It’s a fact: it’s getting more and more difficult to recruit and retain experienced cybersecurity talent.
This shortage of cybersecurity talent and budget drives more and more subscriptions to creative, efficient and disruptive cybersecurity cloud services (so-called “MSSPs”).
However, in order to do so, companies need to establish true partnerships and avoid opportunistic short-term contracts with their vendors. This is completely different from DIY (Do It Yourself) “on-prem” cybersecurity: it requires trusting partners, sharing enough information with them upfront (including some details of your own strategy), and relying on their skills and experience and on how they are used to operating their solutions with other customers, instead of asking them to “only” execute… It’s more a “team” strategy than a “make” one. In a nutshell, if you don’t trust your critical partners, get rid of them…
All of the above is a complete cultural change!
For instance, CISOs need to stop hunting for a fully customized service and instead influence their vendors’ strategy to ensure it stays aligned with their future needs.
In turn, to do so, they must share and anticipate their needs and concerns with the main / largest customers of their selected partner, attend its Customer Advisory Boards (and invest enough time in that, at least for critical partners), etc… When common needs are identified that cannot be fulfilled by existing products, workarounds and solutions must be identified, along with proper ETAs for each milestone (to avoid the so-called “tunnel effect”), prioritized according to how urgently they are needed. I recommend using nice Kanban or Trello boards to do so!
But then comes the need to make sure that these ETAs match the sprint cycles already planned by the vendor… Partners should avoid overselling super short deadlines that will never be met, while also avoiding postponing enhancements to a distant future!
Also, while the cost of DIY is pretty stable after go-live, its alignment with business requirements and cybersecurity standards usually fades away quickly… A well-established partnership with an MSSP should bring the opposite: very careful FinOps management (which is a new activity for most CISOs) enabling sustainable and agile growth of the cybersecurity service… The grail for most CISOs!
Hence, come and join the CIX-A association, and you’ll meet and exchange freely with your peers (CISOs and their teams), better understand their common concerns and strategies, and learn how to establish and keep the best relationship with your MSSPs!
Olivier DALOY, odaloy@gmail.com