I think the easy answer is: it depends. A lot of factors play into whether this strategic partnership fits for you. And maybe a hybrid or co-managed model works best when you consider and measure the return on your investment.
One thing that is very clear, the technical security landscape, threat vectors, and threat actors are constantly changing. Reading the Verizon Data Breach Report for 2018, some threat areas are up and some threat areas are down. It's hard to develop a strategy when your adversary is morphing and changing before you can get a plan/strategy in place. You can read/download the Verizon Data Breach Report here: https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_execsummary_en_xg.pdf
On to the MSSP's...
The first thing, let's look at the State of the CISO and demands on Security Organizations--(As a former CISO myself) I can say we're looking at a new landscape where Information Security and IT Security teams are evolving from IT technical experts (Botnets, Firewalls, System Hardening, etc) to teams versed in business risk (IP protection, Brand Protection, Revenue Preservation, etc). The result is we're forced to articulate where security technology creates business value, and required to determine if/how does the technology extend and enable the business to be better or more innovative in their offerings. C(I)SO's and Security teams alike are pressured to know the technology, know associated IT Controls and business protections, and then know if the technology has the capability to extend or mature the organization. The result is we have less time to think about Technology when our time is also required to think bigger picture and strategically. C(I)SO's now need to consider the maturity of the IT Security or Information Security department, if the capability/maturity exists within the team to protect risky information, what technologies are required to further the program, resources and expertise on the team to manage those technologies, how those technologies add business value, and how the technologies align with business goals and objectives. It's a lot to take in, especially when you consider budgets are getting cut all the time.
One option for getting more time back to think about strategy and business issues is to find a way to off load the tactical day-to-day Security Operations. Finding trust in the other party to do the work can be challenging, but if you can get there and trust in the other parties then you've essentially extended your team to help manage technical complexity, the operational grind of day-to-day operations, maybe alleviated some capital expense pressure, and hopefully some risk.
So the question now, if "I'm thinking about partnering with an MSSP what should be out-sourced or co-managed?" The first thing to do is take an inventory of what security technologies or security processes you've chosen to prioritize as a core function. An example might be, your organization is often a target of litigation--digital forensics and e-discovery is very expensive to outsource and critical to get right, so perhaps this is a core function for security. Conversely, perhaps you have a low-risk business unit and you should be doing more around SIEM (Security Incident and Event Management) and log correlation but other fires keep you from getting to this--this might be a good candidate for outsourcing.
Another factor to consider, as you look across your security program and you consider your maturity as program (ad-hoc processes versus finely tuned six sigma processes) ask yourself how good do you want a particular area of your program to be and can an MSSP help you get to a "mature state" faster?
I did a little leg work to figure out why most Organizations choose the MSSP route, I found some good info from Forrester Research and, according to Forrester, these are the top 6 reasons:
- Reduce Capital Expenditures.
- Fill Important Security Gaps.
- Get added value for the investment.
- Stay ahead of changing laws and regulations.
- Address important skill gaps.
- Control the technology and security complexity.
"How do I pick a MSSP?"
Find a company that's going to be fast, efficient, stays up to date with laws and regulations, but has a culture of customer service. You want to find a partner who is available when you need them or better yet will call you pro-actively when they see something anomalous. Your partner should be up to date on all malware, what it is, how to reverse engineer it, how to detect it, and how to remediate it. Your partner should be up to date on all the latest "hacks", what's new in the industry, how companies are being infiltrated, how data is being ex-filtrated. Your partner should be fast, if you want new capabilities or require help, they should be extremely expedient. Your partner should have a culture of business enablement - they should find a way around "no" and get to how it can be done successfully by being secure and enabling the business.
If you are fortunate enough to have a 3 year (or more roadmap), take a look across your strategic initiatives. Where do you need to improve, where do you have staffing or skill gaps on your team, where do you have issues getting funding, and based on the MSSP's you are looking at, how much can they up-level your program for the money?
