Working with MSSPs, the Good, the Tough, and What to Do Next

The Benefits

1. Operational Coverage Without Headcount Stress

A good MSSP extends your team's 24/7 detection, triage, and response capabilities without recruiting, training, and retaining five more analysts. For CISOs trying to do more with lean teams, this is gold. 

2. Instant Access to Niche Expertise

Many MSSPs bring specialized skills, such as threat hunting, compliance advisory, forensics, and OT/ICS coverage. As a CISO, I've leaned on MSSPs during audits, incident response, and cloud migrations, and I've avoided major headaches because of them. 

3. Better Signal, Less Noise

A mature MSSP doesn't just dump alerts into your inbox; it tunes your environment, correlates signals, and escalates what actually matters. That's where the value starts to show: reducing alert fatigue and making your internal team more effective.

The Challenges (And They're Very Real)

1. Control vs. Delegation

For CIOs and CISOs, working with an MSSP can feel like a loss of visibility and control. You need transparent governance: who owns detection? Who responds? How are decisions escalated? If this isn't locked down, you're building on sand.  

2. Communication Gaps

This one's big. I've seen excellent technical teams fall flat because they couldn't align with a client's business context. MSSPs need to speak the language of risk, not just logs and packets. Likewise, security leaders must set the tone for framing and communicating risk. 

3. Maturity Misalignment

Not all MSSPs are built the same. I've worked with partners who were still "figuring it out": no real processes, just resold tooling. Others were true partners with playbooks, real-time dashboards, and staff who felt like an extension of my team. The difference is night and day.

So What Should You Do Next?

Here's what I tell security leaders and MSSPs when we talk strategy:

1. Run a Capability Gap Assessment

For CISOs/CIOs: What does your team do well? Where are you thin? Use that to define the scope of MSSP support.

For MSSPs: Where do you shine? Where do you fall short? Be honest; don't try to be everything to everyone.

2. Get Tactical on SLAs and Escalation Paths

Don't stop at "we provide 24/7 monitoring." Get clear on what that means. What's the timeline for triage? Who gets called at 2 a.m.? I've seen a lot of frustration avoided by simply tightening up these operational agreements.

3. Pilot Before You Commit

If you're a CISO, start with a controlled, measurable engagement. Can this MSSP detect and respond in your environment with minimal friction?

If you're an MSSP, offer this up front and prove your value fast. It builds trust and gives both sides a realistic view of what's working.

Final Thought

When done right, the MSSP model creates real leverage, especially in today's threat landscape. But it's a relationship, not a product. Whether buying or delivering MSSP services, success comes down to alignment, clarity, and execution.

Please contact me if you're evaluating (or delivering) MSSP services and want to exchange ideas. I love to unpack this kind of challenge.

FAQs

1. How do I measure MSSP performance over time?

To truly evaluate your MSSP, you need to track a mix of operational, tactical, and strategic metrics. Here are a few I recommend:

🔹 Core KPIs:

  • MTTD (Mean Time to Detect) – How fast are they identifying threats? Agree up front where the clock starts (first attacker activity found in the investigation, or the first telemetry that could have fired) and where it stops (alert raised).
  • MTTR (Mean Time to Respond) – How quickly are they escalating and responding? Define the stop point too: acknowledgement, escalation to you, or containment each gives a very different number.
  • False Positive Rate – Are you drowning in noise, or getting quality alerts?
  • SLA Adherence – Are they hitting response and escalation time commitments? Measure it per severity rather than as one blended number, so a miss on a critical isn't hidden by a hundred on-time lows.
  • Reporting Quality – Are reports timely, relevant, and actionable?

🔹 Bonus: Strategic Indicators

  • Has your internal team gained bandwidth?
  • Are you seeing improved audit/compliance scores?
  • Is leadership more confident in your security posture?

Pro tip: Build a quarterly MSSP review cadence with scorecards, not just dashboards. Include metrics and qualitative feedback.
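To make the scorecard concrete, here is an added example (not code from the original post or from any MSSP) that computes MTTD, MTTR, false positive rate, and per-severity SLA adherence from a set of closed alert records. The record fields, the triage targets in SLA_TRIAGE_MINUTES, and the five sample alerts are all assumptions constructed for illustration; substitute your own ticket export and contractual targets.

```python
"""MSSP scorecard KPIs from closed alert records.

Example code added for this article. The record layout, SLA targets and
sample alerts below are assumptions, not any vendor's real data or contract.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional

# Assumed contractual triage targets: minutes from alert raised to analyst acknowledgement.
SLA_TRIAGE_MINUTES = {"critical": 15, "high": 30, "medium": 120, "low": 480}


@dataclass
class AlertRecord:
    alert_id: str
    severity: str
    first_activity: Optional[datetime]  # earliest attacker activity found in the investigation (None for FPs)
    detected: datetime                  # when the MSSP raised the alert
    acknowledged: datetime              # when an analyst began triage
    contained: Optional[datetime]       # when containment completed (None if FP or still open)
    true_positive: bool


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def minutes_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60


# Constructed sample data, not real incidents.
SAMPLE_ALERTS = [
    AlertRecord("A-1", "critical", _ts("2024-03-01T02:00:00"), _ts("2024-03-01T02:40:00"),
                _ts("2024-03-01T02:50:00"), _ts("2024-03-01T04:10:00"), True),
    AlertRecord("A-2", "high", None, _ts("2024-03-01T09:00:00"),
                _ts("2024-03-01T09:20:00"), None, False),
    AlertRecord("A-3", "high", _ts("2024-03-02T11:00:00"), _ts("2024-03-02T12:00:00"),
                _ts("2024-03-02T12:45:00"), _ts("2024-03-02T15:00:00"), True),
    AlertRecord("A-4", "medium", None, _ts("2024-03-03T08:00:00"),
                _ts("2024-03-03T09:00:00"), None, False),
    AlertRecord("A-5", "low", _ts("2024-03-04T00:00:00"), _ts("2024-03-04T06:00:00"),
                _ts("2024-03-04T12:00:00"), _ts("2024-03-04T13:00:00"), True),
]


def scorecard(alerts: list) -> dict:
    """Return the KPI dictionary for one review period.

    MTTD: first attacker activity -> alert raised, true positives only.
    MTTR: alert raised -> containment complete, contained true positives only.
    FP rate: share of all alerts closed as false positive.
    SLA adherence: share of alerts acknowledged within the severity's target.
    """
    if not alerts:
        raise ValueError("no alerts in period")

    true_positives = [a for a in alerts if a.true_positive]
    contained = [a for a in true_positives if a.contained is not None]

    mttd = mean(minutes_between(a.first_activity, a.detected) for a in true_positives) if true_positives else None
    mttr = mean(minutes_between(a.detected, a.contained) for a in contained) if contained else None
    fp_rate = sum(1 for a in alerts if not a.true_positive) / len(alerts)

    met, total = {}, {}
    for a in alerts:
        if a.severity not in SLA_TRIAGE_MINUTES:
            raise ValueError(f"{a.alert_id}: unknown severity {a.severity!r}")
        total[a.severity] = total.get(a.severity, 0) + 1
        if minutes_between(a.detected, a.acknowledged) <= SLA_TRIAGE_MINUTES[a.severity]:
            met[a.severity] = met.get(a.severity, 0) + 1

    return {
        "mttd_minutes": mttd,
        "mttr_minutes": mttr,
        "false_positive_rate": fp_rate,
        "sla_adherence": sum(met.values()) / len(alerts),
        "sla_by_severity": {sev: met.get(sev, 0) / n for sev, n in total.items()},
    }


if __name__ == "__main__":
    for key, value in scorecard(SAMPLE_ALERTS).items():
        print(f"{key}: {value}")
```

On the sample data the blended SLA adherence is 80%, which looks fine until the per-severity breakdown shows the two high-severity alerts were only triaged on time half the time. That split is the number to put on the quarterly scorecard. Means are also easy to skew with one slow ticket, so for a real export consider adding median and 90th-percentile columns alongside the means.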

2. How do MSSPs integrate with in-house tools and workflows?

This is where a lot of the friction happens, or the magic, if it's done right.

Key areas to align:

  • SIEM integration: Are they using yours (e.g., Splunk, Sentinel, QRadar) or bringing their own?
  • Ticketing systems: Will alerts and cases flow into your ServiceNow, Jira, or whatever tool your team lives in?
  • IR workflows: Do they follow your playbooks or theirs? Can they initiate containment, or do they wait for your green light?
  • Change management: Are they looped into ITSM processes to avoid disrupting operations?

🔧 Advice for CISOs: During onboarding, walk through actual scenarios (like a suspected ransomware event) and map out who does what, using what tools.

🧩 Advice for MSSPs: Offer integration guides and build a repeatable playbook for client tool stacks.

3. What should a mature MSSP onboarding process look like?

If onboarding feels like an afterthought, run.

A mature MSSP should have a structured and repeatable onboarding process that typically includes:

✅ Kickoff and Stakeholder Alignment

  • Clarify goals, define success, align on roles
  • Exchange escalation paths, contact lists, documentation access

✅ Technical Discovery and Asset Inventory

  • Understanding your network, endpoints, cloud workloads, critical apps
  • Log sources: firewalls, EDR, servers, cloud, etc.

✅ Baseline Configuration and Tuning

  • Alert tuning, correlation rules, suppression logic
  • Tuning should be a living process, not one-and-done

✅ Tabletop Exercises

  • Validate playbooks in a safe environment
  • Align on communication workflows in real-world situations

💡 Red flags: A vague onboarding plan, limited customization, or no upfront detection tuning.

4. How do MSSPs handle compliance and regulatory alignment?

It varies, but mature MSSPs can be a strategic compliance ally, not just a security partner.

Services MSSPs might offer:

  • Log retention and audit-ready reports for frameworks like HIPAA, PCI-DSS, SOX, and CMMC
  • Security event correlation across compliance-relevant systems (e.g., tracking access to ePHI or cardholder data)
  • Policy support: Some provide templates or consult on incident response plans, access control, etc.
  • Gap analysis or readiness assessments for regulatory frameworks

🎯 CIO/CISO tip: Ask your MSSP which compliance frameworks they’ve worked with — and request specific examples of how they supported previous audits or readiness efforts.

5. What's the real cost and how do I justify it to leadership?

Ah yes, the million-dollar question, or more like the $10k to $50k/month question, depending on scope.

MSSP pricing models vary, but common ones include:

  • Per user/device – Straightforward but can balloon with company growth
  • Tiered packages – Based on service levels (e.g., detection-only vs. full MDR)
  • Log ingestion or EPS-based – If they manage your SIEM
  • Custom flat-rate – For full-stack coverage across multiple services

Making the Business Case

  • Compare to the cost of building and staffing an internal SOC (avg. $1.5M+ per year)
  • Emphasize risk reduction: lower dwell time, better response, fewer breaches
  • Highlight board-friendly outcomes: audit readiness, improved cyber insurance posture, reduced risk to revenue and reputation

📈 Pro tip: Put MSSP costs in the context of avoided costs: breach recovery, downtime, regulatory fines.
