
Why CISOs should consider an MSSP and how to choose one


It’s the classic headache that keeps CISOs up at night: How do you ensure your organization remains secure without straining your security staff—or find quality professionals to hire to reduce the burden?

If you want to add a capability to your security program to stay agile, that could require spending six months trying to hire someone to build or grow your team. Or you can look for an MSSP, said Jim Broome, president and chief technology officer at enterprise managed detection and response (MDR) provider Direct Defense.

Broome discussed some of Direct Defense’s work during a conversation at RSA with Adrian Sanabria, a host of Security Weekly.

The U.S. is short roughly one million security professionals, “so a lot of organizations are struggling to meet the actual operational state of monitoring their security on a day-to-day basis,” Broome said.

“More importantly, in the last couple of years we’ve asked more and more of our CISOs, so it really becomes a dollars and cents investment from the CISO perspective” and a question of whether they will be able to accomplish their strategic goals and maintain the operational state, and whether they have the budget for it, he added.

That’s why there are more MSSPs now: companies get a partner that provides the latest security technologies, gives them the visibility they need, and has their back, Broome said.

What to look for in an MSSP

There are a lot of niche players, so you need to determine what your needs are. Direct Defense’s services grew out of demand; the firm did a significant amount of penetration testing work, and customers asked them to offer it as a service, he said.

Because it’s critical to build trust with the customer, Broome said they offer proofs of concept to show that the technology works. Further, “We’re highly consultative in our approach,” he said.

Direct Defense also has a Tier 1, 2 and 3 SOC offering, and he said they have a lot of communication with customers to let them know what is and isn’t working. This helps build a rapport.

“We like to say we have a white glove service,” Broome said. Direct Defense offers custom alerts, custom playbooks on those alerts, and custom responses, depending on the customer’s need. “So it’s not just traditional cookie cutter and what you see is what you get,” he said.

An MSSP’s value is in providing daily triage, although typically for smaller customers, Direct Defense will handle all their security needs.

Considerations for hiring an MSSP vs. hiring an employee

When thinking about whether to use an MSSP or hire an internal employee, it boils down to cost efficiencies. There is value in having agility and scale, Broome said. Running a single SOC 24x7x365 requires having 10 to 15 people and a budget of $1.5 million to $10 million, depending on what you’re trying to do.

Most organizations are resource-constrained right now and want a partner to do that work for them, he said. Direct Defense does analysis and makes decisions on a customer’s behalf, so internal staff can focus on what they’re needed to do.

“They don’t need to sit there and wait for the red light to flash,” Broome said. “They can rely on us to handle that for them.”

By Esther Shein
