July 6, 2016
7 Steps to a Successful Partnership with a Managed Security Services Provider
History is filled with stories of seemingly great partnerships gone wrong. After successfully leading Roman slaves in a revolt that resulted in their freedom, Spartacus and Crixus argued about what to do next. They parted ways with their respective followers. Each was subsequently destroyed by the Roman Legions.
The songwriting partnership between John Lennon and Paul McCartney made The Beatles one of the most successful musical acts in history. Eventually, though, they went through an ugly public breakup. And for a while, they even used their prodigious talents to write songs attacking one another.
In the technology arena, Mark Zuckerberg and Eduardo Saverin co-founded a little social network called Facebook in their Harvard dorm. You’ve no doubt seen the movie or read the articles about the feud that ended their partnership.
In these instances and hundreds more, partners started with a similar vision and goals. Somewhere along the way, however, disagreements destroyed their successful relationships. The risk of conflict exists with any partnership, including the hiring of a managed security services provider (MSSP) to augment your IT staff’s capabilities. Hiring an MSSP is an increasingly popular option to help you manage your information security; however, certain steps must be taken to ensure a successful relationship.
How does an organization ensure a successful partnership with an MSSP?
There are seven key areas that a company should think about when forming a partnership with a managed services provider.
1. Define the engagement strategy
A great partnership begins with both sides understanding what needs to be included in the scope of work. This initial step is about more than service-level agreements (SLAs). It requires clearly defining the responsibilities of the managed security service provider and your company, respectively. That sounds obvious, but it is far from simple. Too often these partnerships go wrong because it is assumed that the MSSP will handle this, or your IT staff will handle that, and in the end, no one handles anything.
That’s when the finger-pointing starts.
To avoid this situation, you should spell out what the business is trying to accomplish overall, not just from a technology standpoint. The initial MSSP onboarding process substantially affects the success of the entire relationship. Failure to transfer information and synchronize security processes often dooms the relationship. By understanding your organization’s goals in context, the MSSP may be able to make recommendations that support the business strategy beyond what you are doing currently. It is often helpful to obtain an outside perspective and gain insight into what other organizations are doing to address similar issues; a good MSSP can provide both.
Clearly defining roles, responsibilities, processes, and business goals can ensure that both sides understand and agree to them. The MSSP team creates alerts and executes the change requests you ask for, not the ones you secretly want. Communication is key. With a clearly defined plan, the MSSP can develop a contract that accurately reflects what your organization needs from them and deliver its services at those levels.
Things to consider before you start:
If you cannot hire, don't look at implementing a Security Information and Event Management (SIEM) solution.
If you cannot move your data outside the organization, don't look at MSSPs.
If you cannot hire and cannot move the data out, concentrate on a managed SIEM model.
If you need help running your SIEM but also with ongoing monitoring, look for a hybrid model with the MSSP managing your SIEM and helping with monitoring.
2. Understand the state of your environment
What technology do you have today? Is it current? Is it sorely in need of an upgrade? How well do individual components match up with one another? If you do upgrade, what effect will that have on your operation? Will it simplify things or add a level of complication? The answers to those and similar questions can have a profound effect on the success of the transition.
You can assess these questions internally or use an MSSP to perform a complete assessment of your current technology, how it matches up to industry standards, and whether it aligns with your business goals. Having the managed services provider perform this assessment will keep your resources free for more mission-critical work. It also allows you to take advantage of their experience to see where your environment is relative to similar-sized organizations. If the assessment is to be a preliminary step that does not guarantee moving forward with the MSSP on the project, make that clear upfront. Most providers will be willing to perform this work as a separate, paid project.
When the assessment is complete, you will have a better understanding of how much work is required and how long the process takes to make the transition to a partnership with a managed services provider. This information can help set timelines, establish realistic roles and responsibilities, schedule outages (if necessary) and prepare your organization for the transition.
3. Consider the gaps in your personnel resources
You are probably well aware of any personnel shortages or skills gaps you have within your IT organization. You should consider whether the MSSP has the expertise and bench strength to cover those areas, on a temporary or permanent basis. With a managed services provider onboard, there may be some responsibilities your organization can hand off for good, allowing you to focus your resources on higher-value projects that elevate the IT organization’s visibility and standing within the business.
