Some context: I rarely blog about information security because it’s outside
my core expertise in digital transformation. It’s hard to drive
transformation and also have a risk and security mindset, and it’s
extraordinarily time-consuming to keep up with the latest security threats.
That said, I have written several articles for InfoWorld on DevOps and
security, including
six security risks in software development and how to address them, and
how to bring security into agile development and CI/CD. I have also spoken about technologies for MFA, immutable backups, and
data security.
So, I research, learn, and write about security, but I am not a security
expert. I review security from a transformational perspective because
incidents can have significant business impacts. Mostly, I ask questions
when reviewing security threats, technologies, and best practices.
SMBs can’t DIY security and need a partner
As a full-time CIO, one of my first steps was to seek outside help to
evaluate our risks and select security partners. My approach was to have an
outside virtual CISO, at least one security services partner, and one direct
report responsible for operations and security.
Security is not a core practice at
StarCIO, the
digital transformation leadership company I founded, but we’re almost always
running into security gaps and evaluating practices and technologies to
improve our clients’ security postures. We’ve seen emails and passwords
stored in openly accessible network drives, cloud environments that the
DevOps team didn’t lock down properly, exposed PII, backups that
didn’t have sufficient retention settings, and many other issues.
Finding a managed security service provider should be a top priority for
every SMB.
There are just too many security risks and priorities for SMBs to manage
independently, even when there is some in-house security expertise.
Jim Broome, president and CTO of
DirectDefense,
agrees. “If there is one takeaway for SMBs in 2023, it should be that
investing in an MSSP assures greater security while lessening the drag on
resources to staff an internal SOC effectively,” he says.
Should an SMB partner with an MSSP, SIEM, SOAR, MDR, XDR, or EDR?
One of the first challenges SMBs face when seeking security help is
deciphering all the jargon, acronyms, and codewords tied to security practices
and technologies. An MSSP, a Managed Security Services Provider, is a third
party offering one or more security assessment, protection, and remediation
services. A SOC is a Security Operations Center, often a 24×7 group that
reviews security alerts and incidents and manages their remediation.
I suspect many readers of this blog probably know what an MSSP and SOC are,
but there’s a good chance your business colleagues don’t. Now IMHO (in my
humble opinion), finding an MSSP is the number one priority for SMBs, but
there’s a slew of jargon that business and technical leaders will run into
when searching and evaluating partners. Do you need an MSSP, an EDR, an MDR,
an XDR, or a combination of these services? What are SOAR and SIEM, and are
these part of or separate security solutions?
“The fancy word that MSSPs use nowadays is MDR or XDR,” says Faisal Bhutto,
SVP of cloud and cybersecurity at
Calian.
Dig deeper into these acronyms, and you’ll cover even more terminology and
methodology. It’s frustrating.
Bhutto explains that some security services and service providers may only
cover part of the vulnerabilities. “It makes you feel like you have
everything you need to be covered, but in reality, all [MDR and XDR] do is
look at infrastructure and endpoints, which accounts for 50-55% of the
attacks we see,” he says. “A fully established MSSP will have network,
endpoint, identity, scanning, firewall, infrastructure, and software
protection.”
The simple translation is that many things can go wrong in security, and you
can’t just lock the doors to keep intruders out. You have to consider the
whole house and where there are security vulnerabilities.
So the top security priority for every SMB is to find an MSSP that provides
the security services required for the business operation.
Why most SMBs need a virtual CISO
And how should an SMB assess what’s required? Most SMBs should have a
contract virtual CISO and undergo a security assessment to help answer these
questions. The risks and operational environment should dictate the type of
MSSP and what services are needed at what priority.
I may have to cover my thoughts on virtual CISOs in another article. Let’s
just say some are really good at learning, explaining, advising,
prioritizing, and executing. Others love standing on the soapbox and
declaring a long list of security priorities and things you’re doing wrong.
If they can’t explain the MSSP jargon, then that’s a problem.
Here’s how CrowdStrike explains
EDR versus MDR versus XDR. Here are other writeups from
Forbes,
VentureBeat, and
Infosecurity. Other service providers’ definitions include
Acronis,
Bitlyft,
Cynet,
Check Point,
Clearnetwork,
DirectDefense,
Field Effect,
Reliaquest,
Secureworks,
Splunk, and
Sysdig, among others. If that doesn’t make your head spin, check out all the
vendors listed in Gartner’s reviews for
EDR,
MDR,
SIEM,
SOAR, and their associated Magic Quadrants.
How should SMBs evaluate MSSPs and select the right solution?
It’s no easy task to research your way through the solution types,
technologies, and solution providers. The key is to have an efficient
selection process and identify which providers focus on the business’s
greatest risk areas.
“SMBs need to look for an MSSP that offers a variety of skill sets and
talent with deep expertise,” says Yana Vaysman, head of managed services
practice at Avionos.
“Providers must offer simple, easily digestible solutions with a dedicated,
responsive point person. Your MSSP should be a partner who is as fully
immersed in your business as you are, understands your needs and priorities,
and can act as a true extension of your team.”
Broome adds, “When evaluating MSSPs, observe whether vendors provide an
out-of-the-box approach versus a sterile one when reviewing the service
level agreement (SLA). At the bare minimum, SLAs should clearly define the
time of acknowledgment of an alert, the time to review an alert, the time
for the client to acknowledge the alert, and the time to resolution, but
above all else, it should clearly outline the customer’s infrastructure
realities, how incidents are handled and escalated through your
organization, and how your MSSP will deliver on those unique requirements.”
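The SLA stages Broome lists (MSSP acknowledgment, review, client acknowledgment, resolution) are only useful if someone measures them. The following is an added example, not code from the article or from DirectDefense, that checks a batch of alert timelines against per-stage SLA deadlines; the thresholds and the alert records are constructed for illustration, and real values would come from the MSSP contract and ticketing export.

```python
from datetime import datetime, timedelta

# Constructed SLA thresholds in minutes, each measured from when the alert was raised.
SLA = {
    "mssp_acknowledged": 15,     # MSSP acknowledges the alert
    "reviewed": 60,              # MSSP completes triage/review
    "client_acknowledged": 120,  # client acknowledges the escalation
    "resolved": 480,             # alert resolved and closed
}

# Constructed alert timelines (hypothetical ticketing-system export); None = not yet done.
ALERTS = [
    {"id": "A-1", "raised": "2023-05-01T10:00:00",
     "mssp_acknowledged": "2023-05-01T10:10:00", "reviewed": "2023-05-01T10:45:00",
     "client_acknowledged": "2023-05-01T11:30:00", "resolved": "2023-05-01T15:00:00"},
    {"id": "A-2", "raised": "2023-05-01T22:00:00",
     "mssp_acknowledged": "2023-05-01T22:40:00", "reviewed": "2023-05-02T00:30:00",
     "client_acknowledged": None, "resolved": None},
]

def _ts(value):
    """Parse an ISO-8601 timestamp, passing None through for stages not reached."""
    return datetime.fromisoformat(value) if value else None

def check_alert(alert, sla=SLA, now=None):
    """Return {stage: 'met' | 'breached' | 'open'} for one alert.

    A stage with no timestamp is 'open' until its deadline passes, then 'breached'.
    `now` may be a datetime or ISO string; it defaults to the current time.
    """
    raised = _ts(alert["raised"])
    now = _ts(now) if isinstance(now, str) else (now or datetime.now())
    result = {}
    for stage, minutes in sla.items():
        deadline = raised + timedelta(minutes=minutes)
        done = _ts(alert.get(stage))
        if done is None:
            result[stage] = "open" if now <= deadline else "breached"
        else:
            result[stage] = "met" if done <= deadline else "breached"
    return result

def breach_report(alerts=ALERTS, sla=SLA, now=None):
    """Map alert id -> list of breached stages; an empty list means nothing breached yet."""
    return {a["id"]: [s for s, v in check_alert(a, sla, now).items() if v == "breached"]
            for a in alerts}
```

Run the report against each SLA period's ticket export; a pattern of breaches at the "mssp_acknowledged" stage points at the provider, while breaches at "client_acknowledged" point at your own escalation path.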
Bhutto suggests, “Always ask the MSSP, what happens when you get attacked?
Is it that they will inform you and let you figure it out, or are they a
true partner who will help you with incident response and recovery?”
In summary, these are really good starting points from Vaysman, Broome, and
Bhutto: (i) find a partner who learns your business, (ii) review the MSSP’s
SLAs and incident management playbook, and (iii) understand their
remediation and communication procedures.
If you’re lost, contact me, and I’ll share my
five questions to ask an MSSP.