Many Managed Security Services Providers (MSSPs) provide risk dashboards to their clients. Not only do these dashboards provide an overview of enterprise IT risk, they should (in theory) enable conversations around what actions need to be taken with respect to risk exposure, as well as requests for services from the MSSP or increased budgets.
From eyeglasses to wedding dresses, everyone has become used to being able to "try before you buy." Giving potential clients the chance to test drive products and services is smart business for both sides. It helps buyers make sure that the offering fits all their needs and desires, and it helps businesses avoid unhappy customers banging down their door in search of a refund or an apology.
Present a security operations report your leadership will understand and find value in.
Managed security services providers (MSSPs) often struggle with distinguishing themselves in a crowded marketplace, convincing clients of the value of their services, and transitioning into the role of trusted advisor by demonstrating their expertise. At every stage of the process, from onboarding to contract renewal, MSSPs need to handle each of their clients with professionalism and care in order to generate a stream of recurring revenue. When MSSPs try to provide services to their customers at scale, they generally face two major pain points. To begin with, MSSPs need to address their customers' most pressing demands first in order to keep them satisfied, and to do this well for many different clients. Second, MSSPs should not only put out fires for their customers, but also create actionable recommendations for them that will build a high-quality relationship with them over time.
As a Managed Security Service Provider (MSSP), accomplishing things is great, but you need to have a solid design and plan in place before achieving them — otherwise, you will start hammering away at things that are very definitely not nails. In the last blog, we talked about using the maturity of the organization’s architecture as a metric for cyber security preparation and compliance. This article will extend that idea by talking about the efficacy of that architecture. Compliance does not necessarily equal security, and you need to make sure that your customers’ tools and processes are actually working in order to provide the best service and close any gaps. To do that, you need a list of metrics that are correlated with the effectiveness of an organization’s cyber security policies. The seven indicators listed below will help you build a cyber security dashboard for assessing your customers’ security posture.
Key risk indicators (KRIs) are used to measure future adverse impacts of events and activities. They are widely used in areas such as healthcare, operations, and disaster risk management. KRIs use existing system and security sensor data to calculate residual risk due to IT operations. The inputs are similar to a combination of SIEM, GRC, and threat intelligence systems; the output is continuous, objective, actionable metrics. With easy-to-understand and security-posture relevant metrics, technology leaders can design measurable goals and communicate the status and health of security operations to business leaders for decision making purposes.
When you have to respond quickly to organizational or compliance directives from clients, in addition to the cyber security threats and risks that your organization faces every day, it can be difficult to gauge how effective you are in doing so.
Cyber risk "measures" today come primarily in two flavors: statistics and compliance checkboxes. Unfortunately for Managed Security Service Providers (MSSPs), neither of these is an actual measure of security program performance or maturity, and both often create additional questions from clients rather than resolving them.
The scale and complexity of enterprise information systems have grown exponentially in recent years. To address this, some security practitioners have layered security with defense-in-depth technologies. Unfortunately, many of the technologies are poorly integrated, conflict with each other, and can inhibit critical business operations.
Nearly a year has passed since this article was first published. In that time, the readership of the article has surpassed all other blog articles on the FourV site by 154%. At least two items are particularly interesting in that statistic. First, in re-reading the blog, the poor use of grammar and multiple typos is evident. But after all, it is a blog and grammar school is long past. Second, and more important, is Leonardo’s note in the Comment section… “nihil” loosely translated from Latin to mean “nothing”. It is unclear whether Leonardo left his comment in jest or that he meant to imply that he received “nothing” from the post. Hence this second update seeks to negate the possibility of the latter.
When it comes time to renew their services contracts with you, customers will want to know what you did for them as a managed security services provider (MSSP). You will want them to know that your service is differentiated and cannot be directly replaced by one of your competitors. The problem and the irony of being an MSSP is that your customers are likely doing better when they hear from you less often. However, there are still a variety of ways for you to communicate your value as a strategic partner.