There is no doubt that managed security services (MSS) are in high demand, and many IT service providers are assessing how viable MSS is as a business model and whether it is something they wish to offer. The truth is that, because of their specialized nature, security services, particularly core MSSP services such as incident response and monitoring, are mostly out of reach.
To offer services like penetration testing, analysis of open-source intelligence, or digital testing, the business needs people with the relevant certifications and experience in those activities, and such resources aren't cheap. Building such a portfolio is costly when there is no demand from your customers. However, customers typically want a single MSSP that provides every service rather than having to manage multiple contracts. The main question is: how do you offer all the managed security services required to satisfy your customers while keeping start-up expenses down and business risk to a minimum?
Core Services of an MSSP
At the most fundamental level, an MSSP offers two services that meet the requirements of customers:
- Incident notification
- Protective monitoring
Protective monitoring is in greatest demand: every customer engaging a service provider needs their networks and systems monitored for cyber threats. Typically, a service provider delivers this together with incident notification as one package of services from its Security Operations Centre (SOC), and may market it as a SOC service.
Monitoring is normally provided using a Security Information and Event Management (SIEM) system, possibly integrated with User and Entity Behaviour Analytics (UEBA) and a network monitoring tool. This means that the risks posed by insiders can be mitigated as a component of the core SOC services, instead of being sold as an add-on at extra expense, a feature that all MSSP customers would appreciate.
Approaches to Offering Additional Managed Security Services
Whether customers know in advance which services they need, or mature into them once the core services are running, is moot; at some point they will be looking for the following service categories:
- Compliance monitoring
- Device management
- Incident response/digital forensics
- Product resale
- Security testing (penetration and vulnerability)
As a provider of managed security solutions, it is important to look at the type of investment each of these requires and determine whether you will offer them with your own staff or create a subcontracting framework that lets you engage experts whenever you need them.
Some of these make good sense to provide in-house, such as compliance monitoring and product resale. The two are quite easy to set up, as they are mostly a matter of extending the SOC monitoring to cover compliance dashboards and having the right contracts in place with suppliers so that you can resell their services and products. Compliance monitoring means measuring the effectiveness and compliance of the security controls, ensuring they always perform within tolerance, and notifying the SOC whenever something slips out of compliance.
As a provider of managed security services, you need to be careful about the extent of your incident response offering, so that you can take control of an evolving threat situation and steer all the parties involved to a conclusion in which customer impact is minimized as far as possible.
Given the nature of most incidents, customers will often be in disarray, with senior executives demanding answers and looking for scapegoats to blame for service interruptions or losses. Your incident response team needs to be professional, stay vigilant, keep everyone focused and calm, and bring previous experience of handling similarly complex incidents, which is where it is of most value. In most cases, this expert team is not the team of analysts in your SOC. Hence, before offering this service, make sure you have those skills and the capability to deliver it.
Device management is an optional service that most MSSPs see as a low-margin capability, to be provided only if there is no other way of winning the contract. Managing security devices when you have no control over the other onsite technology can be troublesome, and most of the time it is better to let customers conclude that their service provider is best placed to give them this, since that provider already manages most of the customer's infrastructure. A much better option is to integrate your SOC service with those third parties, so that any request from the SOC to block a threat is converted into the proper action at the end device.
Consulting is a very broad service offering that can cover several outcomes for customers. Some service providers offer a catalog of lower-level consulting services, such as:
- Security architecture reviews
- Policy assessments
- Compliance reviews
- Incident readiness assessments
- Workshops and training
These are just a few of the items that consulting teams deliver to customers; in reality, consulting covers any activity that needs someone with expertise to come to the site in an advisory capacity. Every MSSP must be able to offer consulting for implementing its core services, even if it is only deployment and integration advice for those services, such as how customers should react when they receive an incident notification.
Other consulting activities that are not within your current workforce's skill set have to be provided through a subcontract with a specialist provider that has the experience and certifications required to offer them.
Additional subcontracting services
Additional services that you cannot provide directly can be delivered through a carefully built contract framework with other providers that have the skills and experienced staff to offer them. There are two approaches to this:
- Resource augmentation contracts, where contractors work within your team as if they were your employees, and it is not apparent that they are on contract rather than permanent staff. From the customer's perspective it shouldn't really matter, yet they could come to question your honesty, especially if they realize the person works for another company and you presented them as one of your internal resources.
- Better still is a full B2B agreement in which you sell the value of the partnership and present the third-party company as experts in their field. The point to emphasize is that you have acknowledged the gaps in experience within your portfolio and found a way to provide those services to customers through an easily navigable contract.
There is one risk to this model. You need a carefully drafted non-compete agreement with your subcontractors, to ensure everyone understands that your customers are yours alone and must in no way be approached directly for work by your subcontractors. There is a constant risk that a specialist subcontractor, particularly a small one, will be blinded by the revenue possibilities of going directly to your MSSP customers, without realizing the damage this breach of trust does to every party in the relationship.
Conclusion – Create Sustainable Security Services
Subcontracting specialist services lets MSSPs offer a complete portfolio of security services while building their customer base and tendering for business in markets that might otherwise not be feasible. Pay attention to the nature of the subcontract relationship and make sure it is mutually beneficial for every vendor.