Industry insights

Security in Action Framework: Determine if an MSSP is a good fit for you

January 14, 2022 by J.R. Cunningham

Security frameworks such as the NIST Cybersecurity Framework, Center for Internet Security (CIS) Critical Security Controls or PCI DSS exist to help security professionals identify and implement controls. The frameworks also provide “check the box” tracking for elements an organization should consider in building its security program.

For example:

  • The NIST Framework organizes basic cybersecurity functions: Identify, Protect, Detect, Respond and Recover. A profile helps to align the functions, categories and subcategories associated with each cybersecurity function. Implementation tiers allow organizations to explore risk management practices.
  • The CIS presents 18 controls, including “inventory and control of enterprise assets” and “data protection.” The overview of data protection reads: Develop processes and technical controls to identify, classify, securely handle, retain and dispose of data. 
  • PCI DSS exists to protect credit cardholder data with 12 prescriptive requirements including “install and maintain a firewall configuration to protect cardholder data” and “protect stored cardholder data.” 

While the frameworks include discrete components, all lack two critical elements: (1) customization based on specific client goals, existing technology and services, and industry needs; and (2) continuous improvement of a security program over time. Interpretation and implementation are typically a “from-scratch” effort that is largely “do it yourself” (DIY).

An interactive and customizable framework

The ideal framework allows setup based on your industry, technology, infrastructure, staff, expertise and other variables. Your expectations, requirements, threat landscape, risk profile and security maturity goals matter a lot to security outcomes. And, you should be able to emphasize or de-emphasize certain framework elements depending on your organizational current state, goals and industry. 

The Security in Action Framework is interactive and customizable. It’s built on a consultative model, so it fits your organization. Read on to learn about the eight steps of a Security in Action Framework — and the best approach to working with a managed security services provider (MSSP) to achieve better security and business outcomes.

The Security in Action Framework

Services and technologies evolve and so do frameworks. Security in Action reflects next-generation thinking about how to set up and manage your security program.

1. Discover

Thorough, complete discovery and onboarding may be the most important influence on outcomes. A consultative, collaborative process sets the stage for all that follows. Discovery is a great opportunity to be accurate and precise in capturing relevant business objectives, risk factors and security goals — and to clarify your threat landscape and implement the right controls and communications. Additionally, the process:

  • Sets the tone and expectations for the service provider
  • Helps you build a security program that combines what is known about your organization, such as goals and existing technology and services, with industry and cybersecurity intelligence
  • Builds trust in data from many sources to create a safer environment with appropriate security controls

When the analytics data of global threat traffic is combined with threat modeling, you learn which threats are most relevant to your industry and which aspects of your security program to prioritize. Go further with your provider to customize your experience, including where you are in areas of control. Customization enhances your program: 

  • Select a persona and industry
  • Specify your current technology, staff, domains, controls and more
  • Select a goal that describes where you want to be in the future

The resulting roadmap shows where to spend your next dollar.

2. Focus

Apply discovery findings to prioritize threats and mitigation efforts based on greatest risk — a direct way to reduce overall organizational risk and pinpoint where to optimize your valuable resources. Gain greater clarity:

  • Create a roadmap prioritized by findings for technology and services
  • Receive recommendations from cybersecurity experts
  • View, keep tabs on and manage your roadmap (and ultimately your entire security program)

3. Prepare

Maximize threat visibility, close high-risk gaps, eliminate overlaps and/or add required security controls:

  • Collaborate on architecture and solution designs
  • Create a security runbook in collaboration with a provider’s security implementation team (SIT), security operations center (SOC) and network operations center (NOC) teams to make sure you are on the same page with prioritization
  • Customize your needed services and technology priorities

4. Monitor/manage

Monitor and proactively manage your IT environment 24x7x365 with the aid of MSSP resources such as SOCs and NOCs:

  • Eliminate swiveling among multiple screens to get as close as you can to operating with a single point of view
  • Acquire services that align to what you have already and where you need to be
  • Keep track of your entire security program progress including tickets, potential threats, services and technology 

5. Notify

Communicate based on the alerts and processes set up during onboarding:

  • Reduce false positive alerts
  • Receive threat alerts and detailed information about what to do next
  • Receive instructions for further actions if they are required

6. Contain

Get the help you need to contain threats and mitigate potential damage: 

  • Receive assistance from dedicated experts such as a provider’s SIT, SOC and NOC resources
  • Work with a certified security incident response team (SIRT) to expedite containment
  • Minimize business disruption with automated response options

7. Mitigate

Experience proactive response management:

  • Respond to threats 24x7x365
  • Remove threats using manual or automated methods
  • Return to steady state as quickly as possible

8. Maintain/evolve

Assess and improve your security posture continuously:

  • Make decisions based on metrics and ongoing threat modeling
  • Participate in regular security reviews
  • Adjust your security program and controls to keep up with the changing threat landscape and business/industry requirements

Think cybersecurity bookends 

All MSSPs should offer certain Security in Action steps: Discover, Focus, Prepare and Maintain/Evolve. Why? Because the initial steps start the “bookends” that cover proper customization and onboarding, setting you up for success with your managed security services. The Maintain/Evolve step closes the loop by supporting continuous improvement. Unfortunately, not all MSSPs think this way.

Most MSSPs cover the middle steps: Monitor/Manage, Notify, Contain and Mitigate. These are largely SOC-based services that can be outsourced either fully or partially. However, few providers think in terms of the best setup and outcomes at the beginning of and throughout the client lifecycle.

Achieve better security and business outcomes

The Security in Action Framework adds the crucial areas missing from other frameworks: customization and continuous improvement. All eight steps work together to improve both day-to-day operations and your cyber resilience (be ready for anything). Integrated steps also make it easier to balance the human intelligence, technology and processes your organization needs.

Efficient, effective managed security services are individualized for each organization and take into account industry-specific nuances. When you evaluate MSSPs, map their approach and capabilities to the Security in Action Framework. Then you can determine if a MSSP delivers the right service that allows your organization to improve security and business outcomes.

Posted: January 14, 2022
Author
J.R. Cunningham
View Profile

An accomplished leader, innovator and premier thinker in cybersecurity and risk management with a proven track record of success, J.R. Cunningham has performed executive consulting, architecture and assessment work across the globe and in a wide variety of industries, including manufacturing, insurance, healthcare, education, intelligence community, retail and government. Prior to joining Nuspire, J.R. built and led industry-respected executive consulting practices for Optiv & Herjavec Group. J.R. is known throughout the industry as an evangelist of practical and business-aligned security techniques. Prior to his work in security and risk, J.R. directed technology operations at MarketWatch.com, one of the world’s most visited websites.

Leave a Reply

Your email address will not be published.