
Regain Control: How CISOs Build Cyber Resilience with MSSPs

Written by SecureOps Team | Aug 4, 2025 3:46:22 PM

For CISOs at mid-size and enterprise companies, partnering with a Managed Security Service Provider (MSSP) for Managed Detection and Response (MDR) and Security Operations Center (SOC) operations is a strategic move toward achieving cyber resilience. This means more than just security; it's about an organization's ability to withstand, respond to, and recover from cyber threats with minimal disruption.

Simply outsourcing security operations doesn't guarantee resilience. Insights from security leaders we spoke with who had MSSP partnerships reveal a consistent, critical theme: the necessity of keeping control. 

This isn't about micromanaging the MSSP. It's about ensuring the MSSP acts as a true extension of your security team, deeply integrated into your overall cyber resilience strategy rather than operating as an isolated "black box."

Six Areas of Control Help CISOs Build Smart MSSP Partnerships

Let's explore what "control" truly means in this context and how each area contributes to your cyber resilience goals using the insights from our conversations with security leaders.

Defining the Lines: Control Over Service Scope and Responsibilities

Clear roles and responsibilities are the bedrock of efficient incident response and recovery. Ambiguity in these areas can cause critical delays, leading to extended downtime and greater impact during a security incident. When everyone, including the MSSP's team, knows their part, your organization can recover faster and more effectively, bolstering cyber resilience.

Security leaders emphasize the need to:

  • Detail specific response activities: Precisely define who, between your internal team and the MSSP, manages what during an incident. This includes every step from initial alert to full resolution.
  • Clarify shared service models: Explicitly define handoffs and responsibilities, whether it's L1, L2, or L3 triage, incident response, patching, or vulnerability management. For example, if your MSSP manages L1/L2 triage, how quickly do they escalate to your internal L3 team for critical incidents?
  • Prevent alerts that lack context being thrown "over the wall": Without this clarity, critical security tasks can fall through the cracks and hinder your ability to respond effectively.
  • Manage communication flows: Set clear expectations for communication and follow-up. During an incident, prompt and accurate communication from the MSSP is vital for maintaining business continuity and managing executive expectations.

A well-defined Statement of Work (SOW) with explicit roles and responsibilities is your primary tool for ensuring seamless security operations. It also enables swift recovery when an incident strikes, directly contributing to your cyber resilience.

A security leader says:

“Cost, value, and performance are important. With our last MSSP we were a little loosey goosey on KPIs to start the engagement. They put together quarterly reviews, and my directors worked daily with them, but from the executive standpoint they were faltering on some KPIs. The trend was going in the wrong direction, so we needed a little bit more accountability…” CISO, Consumer Packaged Goods

Owning Your Assets: Control Over the Security Platform, Data, and Intellectual Property

Your security platform, the data it collects, and the intellectual property (IP) developed on it are foundational to your long-term security posture and ability to adapt. Losing control over these assets can severely impair your forensic capabilities, complicate vendor transitions, and impede your continuous improvement cycle for resilience.

CISOs now prioritize partners who provide:

  • Full platform access: You must be able to inspect alerts, validate decisions, and monitor your environment in real time. This transparency is crucial for validating the MSSP’s work, understanding alert contexts, and independently assessing your security posture.
  • Data residency and control: Ideally, security data should reside within your own environment. This minimizes data gravity issues, simplifies compliance, and ensures you keep full control over your security telemetry for investigations and post-incident analysis, enhancing resilience.
  • Ownership of rules and configurations: If the MSSP relationship ends, you must own all intellectual property developed during the engagement, including custom rules, playbooks, and configurations. Imagine losing all the finely tuned detection logic built over the years.
  • Integration with your cyber data mesh: Bringing security data into your cyber data mesh provides a centralized, controlled environment for analysis, correlation, and long-term storage. This expands your visibility and control over your data.

Insist on transparency and clear ownership clauses in your contract. Your data and the configurations built to protect your environment are crucial for supporting an adaptable and resilient security program.

Why it matters:

“…we also have the data coming into our own cyber data mesh now, which is a big deal in cyber shops now. You want your MSSP to be cognizant of what they're feeding to the SIEM because it's so expensive to get data in there. You pay for the data. So, if you can weed out the noise then you can reduce costs dramatically.” CISO, Manufacturing

Trust, But Verify: Control Over MSSP Access and Activities

You grant your MSSP privileged access, making them an extension of your internal security team. Without controls over their access and activities, they can become a significant risk vector. Ensuring their operations are secure and auditable helps prevent new vulnerabilities or potential breaches that undermine your resilience.

Expectations include:

  • Comprehensive access logs and documentation: Detailed logs are crucial for audit trails, incident investigations, and ensuring compliance, all of which support rapid recovery.
  • Adherence to change management processes: MSSPs must follow your change management protocols. Unauthorized or poorly managed changes can introduce vulnerabilities or disrupt critical systems, directly affecting resilience.
  • Transparency with subcontractors: If your MSSP uses subcontractors, you need to understand how they manage the security and access for those third parties. Your supply chain resilience is only as strong as its weakest link.

Treat your MSSP's access with the same rigor as your internal teams. Demand strong security controls and complete auditability to reduce risk and strengthen your cyber resilience.

A security leader cautions:

“Are they able to provide a log that shows every time they've accessed our environment? Do they document what they did during the time that they accessed our environment? Because that's something we see. That the MSSP will just log in and do things and not let anybody know about it. Then you find out later whenever there's a problem.” CISO, Financial Services

Measuring Success: Control Over Performance and Quality

You measure effective security operations by their ability to detect threats quickly, respond efficiently, and minimize impact. Without clear metrics and accountability, you can't assess your MSSP's contribution to your cyber resilience, nor can you drive the continuous improvement needed to stay ahead of evolving threats.

This involves:

  • Robust KPIs and SLAs: Clearly defined Key Performance Indicators (KPIs) and Service Level Agreements (SLAs) are vital for measuring your MSSP's effectiveness. These should align with your resilience goals, focusing on detection, response, and recovery metrics.
  • Consequences for SLA breaches: Failing to meet SLAs should have tangible consequences, whether monetary penalties or service credits. This incentivizes the MSSP to prioritize your resilience goals.
  • Meaningful data and reporting: Demand regular, comprehensive reporting (weekly, monthly, quarterly) that includes key metrics like true positives/false positives, Mean Time to Detect (MTTD), and Mean Time to Respond (MTTR). You should also move beyond these standard metrics to more insightful ones, including Security Rule ROI, False Positive Ratios, Resolved on First Touch, and MITRE ATT&CK coverage. You need this level of data to oversee service quality and identify areas for improvement in your security posture.

What you measure gets managed. Ensure your contract includes performance metrics and clear reporting mechanisms that directly tie to your cyber resilience goals.
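As an added illustration (not code from the original post), the following script computes the KPIs named above, MTTD, MTTR, false positive ratio and resolved on first touch, from a constructed set of incident tickets and flags the individual tickets that breach a detection or response SLA. Ticket fields, SLA targets and all timestamps are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    occurred: datetime     # earliest malicious activity, per forensics
    detected: datetime     # when the MSSP raised the alert
    resolved: datetime     # when the incident was closed
    true_positive: bool    # False = benign alert the MSSP escalated anyway
    touches: int           # analyst handoffs before closure (1 = first touch)


def _avg(deltas):
    # Mean of a list of timedeltas; None when there is nothing to average.
    return sum(deltas, timedelta()) / len(deltas) if deltas else None


def compute_kpis(tickets):
    """MTTD and MTTR are computed over true positives only; a false positive
    has no real 'occurred' time, so it would distort both averages."""
    tps = [t for t in tickets if t.true_positive]
    return {
        "mttd": _avg([t.detected - t.occurred for t in tps]),
        "mttr": _avg([t.resolved - t.detected for t in tps]),
        "false_positive_ratio": 1 - len(tps) / len(tickets) if tickets else 0.0,
        "resolved_on_first_touch": sum(t.touches == 1 for t in tps) / len(tps) if tps else 0.0,
    }


def sla_breaches(tickets, sla):
    """Per-ticket SLA check: averages can look fine while single incidents
    blow the target, and penalty clauses are enforced per incident."""
    breaches = []
    for t in (t for t in tickets if t.true_positive):
        if t.detected - t.occurred > sla["detect"]:
            breaches.append((t.ticket_id, "detect"))
        if t.resolved - t.detected > sla["respond"]:
            breaches.append((t.ticket_id, "respond"))
    return breaches


T0 = datetime(2025, 8, 1, 9, 0)
TICKETS = [  # constructed sample data, not real incidents
    Ticket("INC-1", T0, T0 + timedelta(minutes=10), T0 + timedelta(hours=2), True, 1),
    Ticket("INC-2", T0, T0 + timedelta(minutes=50), T0 + timedelta(hours=6), True, 3),
    Ticket("INC-3", T0, T0 + timedelta(minutes=30), T0 + timedelta(hours=1), True, 1),
    Ticket("INC-4", T0, T0 + timedelta(minutes=5), T0 + timedelta(minutes=20), False, 1),
]
SLA = {"detect": timedelta(minutes=30), "respond": timedelta(hours=4)}  # assumed targets

if __name__ == "__main__":
    print(compute_kpis(TICKETS))
    print(sla_breaches(TICKETS, SLA))
```

With the sample tickets the averages meet both targets (MTTD 30 min, MTTR 2.5 h), yet INC-2 breaches both SLAs, which is the gap a report that shows only averages hides.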

Why it matters:

“With our last MSSP, it was impossible to get any meaningful data around true positives versus false positives, mean time to detect and remediate, any meaningful data out of the service. They were also doing tech maintenance. But it was impossible to get data on what they were doing, how much work or effort they put in, and what kind of improvements they delivered. It was completely non-transparent.” Director of Security Engineering, Financial Services

Strategic Engagement: Control Over Response Actions

While you want your MSSP to act decisively, keeping ultimate control over high-impact response actions is crucial for minimizing business disruption and ensuring alignment with your organizational risk tolerance. Automated responses are powerful, but for critical actions, a human-in-the-loop can prevent unintended consequences and ensure alignment with your incident response plan for recovery.

Consider:

  • Immediate action capability: Your MSSP should be capable of taking immediate containment actions, such as isolating a device or blocking an IP, rather than just sending an alert. Rapid containment is a cornerstone of cyber resilience.
  • Human-in-the-loop for critical actions: For high-impact actions like system shutdowns, many CISOs prefer a human in the loop. This requires an alert and explicit approval before automated resolution proceeds.

Strike a pragmatic balance between automated response and human oversight. Define clear escalation paths and approval processes for critical actions to manage risk and ensure swift, yet controlled, recovery.

One security leader’s frustration:

“[The existing MSSP] was inflexible and opaque in terms of the rules they have, the way they ingest and interact. We sent off stuff to them and it was like a black box. So, the internal team couldn't really collaborate with them in a meaningful way.” Senior Security Engineering Manager, Global Energy Company

A True Partnership: Control Over the Relationship

Your MSSP partnership is a long-term commitment critical to your security posture. A strong, transparent relationship fosters trust and collaboration, allowing both parties to work effectively toward shared resilience goals. Conflicts or a lack of transparency can hinder adaptability and responsiveness in the face of new threats.

This means:

  • Clear commitment to your success: Seek partners who show a genuine commitment to your specific resilience goals and understand your unique business context and risk appetite.
  • Communication, responsiveness, and transparency: Value vendors whose staff, from analysts to leadership, are consistently communicative, responsive, and transparent. Open lines of communication are vital for adapting to new threats and improving your collective resilience.
  • Meaningful strategic conversations: It’s one thing to have strong metrics and KPIs; it’s another to explore their strategic implications for your cybersecurity roadmap and resilience strategy. Quarterly Business Reviews (QBRs) to discuss progress, wins, and concerns help solidify alignment. An MSSP with a customer assurance program works collaboratively to ensure your expectations are met and translates security programs and outcomes into business impact, helping you show the value of security operations to your board and executive team.
  • Avoiding leverage: Build a true partnership on mutual respect. Conflicts arise when vendors try to use their position to exert undue leverage, which can derail collaborative efforts toward security maturity.

View your MSSP as a strategic partner in your cyber resilience journey. Foster a collaborative environment built on clear communication, shared goals, an evolving strategic relationship, and mutual respect to maximize the value of the partnership.

What to look for:

“It's not just about an MSSP presenting all these great tools and features and giving you a good deal. That lasts for a few months and then what? What about long term? Part of the evaluation is to show me how you’ll help us build a long-term, working relationship. How do you invest in that? It's not just about periodic meetings. What about process engineering and how do you handle escalation? What are the other responsibilities of the vendor versus the customer? Many vendors don't pass that test very well, just in my experience.” Head of IT and Security, Financial Services

Control Enables Cyber Resilience

For CISOs, "control" in MSSP partnerships translates directly into enhanced cyber resilience. It's about maintaining visibility, ownership, defined responsibilities, influence over actions, and oversight of your security operations, technology, data, and the service relationship.

This ensures your MSSP acts as a controlled, effective extension of your security team, supporting your organization's ability to not just protect, but also rapidly detect, respond to, and recover from cyber threats.