#HowTo: Demand More from MSSPs

When organizations turn to managed security service providers (MSSPs), they do it to improve their cybersecurity. They recognize they don’t have the in-house skills, resources or technology to manage this mammoth task, so they hand it over to ‘apparent’ professional cyber defenders, assuming their data could never be safer.

Unfortunately, this is a common misconception many businesses fall into when outsourcing their cybersecurity. 

They believe that by partnering with an MSSP, their security will be managed correctly and efficiently with minimal business disruption.

But once the MSSP is on board, they are suddenly met with endless false positives, no accountability, technology that does not integrate properly, and a growing exposure to cyber-attacks. Only then do they realize that their expectations of MSSPs were misjudged: they had fallen into a false sense of security.

It’s time for businesses to question their MSSPs and start demanding more.

The Explosion in One-Size-Fits-All Outsourcing

It is estimated that over 83% of organizations outsource cybersecurity today. This rapid acceleration has turned the managed security services marketplace into one of the biggest in today’s cyberspace, with forecasts predicting it will reach $25.08bn in 2023. 

As more companies continue to outsource, MSSPs have been placed in a position where they set the rules, with businesses simply having to go along on their terms.

For instance, when it comes to the technology offered by MSSPs, organizations are frequently offered a one-size-fits-all package. The services and products are not tailored to a business – they are easy to deploy but difficult for customers to integrate into their systems, which leaves big holes in coverage.

These gaps in coverage leave businesses more vulnerable to cyber threats, yet, when breaches occur, MSSPs escape entirely unscathed.

If a vulnerability goes undetected, is exploited, and results in a system breach, MSSPs bear no responsibility. Solution specifications and service level agreements (SLAs) are expressly worded to ensure that the service provider bears zero accountability if their solution does not perform as expected or its performance is associated with a breach.

But considering organizations employ MSSPs for their expertise in protecting assets, accountability must be a key element of the package they offer. Otherwise, what is the point of outsourcing?

Moreover, MSSPs face just as much security risk as any other business. While security is their business and key selling point, that does not stop them from suffering breaches themselves. In fact, according to recent data, all the top MSSPs have suffered cyber-attacks in the last few years. Surely, if these businesses were as good as they claim to be, no hacker could penetrate their networks.

This is just one example of the realities of MSSPs that aren’t promoted to their customers and prospects. They talk the talk, but they don’t always walk the walk, and when it comes to facing the consequences, their contract clauses leave them completely untouchable. 

Furthermore, MSSPs often flood their customers with false positive alerts without offering assistance. A false positive is an alert without context. It doesn’t mean it’s a vulnerability, but it also doesn’t mean it’s not a vulnerability. It only means that it requires investigation to resolve. And it’s the organizations that have to investigate and resolve these alerts – not the MSSP.

So, how can businesses demand more from their MSSPs?

It’s Time to Demand Accountability

It all comes down to asking the right questions before contracts are signed, security tools are deployed, and SLAs are agreed upon.

Before buying a managed service, businesses must ask the following 10 questions:

  1. Does your company use the service?
  2. Does your company also sell post-breach services? If so, does your company generate the majority of its revenue by selling its monitoring and preventative services or its post-breach services?
  3. Has your company been breached in the last five years?
  4. Does the service provide remote connectivity to any other third parties? If so, will you provide details to include your liability in the event of a breach associated with this connectivity?
  5. Will you train my staff to understand the product’s performance requirements to my satisfaction? If so, for how long?
  6. Are service components subject to routine vulnerability assessment scanning and security penetration testing? If so, will you provide evidence?
  7. Were service software components subject to secure development procedures and testing and are service components subject to regular security patching?
  8. Will you remediate any alerts you generate and provide active noise filtration and alert management to reduce false positives?
  9. What is your liability in the event that your service is determined to be the source of a breach of your systems?
  10. Will you provide 10 customer references?

As outsourcing becomes the most common way for organizations to manage their cybersecurity, businesses need to demand more from MSSPs.

This means asking the right questions, not being duped into signing ambiguous NDAs, and, above all, ensuring the security providers hold some accountability for when things go wrong.
