How to Select an MSSP: Five Gartner Managed Security Recommendations
How can MSSPs most effectively participate in customer RFPs (requests for proposals) and win more managed security business with the right customers?
Perhaps the first step is to think and act like the customer. With that goal in mind, MSSPs can study the Gartner Market Guide for Managed Security Services. That guide contains advice to help CIOs, CISOs and business leaders find and select MSSPs.
Gartner’s Managed Security Services Guidance & MSSP Alert’s Spin
Dig into the guide, and Gartner tells end-customers to take these five steps when seeking to find and align with the most appropriate MSSP:
1. Gartner’s Advice to Customers: Define the specific service type you are seeking by focusing on the outcome you require and compare services with services, not MSS providers with more niche or “as-a-service” vendors, Gartner asserts.
MSSP Alert’s Spin: We don’t necessarily agree. The lines between MSSPs and other types of as-a-service companies (MDR, XDR, etc.) continue to blur. In many cases, the “niche” vendors and MSSPs each are expanding their portfolios.
2. Gartner’s Advice to Customers: Separate presales service assessments and security consultancy requirements from service delivery to ensure the organization can effectively control cost. While there is no conflict in using the same provider for both, the process by which they are acquired and requirements aligned with service scope must be separated, Gartner maintains.
MSSP Alert’s Spin: In many cases, customers continue to draw a line between (1) security assessments and penetration testing vs. (2) security service delivery.
3. Gartner’s Advice to Customers: Plan for the consumption of the deliverables of any managed security service. Security service vendors cannot offer business-specific reaction guidance for every security issue. Instead, buyers must take responsibility for the last mile of security incident response.
MSSP Alert’s Spin: In other words, be careful of the MDR (managed detection and response) hype, especially when it comes to the Response portion of the conversation. MSSPs and their end-customers must explore a range of incident response scenarios, and task ownership for each scenario.
4. Gartner’s Advice to Customers: Separate architectural requirements and compliance requirements from risk-based requirements for security. Buyers must be focused on what is being delivered, not how it is being delivered. Pre-filter potential providers based on their ability to meet architectural- and compliance-based constraints prior to analysis for capability and scoped security requirements.
MSSP Alert’s Spin: Actually, we believe your customer conversations should begin with risk tolerance: how much risk can the customer tolerate for specific services, applications, data, users, etc. Then, identify which of those assets require the most risk mitigation.
5. Gartner’s Advice to Customers: Recognize where a security service partner may need to communicate directly with other third-party providers you have contracted for network and IT services. Understand how the business will benefit from them working together, providing a more comprehensive and efficient service.
MSSP Alert’s Spin: Read between the lines, and MSSPs increasingly partner with more traditional MSPs, IT consulting companies and SaaS companies to coordinate IT management, monitoring, data protection and risk mitigation. When engaging customers, clearly describe where your MSSP excels, and how you partner with third parties to round out your service catalog.