If you have had problems with training or retaining IT staff, you should anticipate making arrangements with the MSSP to cover areas outside the normal scope of work from time to time. Spell out how much is covered, when additional costs kick in (i.e., is it by hours, type of work, or another factor), and what those costs are. What about hours of coverage? The typical engagement has the managed services provider providing service around the clock. If you have other ideas, make a note of that too.
The more precisely you can see and articulate your current environment, the better service an MSSP can provide in developing the contract. It will also help the MSSP make useful recommendations for improving your environment in the future.
4. Confirm communications procedures
Come to an agreement on how communications between your organization and the managed services provider will work. Be sure to have a robust feedback mechanism in place to ensure that little annoyances don’t escalate into serious issues. Be certain that both sides understand the format and frequency for status updates and feedback.
5. Keep requirements reasonable and establish expectations
You may find that your MSSP is able to respond to certain requests faster than your internal organization, either due to having deeper expertise or as a result of the additional bandwidth. It is important to set priorities and expectations within the partnership. Give the managed services provider guidelines to follow to ensure what you are asking can be reasonably accomplished in the desired timeframe and budget.
You could write timelines into the contract that require the MSSP to take action within certain parameters. In planning the overall timetable, keep in mind how long it takes your organization to provide approvals and ensure that the managed services provider is aware of it. If you don’t factor that part in, activities will likely show up as “overdue” sooner or later. This can lead to unnecessary frustration and can make it seem like the MSSP and your organization are underperforming in the partnership, when it is merely a misaligned expectation. Be realistic in setting requirements, and the transition and long-term operations will be much smoother.
Change requests often cause friction in an MSSP partnership too. Agree on how changes will be handled before signing anything. While some MSSPs don’t place limits on changes, others do. If you typically have 20 changes per month, but the contract specifies a maximum of 10, the additional, unplanned-for changes may add up quickly. The relationship will likely go sour just as quickly. You should also specify if your environment requires all changes to be handled as they come up, or if they can be batched on a regular basis (e.g. weekly).
6. View your provider as a real partner
While obtaining competitive pricing is an important consideration, the real business value in a partnership comes from being able to accomplish things together that you couldn’t have done separately. Overly aggressive attempts to win on price may backfire. A strong partnership requires trust and engagement from both sides.
Bring in an MSSP that invests its time in understanding your business, rather than simply providing commodity services. You will be far more satisfied with the results. Help the managed services provider learn about your culture and how to work within it. Are there certain ways documentation or verbal reports should be presented? Is the culture formal and businesslike? Or is it more casual and relaxed? Are there any potential language barriers that should be addressed?
By making continuous improvement and fine-tuning a joint effort, a good MSSP partnership can optimize your environment and lighten your workload by reducing unnecessary notifications (“false positives”) and required follow-up action.
7. Get your internal team onboard
Some people may see the MSSP as a threat to their jobs, while others may wonder if the managed security services provider will now be dictating to them. Be sure that your team understands that your purpose in engaging the MSSP is to take tedious work off their hands so they can focus on work that will add value to the business and enhance their careers. If you paint the vision of what this partnership means for them, it will help ease the tensions and lead to a more cooperative atmosphere.
Invest Your Time in Trust and Teamwork
Spartacus on his own may have been just another gladiator who perished in the arena. Neither Lennon nor McCartney achieved the level of success as solo songwriters that they did as a team. Zuckerberg and Saverin achieved their greatest accomplishments as a development team, not independently.
Many partnerships begin with the short-term mission of solving a specific issue or achieving a particular goal. But, for a partnership to endure, grow, and accomplish everything it is capable of, it is essential to lay the groundwork first. Invest time in the beginning to work through the details and nuances of how your partnership should operate to maximize success.
If you make that investment, the benefits of the partnership will likely grow beyond your original vision and continuously create greater value for your organization.
An earlier version appeared on siliconangle.com.