How to assess & build a trust relationship with a Managed Security Service Provider (MSSP)
I’m a big fan of the book “The Speed of Trust” by Stephen Covey. You can get it on Amazon here. The principles of the book apply to all facets of life, professional and personal, and the main takeaway for me was that trust is earned rather than given.
So can you trust an MSSP with your data?
When it comes to trusting your MSSP, it’s quite a big deal. You are basically inviting a third party to get under your kimono. For a threat monitoring service to be effective, the service provider needs access to all network traffic and, in many cases, the ability to perform deep packet analysis to determine whether a real, evolving threat exists. That begs the question: what can your service provider see, and what can it not see?
In most cases, MSSPs restrict the data they look at to security and system logs. This level of access is quite enough for them to do their job; nevertheless, once a monitoring device is on your network, that device can potentially access any type of data traversing the network.
When I get asked about this, my answer is simple: MSSPs sell trust.
If we compromise on our integrity, then we will have no more business. For that reason, we have very strict rules and controls in place to make sure that we are not seeing anything we shouldn’t be seeing and that our customers’ data is never compromised.
As you are engaging with a new service provider, here are the four steps that I suggest you follow to build your trust relationship with your provider and to allow you to sleep at night knowing that you have made the right choice:
1. Start gradually
- You don’t have to go from 0 to 60 in 4 seconds; this is not a sprint, it’s a marathon. Rather than the usual PoC, which in my opinion is not a good measure of a provider’s performance because of its limited scope and usually short duration, start with a limited engagement to build initial trust with your provider.
- This can be a one-time professional service project such as a cybersecurity posture assessment, an IT threat and risk assessment, a vulnerability assessment or a penetration test.
- You can also start with a limited-scope threat monitoring service, restricted to a specific segment of the network rather than your whole infrastructure. This approach lets you get familiar with your provider’s tools and processes and helps you get ready to expand the service to the rest of your infrastructure more seamlessly.
2. Audit your provider
I encourage all our customers to come and audit us, and this should be part of your plan as you engage with a new service provider. Auditing your service provider’s controls lets you make sure they are using controls as good as or better than your own. If your controls are stricter than your service provider’s, then it’s not a good match!
Here is a quick checklist for you to go through as you’re auditing your provider:
- SOC operations and procedures
- Security clearance credentials of SOC staff that have access to your data
- Data access controls
- Physical access controls and procedures
- Redundancy and business continuity plans
3. Have a common incident response plan
Regardless of the quality of your managed security service provider, it’s always best to align your incident response plan with your provider’s. It can be developed jointly with your provider, or you can develop your own to complement the service your provider delivers. Sharing your plan with your provider also lets the provider better understand your internal processes and ultimately serve you better.
4. Get a second opinion
Regardless of how much you trust your provider, it’s always healthy to have a neutral third party review your security operations and assess how you and your managed security service provider are performing.
In today’s dynamic IT infrastructure, it’s good practice to have a third party assess your security operations from time to time. New applications, infrastructure upgrades, or simply your BYOD policy will create new blind spots. The review can take the form of a full IT security architecture review or a simple vulnerability assessment, to see whether the results align with those of your primary provider and to check for gaps in your coverage.
IT security operations management is a balancing act between risk and reward; in many cases, outsourcing can be the answer to simplifying your IT risk management and getting it under control in a timely and cost-effective manner. Just remember to follow a methodical approach to integrating an MSSP into your operations, and manage your provider the same way you manage your own team.
After all, they should be an extension of your IT security team and you should manage them exactly as such.