With a 38 percent rise in security incidents between 2014 and 2015 and a 26 percent increase in the cost per breach, organizations are under pressure to reduce risk. Unfortunately, hiring qualified staff to do that is becoming more difficult, with over 200,000 cybersecurity jobs going unfilled. It is no surprise that analysts are forecasting rapid growth in the use of managed security service providers (MSSPs).
If you are using these services now, or thinking about adding them, your success will hinge on strong communication.
Whether you are in early discussions with potential providers or managing a long-term relationship with a trusted partner, use this checklist to eliminate surprises, disappointments or gaps.
The Security Partner Common Ground Checklist
1. Speak the same language
- Avoid blanket terms: In your conversations with partners, and in contracts and documentation, are you clear on the kind of protection you need? Words like “secure” and “protect” have become so stretched, they’re useless in contracts or design discussions. Use words that relate to the characteristics you want to ensure. You can use the old-school themes of confidentiality, integrity, and availability, or reframe security needs in terms related to the services or product that you are trying to deliver.
- Clearly explain how your business works: Your partners must understand the functions they are asked to protect. For example, employee and customer data both require privacy, but the use of that data and its interconnectedness with other systems are vastly different. Walk your partners through the context of the systems they are defending so they apply themselves to the right issues.
- Watch your tone: Some organizations outsource their security out of a lack of interest as much as resources. Your sense of concern, responsibility, and priority establish the seriousness with which your partner will respond to issues.
2. Define roles, controls, and measures
- Determine what you think should be done: Prior to external discussions, create a plan for how you would approach the security project. What specific controls do you think are required, or what services and systems would you highlight? Translate this plan into qualifications that the provider can address in their proposal.
- Establish goals and metrics: Based on this planning, create a measurement methodology for the security service you acquire. It may be the number of security messages analyzed, applications assessed, or time to resolve issues. When done well, there should be few critical incidents that raise alarms to security, and these measures will keep the discussion fresh.
- Set a regular cadence for reviews: Needs and priorities evolve over time. Your plan must include reassessments for coverage, increased exposure, and expansions in the threat surface. Monthly reviews are appropriate for the metrics described earlier, and the overall program and scope should be revisited quarterly.
3. Plan for crisis
The ultimate test of these relationships is the combined response to a crisis. In the absence of planning, chaos, delay, and finger-pointing are very likely. Proper preparation will make this a much smoother event.
- Agree on what constitutes a security incident: The first step in crisis management is defining the conditions that mean you are having one. Different industries and organizations have different ideas on what constitutes an emergency, and clarity is needed to avoid false alarms.
- Establish roles and responsibilities: To eliminate gaps and duplication of effort once an event is in motion, assign responsibilities to provider and internal contacts. Key questions to address include: Is the service (or system) to be brought down? What are the correct answers to requests for information? How should the provider respond to law enforcement or media contacts?
- Set remediation expectations: Your security emergency may not be an emergency for your provider, particularly if they are large, or your relationship is small. Set expectations on timing and responsiveness in the event of an emergency, and ensure the contract will motivate the proper level of activity.
- Document your organization’s view of confidentiality: This should include details about disclosure of the relationship, provider employee agreements on confidentiality, and the service provider’s expectations. Make sure that all parties are clear on what can be said about the relationship and the impact.
With the exception of large organizations with experienced security staff, utilizing some amount of outsourced security services is a natural strategy for most organizations. By following the recommendations in this checklist, that relationship can start—and stay—a constructive one, with better security a natural result.