Managed Security Services | Operational resilience

October 6, 2023

Highlights and insights from the recent Managed Services Summit in London & the ISACA Central Chapter Conference on Digital Trust, in Birmingham, UK.

With two recent conferences in the space of three days, some interesting challenges were very evident in the topics discussed. Being very different events, the challenges were quite different, but interestingly they both converged at the interface between the security function and the business.

One set of challenges sat at the security leadership level in terms of the recognition of the impact of an incident on the security team and its operations. The other set of challenges sat directly above the function – between security leaders and the higher/executive level of management.

Managed Services Summit

Many of the issues Huntsman Security hears about in conversations with managed security services providers (MSSPs) also resonated with the conference delegates. They relate to the importance of security of course, but also the business challenges that service providers face in operating security teams in profitable and competitive ways.

Reflecting the needs of MSSP business models

The biggest topic under discussion was undoubtedly the need to minimise the time it takes to get new clients up and running: reducing the delay and effort required to establish services, and shortening the time to revenue. This requires solutions that offer true multi-tenancy (rather than just a form of group access control) and that support the customer onboarding process by allowing standard use cases and configurations to be mapped across tenants automatically, while still letting the MSSP accommodate the differences between customers.

This was followed by the twin needs for flexibility and scalability. These both relate to the suitability of solutions for MSSPs that need to grow their monitoring capabilities as business develops.

One – flexibility – reflects the need to be able to easily accept new technology types and data sources and to be capable of handling the nuances of customer technology stacks over which the provider has limited influence.

The second – scalability – is a recognition that, if successful, MSSPs can require big jumps in the scale of their monitoring as new customers come on board. They can’t simply buy the biggest box or appliance up front: the return on investment is too distant and too risky. So they need to scale dynamically, in the way that only software solutions and virtualised systems can.

We also discussed the need to demonstrate the value of monitoring services to customers. This means more than simply rehashing bland, technical output from tools and sending it over to customers in raw form in the hope that they will understand it. More successful MSSPs show their value and expertise with reports targeted directly at the individual customer’s needs, providing clear insights into the investigations, incidents and alerts that have been dealt with, and recommendations that are comprehensible and realistic. There is a clear correlation between the price a customer is prepared to pay for a service and the visibility that service provides; there is also a strong connection to customer retention.

Retaining skilled talent

The other topic discussed affects MSSPs, but also enterprises more widely. The challenge of running successful security operations – proactive and reactive – depends heavily on people, and retaining skilled talent. This is acknowledged, almost universally, as a real challenge in a highly competitive market.

It is not uncommon that instead of focusing their time investigating and resolving threats, SOC analysts can spend much of it trawling through an endless flow of information about risks facing an organisation or, in the case of an MSSP, its customers.

Without a SIEM (Security Information and Event Management) solution to pull data into a single searchable format, the problem is amplified. Operators who are presented with multiple consoles showing information in different formats, and then have to make sense of it manually, will be endlessly looking for patterns and clues in an ocean of data.
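To make the point concrete, the following is an added illustration (not Huntsman Security code and not a SIEM product) of what “pulling data into a single searchable format” involves. It takes three constructed log lines in the formats an analyst might otherwise have to read from three separate consoles (a syslog-style sshd message, a JSON cloud audit record and a CEF firewall line), normalises them into one event schema, and then runs a single query and a simple cross-source correlation over the result. The log lines, host names, addresses and user name are made up for the example; the vendor name in the CEF line is a placeholder.

```python
"""Normalise log lines from differently formatted sources into one searchable
schema, then query and correlate across them.

Illustrative example only: not Huntsman Security code, not a SIEM. The three
lines in SAMPLE_LINES are constructed samples, not captures from real systems.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

# Constructed sample input: one line from each of three consoles/formats.
SAMPLE_LINES = [
    "Oct  6 09:14:02 bastion sshd[2211]: Failed password for alice from 203.0.113.7 port 51514 ssh2",
    '{"eventTime":"2023-10-06T09:14:05Z","eventName":"ConsoleLogin",'
    '"responseElements":{"ConsoleLogin":"Failure"},'
    '"userIdentity":{"userName":"alice"},"sourceIPAddress":"203.0.113.7"}',
    "CEF:0|ExampleVendor|Firewall|1.0|100|Connection denied|5|"
    "rt=1696583650000 src=203.0.113.7 dst=10.0.0.5 suser=alice act=block",
]


@dataclass
class Event:
    timestamp: str        # ISO 8601 in UTC, "" if the source had no usable time
    source: str           # which feed/format the line came from
    user: Optional[str]
    src_ip: Optional[str]
    action: str           # normalised outcome: failure | success | block | unknown
    raw: str              # original line, kept for the investigation trail


SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w\-/]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SSH_OK_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse_syslog(line: str, year: int = 2023) -> Optional[Event]:
    """Classic syslog carries no year, so one is assumed (2023 here)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    fail, ok = SSH_FAIL_RE.search(m["msg"]), SSH_OK_RE.search(m["msg"])
    if fail:
        user, ip, action = fail["user"], fail["ip"], "failure"
    elif ok:
        user, ip, action = ok["user"], ok["ip"], "success"
    else:
        user, ip, action = None, None, "unknown"
    return Event(ts.isoformat(), "syslog", user, ip, action, line)


def parse_json_audit(line: str) -> Optional[Event]:
    """Cloud audit record: fields are nested, timestamp is already ISO 8601."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or "eventTime" not in rec:
        return None
    ts = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
    outcome = (rec.get("responseElements") or {}).get("ConsoleLogin", "")
    action = {"Failure": "failure", "Success": "success"}.get(outcome, "unknown")
    return Event(ts.isoformat(), "cloud_audit",
                 (rec.get("userIdentity") or {}).get("userName"),
                 rec.get("sourceIPAddress"), action, line)


CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line: str) -> Optional[Event]:
    """CEF: pipe-separated header, then key=value extensions. Escaped pipes
    and backslashes in header fields are not handled in this example."""
    if not line.startswith("CEF:"):
        return None
    parts = line.split("|", 7)
    if len(parts) != 8:
        return None
    ext = dict(CEF_EXT_RE.findall(parts[7]))
    ts = ""
    if ext.get("rt", "").isdigit():                      # rt is epoch milliseconds
        ts = datetime.fromtimestamp(int(ext["rt"]) // 1000, tz=timezone.utc).isoformat()
    action = {"block": "block", "deny": "block", "allow": "success"}.get(
        ext.get("act", "").lower(), "unknown")
    return Event(ts, "cef", ext.get("suser"), ext.get("src"), action, line)


PARSERS = (parse_json_audit, parse_cef, parse_syslog)


def normalise(lines: Iterable[str]) -> List[Event]:
    """Map every line into the common schema; unparsed lines are kept, not dropped."""
    events = []
    for line in lines:
        for parser in PARSERS:
            ev = parser(line)
            if ev:
                events.append(ev)
                break
        else:
            events.append(Event("", "unparsed", None, None, "unknown", line))
    return sorted(events, key=lambda e: e.timestamp)


def search(events: List[Event], *, user=None, src_ip=None, action=None) -> List[Event]:
    """One query across all sources, which is the whole point of normalising."""
    return [e for e in events
            if (user is None or e.user == user)
            and (src_ip is None or e.src_ip == src_ip)
            and (action is None or e.action == action)]


def ips_across_sources(events: List[Event], min_sources: int = 2) -> Dict[str, List[str]]:
    """Source IPs seen in at least `min_sources` distinct feeds: the kind of
    cross-console pattern an analyst would otherwise have to assemble by hand."""
    seen: Dict[str, set] = {}
    for e in events:
        if e.src_ip:
            seen.setdefault(e.src_ip, set()).add(e.source)
    return {ip: sorted(s) for ip, s in seen.items() if len(s) >= min_sources}


if __name__ == "__main__":
    evs = normalise(SAMPLE_LINES)
    for e in search(evs, src_ip="203.0.113.7"):
        print(e.timestamp, e.source, e.user, e.action)
    print(ips_across_sources(evs))
```

Run as-is, it shows the three events from three formats as one timeline for a single source address, and reports that address as active across all three feeds within a few seconds. The parsers are deliberately minimal (one assumed year for syslog, no CEF escape handling); a production pipeline would also need to record which parser produced each event and why a line was left unparsed, so that nothing silently disappears from the analyst’s view.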

Eliminating boring manual activity is important not just to reveal threats quickly but also to avoid those at the coalface feeling like their job is an endless churn of manual and tedious tasks. Laboriously clearing out false positives and gradually sinking under the load of investigating real threats is not a recipe for success for anyone.

This challenge of staff retention is echoed across the security industry – it’s a perennial problem for security leaders in a tight skills market. For MSSPs where service levels are built into contracts, it holds particular significance.

ISACA and “Digital Trust”

In contrast, the recent ISACA Central Chapter event was mostly concerned with how the security function interfaces with the wider organisation management structures above it.

We spoke about the need for visibility of the effectiveness of security controls and of cyber resilience, and in particular about the move toward data-driven cyber security (DDCS), which the National Cyber Security Centre (NCSC) encourages as a way to improve security outcomes. DDCS speeds up and clarifies reporting on control effectiveness. The improved quality of the security information allows security leaders and boards to make better risk decisions based on objective and accurate evidence collected directly from enterprise systems, rather than on subjective interpretations of control settings and often incomplete opinion. We’ve blogged about this, and NCSC itself lists data-driven cyber security as one of the challenges to be addressed in its “Research Problem Book”.

The theme of “working the problem” rather than blindly trusting “instrumentation” arose in other presentations during the day. Knowing what is working and what isn’t is clearly a step forward in assessing and understanding cyber security controls. In presenting this information to the upper levels of management, it must be reliable and relevant to the strategic risk issues that are being discussed.

Building in digital trust and governance

“Digital trust”, the conference theme, means implementing strategic solutions and initiatives to support the business as it seeks to adapt and grow in a changing world.

The days of security saying “No” are long past. The goal now is to support the business in its risk decision making – do we launch an App, provide an online portal, open up an API to better interface with our suppliers?

The role of the security and compliance function is to enable this to happen, and to ensure that controls and safeguards are in place. The topic of ransomware, one of the biggest and best-understood threats facing businesses, provided some useful examples. The limits of what users can do to defend against advanced phishing attacks, and the ability of attackers to spread an infection across an organisation and then monetise the result, are well known.

“Trust” means having provisions in place to defend the organisation – to prevent, contain and recover from breaches. But these controls need to be visible and working effectively. The ability of security teams to provide this visibility, and audit functions to assure the business of this, are key.

We spoke to several organisations that were seeking better evidence and assurance of their security controls, and of those of the third parties they rely on. These security and audit professionals were looking for evidence-based ways to provide this assurance to senior managers and stakeholders without relying on subjective questionnaires and surveys. The industry is clearly moving from eminence-based to evidence-based cyber security reporting. Executives and directors can no longer rely on time-consuming and disruptive manual processes to inform regulatory reporting and oversight responsibilities. Evidence-based reporting gives decision makers timely, actionable information to support their operational and strategic management requirements – operational resilience is key.

Given the fast-moving and dynamic nature of cyber security, and the scale of business impact that can result when it fails, who could blame executives and directors for seeking the highest possible quality of operational resilience information and reporting?
