The global Managed Security Service (MSS) market is worth tens of billions of pounds annually. Economies of scale allow MSS providers to invest in sophisticated platforms that are not economical for most businesses to replicate. Larger operations invariably create deeper and broader analyst and engineering skills pools, and business-focussed operations encourage innovation and adoption of emerging technologies that deliver a competitive edge in a highly contested market.
But it’s not quite as perfect as I make it sound. An MSS is just a multi-tenanted SOC, and KPIs in SOCs are notoriously hard to define. Measuring threats you have missed and therefore do not know about is by its nature paradoxical. There are in fact very few ways for buyers to meaningfully verify (or indeed enforce) the protection delivered by SOC managed services.
The fact is that, contrary to the obvious security benefits MSS suppliers could deliver to customers, they actually operate predominantly as cost-reducing services (not cyber defence improvement services) that convert unpredictable and often painful internal spend into predictable, SLA-clad annual fees. It’s a problem created by buyers, seeking a CFO’s favoured outcome. Whether a CISO agrees or not, it’s hard for them to argue away the bottom-line savings, especially when delivery quality (i.e. cyber defence improvement) is so hard to measure.
So, you could say the market is driving “a race to the bottom” on price. Given that the basic operating costs of compute, software and staff are relatively standard across the market, any low-priced responses to an RFP for services likely come from minimising costs through very tightly articulated service levels, constraints on service inputs and outputs, and complex dependencies that protect that all-important razor-thin profit margin.
For example:
- Maximum of five alerts reviewed a day
- Maximum of two new detection rules a month
- Capping events per second and event size at as low a figure as possible
Constraints control cost, set boundaries, and enable low-risk pricing that wins business – but in an extreme scenario they can also hobble an MSS into simultaneously performing to contractual SLAs while underperforming on outcomes.
So, is MSS completely wrong for everyone? Is it just providing a median offering that pleases everyone at the lowest price possible? Not at all. But it’s not a silver bullet that magics the SOC problem away either.
What is the right service to ask for?
Let’s look at the three main MSS models in outsourced security operations and see why MSS done right has a valuable role to play.
First, there is the model where an MSS supplier (or multiple suppliers) provides specific services into an organisation’s SOC. This could be to allow the SOC to offload complex forensics or threat intelligence tasks, to take some pressure off SOC teams by providing the monitoring service elements that report on compliance – leaving the key SOC staff free to focus on more sophisticated threats and insider threats – or to provide monitoring of cloud services while critical internal services remain with the in-house teams. Or, an MSS might provide out-of-hours cover on the basis that the in-house SOC provides working-hours cover only. Remaining in control and fully accountable throughout, the in-house SOC in this hybrid model is able to reduce costs and improve coverage without introducing risk.
A second model is where the in-house SOC is thin, providing no technical capabilities of significance but still actively delivering management oversight. It owns the interfaces into the organisation’s internal IT teams to relay key changes to the MSS provider, and undertakes incident management to oversee significant incidents through their lifecycle (including liaising with key internal stakeholders such as CxO roles and Communications Teams) and sensitive investigations such as those involving HR or law enforcement. The MSS provider then provides all the remaining capabilities the SOC requires (monitoring, threat intelligence, etc.). Here, the organisation remains in control but potentially trades away the skills and systems pain, while continuing to be accountable for the SOC quality and for any intra-business communications that are not appropriate for the MSS to own.
The third model is where there is no SOC in house. Usually led by procurement, the MSS replaces the entire function, with a CIO or CISO providing the touchpoint to the MSS for significant escalations. Otherwise, delivery quality is handled as a commercial task similar to other commodity service suppliers. Here the disconnect between the MSS and the business means the MSS must own the responsibility to assess the threat and offer detection content at arm’s length – with little business context, or insight into planned changes.
The first two models deliver clear business benefit. It could be argued that both models trade quality of defence for reduction in cost in some circumstances, but this business decision should be based upon the relative cost impact of intrusions.
The third model, which is more common in my experience, places the SOC too far away from the heart of the organisation, without the empowerment of sufficient internal personnel. These roles are then often overlooked (or worse, made redundant) in the process of outsourcing – before becoming abundantly apparent as necessary after a time. When the MSS supplier demonstrates that the service being delivered is fully compliant with the contract, and that the gaps that exist reflect the isolation of the service from the wider business, the cost benefit of the MSS is quickly eroded by the ‘get well’ project required to fix it.
It’s all sounding a bit complicated
Avoiding the ‘let’s just outsource the problem away’ temptation is not easy. You would not use ChatGPT to understand how to negotiate the commercial contract for an MSS and how the MSS is held responsible for its delivery; you would consult a commercial lawyer. So why would you not consult a SOC Architect to define and articulate what is expected of an MSS, and how the MSS will interface with your organisation? Do you understand the threats that you expect the MSS to mitigate on your behalf, or are you asking for a service that is misaligned with your actual business needs?
More and more, we are seeing our customers seeking to be proactive in utilising outsourcing to deliver tailored results that integrate with their business. Our STARA® teams can help you understand your key cyber threats, define the business need for a SOC, and support your procurement process with SOC SMEs that can improve the outcomes of MSS outsourcing initiatives. And when this information can potentially also save you more in MSS expenditure than the cost of the STARA® team input, why wouldn’t you?