Threat Research Blog

Preparing for Managed Security Services

Wade Woolwine Presents at MIRcon 2013
Wade Woolwine Presents at MIRcon® 2013

As a complement to my MIRcon® 2013 presentation titled "Getting the Best Bang for the Buck with Managed Security Providers" and to address some questions I received from the audience, I have prepared a quick summary of my presentation.

Many businesses consider outsourcing key IT and security functions as part of a budget reduction plan, increased efficiencies for IT services, or simply because there's a need for a capability, but no time to build it internally. Too often we see companies similarly approach outsourcing; selecting vendors via "bake-off", signing the contracts, and loosely implementing the service. In the best case, the net result of this approach leads to service delivery that only marginally improves the company's security posture; in the worst case, a total failure of service implementation.

The following steps provide a framework for how to get the best out of managed security service providers.

Phase 1 - Prior to Selecting a Vendor:

  • Have a defined set of requirements that not only drive your business goals for the managed service, but also complement your existing capabilities and processes. These requirements should be blessed at the highest levels of leadership and will facilitate the vendor selection and contracts negotiations.
  • Have a clear picture of who will need to be involved in the entire process. Selecting the right stakeholders will ensure that all requirements are defined, that all existing technology and processes are represented, and that all stakeholders have the opportunity to buy into the effort.
  • Inventory all existing processes and technology affected by the integration of a managed security provider.

Phase 2 - Selecting a Vendor:

  • Use the data points acquired during the first phase to ensure the vendors you select meet the minimum requirements you've defined as critical and whose technology and service delivery processes can best be integrated seamlessly with your defined processes and technology.
  • Select your vendor using real world scenarios. In order to get the best understanding of how the service will be delivered, it's important to see the service in motion within your environment.

Phase 3 - Inking the Deal:

  • Ensure that your legal or contracts team has a full understanding of your requirements (and hopefully has been represented as a stakeholder). This will ensure that these requirements are effectively defined in the contract and explicitly define what's expected of and been agreed to deliver by the vendor.
  • Ensure executive sponsorship of the project. This will ensure that funding and support is in place to facilitate implementation and any issues that may arise down the road.

Phase 4 - Managed Service Kick-Off:

  • Define critical points of contact. This should include the executives supporting the initiative, the primary and secondary project main points of contact, and any technical or management resources impacted by the implementation of the managed service. Ensuring complete representation during the kick-off call will drive efficiency in communication and expectation setting for you and your managed service provider.
  • In-depth technical implementation coordination should happen outside of the initial kick-off call. Allowing the technical representatives from both sides to communicate requirements and implementation details will provide for a smooth technology roll-out.
  • Ensure that points of contact and areas of responsibility are well understood to minimize confusion and finger pointing down the road.

Phase 5 - Disaster and Incident Dry-Runs:

  • Depending on the criticality of the service provided by the vendor, it might be important to simulate a disaster or incident to allow for a complete exercise of a high stress event. Doing this exercise will ensure that you are not learning process or technology failures in the heat of the moment and provides a safe avenue for stakeholders to see the effectiveness of disaster/incident response.

Phase 6 - During the Life of the Contract:

  • Communication between the customer and service provider throughout the life of the contract is critical. From regular service updates to feedback on how to improve, communication will ensure success over the life of the relationship.
  • Communicating change to limit impact. Whether on the customer or the managed service provider side, any change has the opportunity to result in degraded services or ability to delivery services.

No matter what business driver leads to looking to an outside vendor to provide services, investing the same time and effort into a managed service as you would if your business were building the capability itself will result in successful implementation. These six detailed phases will ensure that all of the pieces are in place for an effective relationship between the customer and service provider.