Outsourcing security isn't what it used to be; it used to be easy. Buy some security technology and find a vendor with the skills to manage it. But technology vendors went and made it easier to manage and deploy this stuff ourselves, so inevitably it becomes harder to understand "What does your security provider actually do?"

Throwing information at the consumer

The first logical step for a provider is to take that 'easy to manage' technology and smother it in a provider-flavoured sauce, so it feels like they are contributing something. However, in many cases this adds nothing, and in some cases it makes it harder to get at the information. Take vulnerability management, for example: historically, providers maintained a vulnerability scanner; then that became easier, so they started producing vulnerability reporting based on the technology. But this abstracted the user away from the technology itself and replaced it with a 300-page PDF. What buyers ended up with was a diluted version of a security technology, and not always diluted in the right way. Often the workload is still the same, just coming from a different direction or carrying a different stamp. One of the most common reasons for an organisation to re-tender its security service is that it simply feels the provider is chucking the information from the technology over the fence, without adding anything.

[Figure: Chucking Alerts Over the Fence]

Testing the value of a provider

You can only test against what you asked for. So if you got an alert-regurgitation service, that is likely what you asked for, whether you knew it or not. This tells us at Gartner that organisations don't pay enough attention to what they want the results to be; instead they focus on what a technology provides or covers. Focusing less on the method of delivery and more on how the organisation consumes security is key.
A common misconception is that "speed" = "better"; this is the first area where we put pressure on providers, and we do so for no other reason than that it is easy to measure and test. Another misconception is that "volume" = "value", without evaluating how much we are actually able to consume. It's impossible to measure value in security without first defining what would be valuable, when, and in what quantities. This is like asking for breakfast, lunch and dinner to be delivered to your table in one go: not only can you not eat it all, but most of it is cold before you get to it.

Knowing what you want

Your security service provider will do as you ask, if you define your ask well enough. This doesn't mean you necessarily need to be a security expert, but you do need to recognise what is most important to your organisation. Consuming the right service is a combination of understanding your business risk; communicating or defining what would impact that risk; and knowing what you will do when you are told it is affected. Security services in the marketplace can be as simple as managing a technology (e.g. SaaS SIEM, managed EDR) or sharing the responsibility for managing and operating a security platform (co-managed security); it is most often the outsourcing of security operations (MDR, managed SOC) that is the most contentious. Don't fall at the first hurdle by diluting your own services through under-defining your needs, or by not being prepared to consume what a provider sends you (see https://www.gartner.com/en/documents/3970821/what-makes-a-successful-security-services-rfp-). Hold your provider to their promises, engage regularly, and develop the services as a partnership throughout their lifetime.