Managed SOC Services: Building Resilience or a False Sense of Security

Written by SecureOps Team | Jul 14, 2025 3:28:32 PM

Your security operations center (SOC) is the central management and visibility hub for your cybersecurity operation. Your security team is seeing a continuous array of new tactics, techniques, and procedures from cyber threat actors, more so than usual, aided by emerging technologies like AI.

As cyber criminals develop more ingenious ways to infiltrate your perimeter, endpoints, and systems, CISOs are realizing that a narrow focus on security as prevention is not enough. It may not be a coincidence that the Capturing the Cybersecurity Dividend report found only 51% of organizations believe their current security operating model is effective.

A recent survey of 500 U.S.-based CISOs found support for deregulation is high, concern around AI-driven risk is growing, and traditional security approaches are giving way to resilience-first strategies. Evidence of this shift is that 83% of CISOs report that cyber resilience is more important than traditional cybersecurity measures, with 90% saying they’ve implemented a resilience strategy.

Adopting cyber resilience means gaining the ability and preparedness to anticipate, withstand, and recover from security incidents without disrupting the business, while limiting the damage to its finances and reputation. Resilience focuses on the need to balance risk management with business objectives and the inevitability of breaches.

With most mid-size and enterprise companies using managed security services providers (MSSPs) for at least some SOC services, they’re adjusting their expectations and requirements for these partnerships in line with their goal to build cyber resilience.

We wanted to gain more insight into what security leaders expect from managed SOC services, and where they’re frustrated, as they focus on resilience strategies. To do so, we held conversations with leaders across a range of industries who had evaluated or switched MSSPs in the last 12 to 18 months.

What MSSPs Do That Creates a False Sense of Security

First, we wanted to understand what wasn’t working with their MSSP relationships that put them at risk. Across these conversations, we identified areas of risk that security leaders seek to resolve in future MSSP partnerships as they pursue cyber resilience and strengthen their security maturity.

Lack of meaningful data.

“I asked for information to understand a situation, the data points they have available to share with me so I could learn what's going on in relation to issues with servers and other devices within our environment and the health of the systems. Their response is, uh, yeah, we don't have that data because there's issues. This creates a lack of oversight that puts us at risk.” CISO, Retail

Data residency issues.

“The MSSP’s model aggregates all my data outside of my environment causing hidden fees that I didn't plan for. Even if the service itself is low cost and high quality, those fees are a problem. Not just the cost but also performance-related issues by moving large volumes of data.” Director of Security Engineering, Financial Services

Inability to integrate sufficiently with our evolving tech stack.

“Our MSSP has limited visibility because they don’t have the expertise to fully integrate with one of our cloud environments. Therefore, my team often identifies events a full 24 hours before they do, if they do. While we added this environment after we contracted with them, their inability to step up puts us at higher risk.” Head of IT and Security, Healthcare

Time lag for one-off fixes.

“Fixing one-off things is expensive and that's where I see MSSPs stumbling. They aren't necessarily as willing to invest that time to clean up the one-offs. One-off management is important, especially when it supports a critical business process.” CISO, Financial Services

Ineffective security controls.

“Proving the effectiveness of a security control means knowing if it does what it's supposed to be doing. If it's supposed to be scanning for vulnerabilities, is it finding the vulnerabilities it's expected to find, or is it saying no, there are no vulnerabilities here when there are threats. That’s what creates a false sense of security.” Director of Security Engineering, Financial Services

Compliance failure.

“The MSSP was clearly not holding up their end of the bargain in terms of ensuring the environment was compliant. And when I say compliant, I mean when the agent reports on the EDR only show 125 devices, but I have 150, yet 10% of those devices have active exceptions. If those devices were compromised, would we really know about it?” CISO, Financial Services

Lack of follow-through with vulnerability management.

“I see a lack of attention to vulnerability management. A lack of follow-through. It's like, well, we got 90% of them. Well, OK, but you got 10% of them that are 2 weeks or older. So, when do they get patched?” Head of IT and Security, Healthcare

6 Ways Managed SOC Services Help CISOs Build Cyber Resilience

While the examples above show how outsourcing SOC services can frustrate security leaders and add risk rather than minimize it, there’s still hope. Given those experiences, we asked those security leaders to share with us what they wanted from a managed SOC services relationship.

Below are the top six elements extracted from those conversations.

  • Providing 24/7 situational awareness.

Comprehensive monitoring, clear escalation, behavioral analytics, and rapid, action-oriented incident handling that reduces noise and focuses on truly critical events. Our interviewees concurred that ideal managed SOC services will maintain visibility across infrastructure, including cloud access, while effectively flagging and escalating security activities in a clear and timely manner. 

When incidents occur, there should be continuous collaboration between parties for effective containment, evaluation, and remediation. After remediation, they wanted input and recommendations about what to improve to build further resilience before the next incident, including root cause analysis.

  • Willingness to invest in building a strategic partnership.

Most security leaders we spoke with emphasized that they were looking for a partner, not just a supplier. Many stated they think a SOC provider should be a strategic partner. The difference they cited is that a partner is going to invest in you and wants to feel like part of your team, because you're winning together.

  • Improve alert quality.

Security leaders expect optimized alert quality through the reduction of false positives and of irrelevant notifications generated by normal operations. They agreed that an MSSP must invest the work to understand their environment, their activity patterns, and their specific business context. MSSPs must conduct proper correlation and analysis to identify truly actionable events.

  • Incident handling and collaboration.

Having received alerts thrown over the wall without context or recommendations, our security leaders universally stated that responsibilities and handoff processes need clear definition in the SLA. If an MSSP operates as an extension of its customers’ security team, the collaboration and familiarity also help create an informed, seamless process.

  • Provide security architecture recommendations.

High on the list for the security leaders we talked to are MSSPs that proactively guide customers towards emerging technologies and practices, and that help them validate their security architecture roadmap with best practices and guidance for more effective implementations. They believe the external, objective perspective of the MSSP on architectural recommendations is valuable for gaining leadership buy-in within their organizations.

  • Help us prove value against business objectives.

One interviewee gave an example of how they prove the value of cyber resilience for revenue growth by showing how their security protocols help their sales team sell 10% faster by reducing the contract security review time from 40 days to 2 days.


Validating this trend is a similar goal set by one of our newer customers for their security posture to help the company produce $10 million in new revenue.

Cyber Threats Continuously Evolve. So Should Your SOC.

If you’re interested in partnering with a different kind of MSSP to help you proactively shift from prevention to cyber resilience without losing momentum, we invite you to consider our Custom SOC managed services.

Finding the right managed security services provider to partner with you to strengthen your SOC operations—and your resilience—pays off by safeguarding the path to higher growth and innovation.