Your Security Operations Maturity – and Your MSSP

Contrary to what some people think, using MSSP is not just for losers low-maturity organizations and SMBs.

For sure, we do see a lot of MSSP usage by clients who “need some monitoring for compliance” or “have no team and no process, and want ‘security outsourced’” (the latter seems like a good indication for MSSP use, but in reality smells like MSSP FAIL in the making).

Still, with emergence of top-tier MDR providers who possess real experience dealing with advanced threats, we observed that tactical [=aimed at a very specific capability gap in client secops] MSSP / MDR use at higher maturity organizations is growing as well [here and everywhere on this blog, this refers to the maturity of security operations]

However, it is very clear that these are not the same MSSPs!


So, we now face a problem of matching MSSP/MDR providers to clients’ maturity. We hear from clients where their procurement people literally push them to a low-price MSSP even though they have a clear set of business requirements for an elite MDR.

In essence, MSSPs are NOT all the same, even if they say the same things in their glossies. “MSSPs baffle their buyers with complex or vague service descriptions,” as we say in a recent paper. Picking the one that fits your needs best is harder than most realize….

Care to share your MSSP or MDR horror stories (aka “learnings”) or perhaps your EPIC WIN stories?

Related blog posts from our MSSP research: