A company’s security posture changes often. The change can be company-created, for example, by opening an office in a new geography or entering a business with different regulatory requirements for data protection. Security posture also changes as new threats like previously unknown malware emerge, and more sophisticated techniques for hacking evolve.
When engaging a managed security services provider, it’s tempting to believe that keeping up with changing security posture is “being handled” by the provider. But is it?
Providers Often Forgo Innovation For Operating Efficiency
A very common complaint among outsourcing and managed services clients is that providers rarely suggest changes unless the client brings them up – unless, of course, the change benefits the provider’s ability to run the process. In security environments, this heads-down approach goes beyond ineffective – it can cause significant damage to clients, because threats and mitigation options change quickly.
Yes, providers generally do a security posture assessment before beginning the engagement. However, in our current blueprint research we found little evidence that providers re-assess security posture formally during the ongoing engagements.
Recently, in fact, we even heard of one provider that regularly discovered threats in a client environment but didn’t report them to the client because the particular threat types were out of scope of the engagement. The client found out only months later, and by accident, about the omissions.
Even setting aside such egregious cases of intentionally not alerting the client, many providers miss threats. They miss them because they’re not looking for them and their analytics engines aren’t detecting new patterns.
Be Proactive With Incident Monitoring And Reporting
There are many ways you can work with your managed security services provider to ensure that changes to your security posture are being addressed. From quickest to implement to slowest, here are some actions you can take:
- First and foremost, monitor news and trends in security and threat intelligence. Don’t wait for your provider to flag new threat types to you.
- Be proactive in asking questions about changes and new threats. Sometimes even a quick email asking the provider about a new ransomware technique that you read about will spur discussion about making changes to the service scope.
- Include security market changes and news as part of monthly meetings. Make it an agenda item to discuss what’s happening in the market. And make clear to the provider that it should not wait for the regular meetings to bring up new events.
- Expand the scope of your engagement to include regular security posture re-assessments. This can depend on your industry and other factors, but it might be quarterly, semi-annual, or annual.
- Add an engagement metric for the provider’s ability to find and address new threats. If it isn’t already, the provider’s ability to keep your data and organization protected even as threats change needs to be part of its success metrics.
Bottom Line: Don’t let inertia set in on your security managed services engagement—make sure your engagement includes specific, proactive approaches to staying current with your security posture.