Outsourcing made easy

By Staff Writers on Jul 6, 2009 11:55AM

"Another key problem with the outsourcing industry is that most companies don't know what to ask for in their security contact. Some are just impossible; some so easy they're a joke.

"A lot of the time I think good security officers are not being tough enough - they should not be afraid to ask for more. Don't be afraid to base your contract on ISO 27000.

"If your provider is competent then he'll be familiar with these provisions and will already have the process in place. If he doesn't, then you know you're in trouble," adds Knecht.

Enforcing the contract with your MSSP is down to SLAs. Pate believes measurement is key. "You want to ask your MSSP how they are measuring your SLAs. How can you check to make sure they are being enforced?

"You also want to ask about performance-based metrics. Most MSSPs only provide SLAs for device monitoring and security event response times, not around protection. You want to be sure your MSSP can provide SLAs around the protection of your network infrastructure."

The grey area of metrics is key here - gathering various feeds from monitoring devices and displaying them in a dashboard interface is a common feature, but what exactly is it telling you, and does this really reflect your business risk analysis? Kumar has seen this before.

"The effective dashboard is the Holy Grail here, and about as obtainable. The issue of what to display on it is still open for debate - there can be very differing emphasis on risk in different organisations. Probably 70 percent of the metrics are common, another 15 percent are related to vertical sectors, but the final 15 percent depend on the individual business - one size does not fit all."

While the SLAs in place will provide the enforcement, it's vital the original contract is correctly worded and researched. Although due diligence requires various questions regarding process are asked, many fail to follow up on the answers, according to Knecht.

"A lot of people in my experience go about this process in a very digital way - they ask the right questions, and the MSSP ticks the boxes: yes, yes, yes.

"However, I believe the real solution is to use a much more analogue method - nothing here is black or white, it's all about shades of grey. The trouble is, a lot of contract questionnaires are very formulaic, and don't allow either what they're talking about."

Although increasingly popular, outsourcing is far from a silver bullet for CISOs. "Of course, it doesn't always make sense to outsource. Some functions are simply not cost effective - desktop AV is a good example here," explains Pate.

The future certainly looks bright for the MSSPs, especially as other alternatives to in-house ownership, such as SaaS (Software as a Service), gain traction.

"Outsourcing will become increasingly important to businesses of all sizes," says Jones.

"It's maturing rapidly. Sixteen months ago it would have been seen as highly risky to outsource firewall functionality, but now it's much more accepted.

"I certainly see much more compliance-related measurement going on in the cloud, as well as full-featured compliance suites and risk dashboards becoming more common."

As each security technology matures and becomes de rigueur, the advantages of outsourcing it to a reliable MSSP seem clear.

Cost savings can be made, but will prove extremely expensive if data security is compromised. The rise of the MSSP is set to be steady, but certain.

Source: SC Magazine UK
