How to Avoid MSSP Exhaustion

Our industry faces a shortage of qualified and experienced professionals, which puts a strain on companies seeking and retaining skilled and reliable security personnel.

The rise of specialized cybersecurity consultants and managed cybersecurity service providers (MSSPs) is supported by organizations that appreciate the lower investment cost and greater experience these companies can offer. Outsourcing eliminates the problems associated with inexperienced talent; yet MSSPs also struggle with staff retention, analyst burnout, and ever-increasing employment costs.

Today, many organizations are at risk of finding themselves in toxic work environments, characterized by long, often unsociable working hours and excessive workloads. To combat this, we need to work towards better business models that ensure sustainable service delivery.

To succeed, it is essential that service providers find a way to attract top talent and avoid the growing trend of analyst disillusionment and burnout. To that end, here are seven key principles for MSSPs that aim to address today’s challenges faced by buyers and providers of cybersecurity services.

1: Augment people with technology

Human-centric and product-centric offerings have significant limitations, which contribute to lower service standards and unsustainable operating practices.

Today’s most efficient models retain intelligent human operators at their core. Failing to take advantage of technology, traditional offshoring providers will continue to lag behind. Using intelligent automation and advanced technology is key to streamlining “mandraulic” effort and focusing time and resources on the areas that matter most. However, this approach is only possible if you…

2: Be pragmatic and detect what matters

The industry has an unhealthy obsession with “100% detection,” a symptom of a failure to understand what effective cyber defense looks like.

It is impossible to achieve 100% prevention or detection. Overstretching resources by expecting analysts to process the excessive number of alerts needed for the illusion of 100% detection only makes them less effective, encouraging bad behavior.

Instead, organizations should focus on building a solid foundation of defensive controls, with a suite of detections appropriate to the environment. This should include detections relevant to commonly used TTPs and more contextual detections tailored to the specific ways attackers are likely to traverse the environment.

3: Respond on the front foot

Detection is meaningless without the ability to remediate what is detected, but response remains a glaring capability gap for many organizations and service providers.

Our experience in managing and responding to real-world cyberattacks has provided first-hand knowledge of how unprepared organizations fail to effectively deal with security incidents. Whether it’s poor decision-making under pressure, ineffective communication channels, or untested backup, recovery, and redundancy procedures, most organizations aren’t set up to respond effectively.

This problem is exacerbated because most typical MSSPs prioritize detection over response. Threat containment and eradication are not always included in the service offering. Often this is handed over to the client or a third party. Where response is included, it is often slow, hampered by the lack of joint operating procedures and poorly clarified roles and responsibilities (as well as the broader problem of underfunding). A third party cannot adequately fill this gap, and there is no substitute for a solid playbook and a well-trained in-house team to respond to an incident.

4: Avoid addiction and allow progress

One of the biggest cybersecurity misconceptions is that if you outsource to the right vendor or buy the right “quick fix” product, the problem goes away.

An MSSP is only as effective as the security base of the organizations it works with. The second principle (be pragmatic and detect what matters) emphasizes the importance of a pragmatic and realistic approach to detecting threats. This becomes much more difficult, if not impossible, if the customer has a porous network riddled with vulnerabilities and misconfiguration. An MSSP willing to accept the risk of defending an inherently insecure organization – while maintaining standard SLAs – is not acting in the best interests of its customers or employees.

We need to help customers improve and leave them in a safer position than when we started working with them, by raising awareness and appreciating the importance of effective cybersecurity across the organization. Without this, it is difficult for any MSSP to succeed.

5: Be visible and transparent

When responding to customer incidents, we frequently encounter situations where the customer has noticed signs of malicious activity before being notified by their MSSP. Sometimes the MSSP finds no evidence of malice (despite, in some cases, clear indicators of a ransomware attack in progress).

The underlying problem here is that the communication and visibility offered by many MSSPs is poor. This can lead to a false sense of security and the idea that “no news is good news”, which can leave gaps in detection unnoticed until a compromise occurs.

It’s important that customers have confidence and proof that the solution is as effective as the provider says it is. This means continually testing and validating that defenses remain effective, taking into account both emerging attacker TTPs and network changes that may interfere with the configuration of detections.

A mixture of specialist offensive and defensive consultants is useful. This symbiotic relationship allows defenses to be continually updated to reflect the latest attacker TTPs, while offensive techniques are continuously upgraded to bypass these checks, allowing defenses to be improved before an attacker can bypass them in the wild.

6: Be flexible and adaptive

Most organizations have already invested in security tools, products, and services. Similarly, no two organizations will have the same digital infrastructure and operations. Despite this, most MSSPs seek to use a standard deployment approach and technology stack, even when investments already made by the customer can deliver the same benefits if used correctly.

It is important not to be tied to a specific technology stack and always consider what already exists in the customer network before making deployment decisions. Most organizations fail to extract maximum value from their products and services. Leveraging them as part of the service will ensure they are used to their full potential, avoiding the need to duplicate historical investments.

7: Integrate continuous improvement

In addition to encouraging development and progress for customers, we want to achieve the same for ourselves. The ISACA 2022 report cited limited growth opportunities and a lack of support as key factors for analyst dissatisfaction. We believe that the best way to provide development opportunities is to continuously innovate – finding more efficient ways to perform essential tasks. It means spending more time working on more progressive initiatives.

By committing to permanently “making ourselves obsolete”, an MSSP can open up more exciting opportunities to work alongside its customers. This means looking for incremental improvements, no matter how small, without waiting for major transformations or upgrades – as the increments add up.

In short, MSSPs need to work smarter and treat current industry professionals better by creating more sustainable systems to maximize their performance and put an end to analyst burnout.