Deciding on Service Levels and Scope

November 19, 2019

BlueVoyant

Finding the right MSSP depends a lot on understanding your own capabilities and knowing which aspects of your security program you are unable to do well yourself or which make the most sense to outsource in the context of your overall operation. These same factors are key to defining the level of service you need from your security service provider.

The service level you agree to goes back to knowing what you expect to gain by engaging with a service provider in the first place. It’s important to align the MSSP services with your own security goals and strategy. Some things in your practice will not change. What’s changing is who is doing them. When making these judgements, you must have a clear understanding of your current security processes. This includes the technologies you are using and how you handle routine tasks like investigating alerts and incident response. Without that knowledge, you will not be able to clearly assign responsibilities in the MSSP relationship.

Although a good security partner will work closely with you to define the right level of service for your situation, you need to recognize they are in the business of selling you services. Before engaging with an MSSP, it’s important to do a thorough security assessment. This may be something you’ve neglected, or it may be something you’ve done recently. There’s no magic number as to how often you should perform a security assessment, but most security experts recommend doing it regularly and methodically.

To find out more about how security professionals manage their assessments in practice, Mighty Guides sent the following survey question to about 3,000 professionals:

How often do you perform a comprehensive assessment of your security posture?

  1. Quarterly
  2. Every 6 months
  3. Annually
  4. Every 2 years
  5. Whenever you make a major change

Additionally, we wanted to know what types of tasks and functions they most often outsource.

To find out more, they asked the following question:

Which security functions does it make most business sense to outsource?

  1. 24/7 threat response
  2. Routine tasks such as account management, access management, and patch management
  3. Alert management, triage, and threat investigation
  4. Threat hunting
  5. SOC and SIEM management
  6. Security automation

Most IT pros outsource functions that require a commitment to expensive technology and specialized skills. They tend to retain easier things along with some tasks that are the most critical to the business, such as threat investigation. But that doesn’t make this approach best for everyone. You need to start with a baseline security assessment, and then carefully weigh the tradeoffs of outsourcing different aspects of your practice.