Outsourcing or insourcing decisions can be complex, but Managed Security Service Providers (MSSPs) offer a viable solution for various security organizational needs. The recent Fortify Experts CISO Forum explored the decision-making process and the importance of effectively evaluating and working with MSSPs.  Key topics covered in the Forum included defining expectations through MSSP evaluations, contracts, Service Level Agreements (SLAs), monitoring MSSP performance. and maintaining communication. The security leaders attending uniformly agreed that when engaging with MSSPs, aligning expectations with executive requirements and industry standards is vital.  To ensure an effective partnership, organizations should consider this a strategic partnership.    Here are some CISO Recommended Tips on how you can improve your success with an MSSP. A.  Start by defining your requirements:
  1. Define what regulatory requirements and controls your firm has to comply with.
  2. Then, evaluate specific business metrics which need to be met to satisfy the executive team.
  3. Define the scope of what should be outsourced and what could be outsourced.
B.  Investigate who the reputable vendors are in your industry:
  1. Ask similar counterparts if they have had good or bad experiences with a vendor. 
  2. It was discussed to stay away from the smaller startups under 25 people unless there was a very specific reason (i.e. specialty) to consider them.
  3. Look for an MSSP with a specialization in your industry. Their expertise within the industry could provide you with a more refined approach to your specific needs. 
C.  Evaluate vendors:
  1. How well do they align with your business requirements?
  2. Does their pricing model appropriately reflect their level of service offerings?
  3. Do they have a reputation for meeting expectations?
D.  Contracting with the Vendor
  1. Carefully considering SLAs and contract details can maximize the benefits of MSSP engagements.
  2. Define appropriate staffing levels and who will be working on the engagement, Make sure there is a notification provision if staffing changes.
  3. Define incident response times and SLA reporting requirements in the agreement, plus incentives and disincentives to enhance accountability.
E.  Monitoring Performance:
  1. The client-MSSP relationship hinges on a common understanding facilitated by SLAs. 
  2. Collaboratively create a comprehensive dashboard and reporting system to cover all critical metrics, which can be shared regularly with executives and the board to keep them informed.
  3. Consider appointing a dedicated MSSP contact (i.e. CISO, virtual CISO, etc) to oversee the MSSP to ensure compliance and performance.
F.  On-going Communication:
  1. Communication is vital in demonstrating the value of MSSPs. 
  2. Creating transparency around reporting on incidents, threat landscapes, and ongoing projects is critical.
  3. Focus on continuous improvement that is adaptable to the evolving threat landscapes. 
  4. Continue to evaluate performance, refine agreements, and align MSSP services with organizational goals to create long-term success.
By following these insights and best practices, organizations can navigate the MSSP landscape confidently, ensuring successful engagements that meet their unique requirements while maximizing the value they receive from their MSSP. In Summary: Thanks to the input of the security leaders who joined our CISO Forum which provided such insightful advice on how to improve your security program. If you are a security leader and would like to participate in our monthly CISO Forums where we discuss valuable and actionable information as well as best practices and challenges, please register here.   About Tim Howard Tim Howard is the founder of 4 technology firms including Fortify Experts which helps companies hire the Best Cyber Talent on the Planet as well as provides expert consulting and NIST-based security assessments In addition, he has a passion for helping CISOs develop Higher Performing Teams through staffing, coaching, CISO Forums, and improving their team culture. With each new hire, his firm produces an Employee Operating Manual to help clients understand how to motivate and maximize productivity while meeting the needs of each employee.