An Open Relationship: Maximizing Value in Security Operations

Like most third-party services, effectively integrating services from a managed security services provider (MSSP) can enhance the value of your organization’s security program. Conversely, poor integration and/or a lack of effective governance can marginalize the effectiveness of your organization’s security operations.

In a well-executed partnership, an MSSP is simply viewed as an extension of the information security organization. An MSSP’s contribution to a security operation depends upon how effectively the partnership is built and maintained.

If you currently rely on a third-party MSSP or are considering engaging one to enable your security operations capability, consider how responsibility for the following functions is distributed and/or shared between the internal (your organization) and external (MSSP) sources:

  • Rule and device administration and management;
  • Security intelligence;
  • Incident/event hunting;
  • Threat monitoring;
  • Threat analysis/impact analysis;
  • Threat triage/investigations;
  • Threat response/incident management; and
  • Emergency response (computer security incident response plan).

Often, organizations will mistakenly expect the MSSP to handle all or most of these functions without their staff being directly involved. Unless the MSSP has agreed to a full-labor-based outsourcing model and fully understands your policies, risk tolerance and executive team preferences on incident handling, it is impractical to expect a third-party MSSP to deliver these functions without your involvement.

In order to effectively plan and design a new process, it is advised to do an integrated design with your MSSP at the beginning of the contact period. One approach for up-front design is to charter a security operations optimization initiative to design the new process and approach.

Managing Security Operations

Structured governance is critical for maximizing the MSSP service’s effectiveness. One mechanism for service management governance includes the availability of a named service manager.

MSSP services typically manage and monitor an environment using centralized shared services (often referred to as a centralized security operations center). As such, much of the day-to-day operational interaction occurs via electronic tickets. In many cases, these tickets are handled by shared resources based upon a skill category and time of day and are not based upon extensive familiarity of a specific customer’s environment.

To maximize success in integrating the service and governing delivery elements, organizations will benefit from regularly communicating with a named service manager. Additionally, the organization and the MSSP can work together to structure a governance plan, which may include regularly scheduled service reviews.

Effective results from investing in an MSSP do not occur on autopilot. Results occur from the mutual efforts of your organization and the MSSP. The process and service management governance are two key elements for success, and effectively integrating the MSSP into an operation’s process is imperative to realizing the value from the relationship.


This article is a four-part series that covers various topics around the value of MSSP relationships, such as integration and governance, threat response process, knowledge of environment and tuning and health. The first part of the series discusses integration and governance. The next blog in the series will discuss the threat response process.

More from Security Services

How a new wave of deepfake-driven cyber crime targets businesses

5 min read - As deepfake attacks on businesses dominate news headlines, detection experts are gathering valuable insights into how these attacks came into being and the vulnerabilities they exploit. Between 2023 and 2024, frequent phishing and social engineering campaigns led to account hijacking and theft of assets and data, identity theft, and reputational damage to businesses across industries. Call centers of major banks and financial institutions are now overwhelmed by an onslaught of deepfake calls using voice cloning technology in efforts to break…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today