Data Visibility and Management When Selecting or Working with an MSSP

December 9, 2020
|
co-authored by Marc von Mandel
|
3 min read

Hybrid and multicloud solutions have created and will continue to offer great benefits for businesses. However, this means security experts will need to pay even more attention to the cloud as we move into the next several decades. Data visibility and management are key elements to watch when working with a managed security service provider (MSSP).

Future Security Operational and Compliance Priorities

A recent IDC Survey, Security Operational Priorities in 2020, found that for IT and security experts, access management and compliance are the two most important topics in 2020 and beyond.

As more and more employers move to the cloud and more people work from home, they also deploy new cloud services. This can introduce gaps in data security, data privacy and data residency. At the same time, these entities face new data protection rules. National laws focus on data origin, transfers and storage more and more.

Some groups are expressing concerns over data residency, which in turn is fueling strong demand for managed security service providers (MSSP) that are able to deliver their global processes and services in a regional model. What should companies review for data visibility and management working with an MSSP? Here, find some insights into how an enterprise might approach this choice.

Data Visibility and Management Can Vary by Country

Data privacy laws can vary from country to country. They can even have different meanings within each nation-state for how personal data is stored, shared and managed. The penalty for poorly handling data within different nations varies widely. But in any case, the impacts can be severe — from intense audits to high fines.

Data residency is a newer term, emerging over the last couple of years. It focuses most on the origin or national residence of the data. It comes from the rise of national rules about how companies collect, process and transfer the data of a country’s citizens.

An MSSP can handle complex data defense, privacy and residency concerns related to compliance. Businesses on their own may have strong data security controls but lack the controls to meet local compliance and privacy rules. Keeping an eye on and managing this aspect of data can take a long time and be too expensive. Therefore, many groups use a third-party MSSP to complete regular audits of their data.

Selecting an MSSP? Know Before You Go

Groups that outsource their data security and privacy needs should review the following with their MSSP. Focus on key data residency, security and privacy challenges.

  1. Where are the delivery centers located? Many current MSSPs can provide 24/7 support, but they lack the robust and proven processes, combined with formal security operations centers (SOCs), to support business needs around protection and residency. Ask your current or future provider where their centers are located.
  2. How is data protected within the regional SOC landscape? Next, review and understand what proven and tested controls the delivery center has to handle the stringent data privacy needs. Ask questions about how the provider inventories data assets. How does the SOC restrict access to sensitive data? Does it deploy zero trust strategies to limit access? How does it monitor and manage data storage and transfer?
  3. What auditing processes does the provider have for compliance? For mature projects, audits confirm rigorous processes and controls are in place. As you take a look at local MSSPs or your current one, ask to review how often and with which tools the provider conducts compliance audits. Do they complete the audit through the lens of various industry standards, such as the PCI DSS, ISO 27001 and SOC 2 Type II? Also, understand how the MSSP handles and resolves issues that have come up in past audits. Are they quickly solving problems and recording the changes they’ve made?

Use of MSSPs Becoming More Common

The work that needs to be done to answer the questions above can be daunting. A shortage of industry experts can make it more complex and risky to address these challenges. Entities of all sizes now face these same challenges. This is driving more MSSP outsourcing that can fully manage the data life cycle, simplify critical data controls and handle and resolve audits.

IBM Security Opens Kingdom of Saudi Arabia SOC

The Kingdom of Saudi Arabia’s (KSA) laws cover data privacy rights in accordance with the National Cybersecurity Authority-issued controls and standards. In general, the data within the country must be safeguarded and cannot be confiscated, delayed or breached. Over the course of 2020, IBM Security has made major investments into its SOC located in Riyadh. Our Middle East and Africa (MEA) customers also benefit from the global processes and procedures found across our six other SOCs.

Our team is aligned with fostering talent locally in KSA, including in-depth training, early hiring, and a commitment to hiring women (over half of our current KSA SOC analysts identify as female).

Check out the report excerpt from the IDC MarketScape for Worldwide Managed Security Services for more detailed coverage of our strengths and capabilities in serving clients around the world. Download a complimentary copy of the IDC MarketScape: Worldwide MSS Vendor Assessment.

Spencer Ingram
Vice president, global managed security services (MSS), IBM Security

Spencer Ingram is Vice president, global managed security services (MSS) within IBM Security. Spencer leads market-leading delivery capabilities within multi...
read more