Drive has 700+ articles for digital transformation leaders written by StarCIO Digital Trailblazer, Isaac Sacolick.

I’m a digital transformation, product, technology, and data/AI leader, but I don’t count information security as a top area of expertise. Over the years, I’ve learned a lot about putting the sec into DevSecOps, how security platforms use AI to improve incident management, and why educating employees is the frontline of defending the business. But when it comes to prioritizing security risks, developing a roadmap, and overseeing security operations, I call in experts who can advise on strategy and lead implementations.

5 Decisive Questions to Ask Your Managed Security Services Provider (MSSP)

My steps generally involve seeking a Managed Security Services Provider (MSSP) and sometimes a virtual CISO (vCISO). Because I’m not the expert in the room, I ask questions to help StarCIO clients understand risks and make better decisions when procuring security services.

What to ask an MSSP?

My questions are deceptively basic: I want clients to understand the services and develop relationships with potential partners. However, I expect the MSSPs to go deep into their specific capabilities, avoid using confusing jargon, and explain their methodologies.

Below are five starting questions I ask MSSPs about their security services and capabilities.

1. What are they protecting, and what are some examples of successful remediations?

The industry is filled with jargon such as EDR (endpoint detection and response), MDR (managed detection and response), and XDR (extended detection and response), with no standard definitions of the capabilities or service levels behind each term. Other times, MSSPs provide services around a particular SIEM (Security Information and Event Management) platform or similar tooling. The IT team understands these technologies, but business sponsors often have no idea what they do or how the IT team uses them.

Here’s what I seek: Can the MSSP explain what problems they solve? Can they share examples that illustrate the risks, benefits of their approaches, and proven results? Can they provide substantial answers without confusing their prospective buyers?

2. What steps must IT and the business take to deploy your solution?

MSSPs and vCISOs can overly simplify the presentation/pitch, giving clients the misconception that added security comes with a contract. Many vCISOs recommend upfront assessments, while MSSPs generally have discovery and implementation phases before enabling their security services.

Clients need to hear that they can’t have their cake and eat it too. IT is almost always involved in upfront implementations, which means other project timelines will likely be impacted.

Also, business teams will likely be involved in implementations or operational changes, so sponsors must understand the required change management steps.

Here’s what I seek: A templated playbook. When MSSPs know the typical steps and can outline who’s doing what and when, it illustrates their proficiencies and aligns expectations. I’m also evaluating to what extent the MSSP provides security training, tabletop exercises, and other executive/employee engagement services.

3. What are they not protecting, and what other solutions may be needed to address these risks?

Will your MSSP oversee vulnerability management? Probably. Will they have best practices to audit and improve identity management? Often, but that depends on the compliance requirements and IT environment complexities. Does the MSSP have comprehensive data security and data retention practices? Less likely.

The goal here is to educate clients who, again, believe that signing a security contract is the beginning and end of their security responsibilities and investments. In addition, while some MSSPs have in-house expertise across broad security disciplines and platforms, many others subcontract some work or rely on partners, which may be fine with the client so long as the MSSP is transparent about how it operates.

Here’s what I seek: Simple answers. Transparency. The ability to advise, prioritize, and present potential partners/solutions on services outside their scope. I cringe when MSSPs appear to be selling services outside of their core practices or defining vaporware capabilities to close a deal.

4. What role does the MSSP play in incident management?

I’ve seen some security professionals aim to treat every alert, vulnerability, or minor security issue as an all-hands-on-deck major incident. So, first, I’m looking to see how the MSSP separates material and major security incidents from secondary alerts. There should be a process, guided by the MSSP, to define incident and vulnerability priorities, and the MSSP should demonstrate its tools for capturing, categorizing, and managing incidents and vulnerabilities.

I’m also looking for their case studies on what types of incidents they’ve managed for their clients, such as ransomware, insider threats, state-sponsored threats, and other major incidents.

Here’s what I seek: Expertise, process, tools, communication practices, and partners.

  • Expertise and process: I expect MSSPs to know what forensics to capture, to have automations that restore basic services, and to have the expertise to find root causes.
  • Tools: Their security operations center (SOC) tools should integrate into my client’s ITSM (IT Service Management) tools and not create siloed workflows.
  • Communications: I’m looking for MSSPs with a detailed communication playbook that clients can optimize for their operations.
  • Partners: I want to see they have connections with experts, law enforcement, and vendors to assist when required.

5. When the MSSP finds a material vulnerability, how is it remediated?

Finding, categorizing, and prioritizing vulnerabilities is table stakes, but that may be where many MSSPs’ services begin and end. Most businesses expect their MSSPs to recommend and oversee remediations, including automations to patch systems. These services should have their costs, scope of services, and target service levels specified.

Here’s what I seek: Managing vulnerabilities is a wide-scope problem depending on the number of systems, age of infrastructure/platforms, network complexities, compliance factors, and business risks. This question helps flush out the scope of work, internal responsibilities, and costs of responding to vulnerabilities and patching systems.

Bottom line: Would you walk into a dangerous forest ill-prepared without the right equipment and knowledge? Or would you rather have an expert team of guides with procedures, tools, and partners for best practices and protection? And the forest is always changing.

Reach out to me if you need help finding an MSSP.
