the Driving Digital Newsletter and read all about my transformation stories in Digital Trailblazer.