How aligned to reality is the cybersecurity reporting provided by your managed security service provider? Organizations are at a much greater risk when they lack insight into their actual cybersecurity performance.

As a CISO of a major healthcare system, you’re always looking for cost-effective ways to improve the organization’s security posture while supporting quality-of-care initiatives. One growing response is to outsource a portion, or all, of your cybersecurity needs to a managed service provider. Perhaps you are considering this option. You may already have a provider in place, possibly inherited through your predecessor. It’s possible you have found a specific provider through your own research or received a strong recommendation from your boss or board of directors. In any case, it’s rare to find a managed security provider that meets all your expectations: one that’s not too expensive, delivers on its value proposition, and, believe it or not, provides you timely, accurate, and meaningful reporting so you can truly understand the reality of your security posture and what improvements are needed.

Finding yourself at odds with your managed security provider is an all too common occurrence. The short honeymoon period may include status reports detailing a flurry of activity from the vendor with metrics of vulnerability scanning and remediation tasks – life is good. Months later, the reports seem to be heading in the right direction with metrics like “12,000 assets scanned this month” and “214 critical vulnerabilities remediated”, but something isn’t quite right because you know you have over 17,000 scannable assets.

During the monthly vendor review meeting, you remind the provider that your hospital has thousands of unscanned assets they need to account for, resolve, and report as scanned. Furthermore, the vendor has yet to explain which specific assets are being scanned, so it’s possible that critical servers have never been scanned or patched. For all you know, there could be critical vulnerabilities on your public-facing web servers.

The vendor assures you they will refine their reporting and provide the requested information, but this will take time and is above and beyond the negotiated contract. New data starts to trickle in slowly, but you are skeptical about how it’s collected and correlated. You ask to see the underlying data and are told “it’s not available” or receive operator-level spreadsheets that must be deciphered and raise more questions. After a few months, you realize none of this is helping your organization protect patient data and maintain the hospital’s stellar reputation. You’re not getting the visibility needed to effectively manage risk.

Ideally, this type of scenario would be avoided by taking time up front to clearly define contract terms and mutually understand the service level agreement (SLA) benchmarks for the managed service. Jesse Dean, Senior Director of Solutions at TDI, recommends designing and framing these SLAs to align with your specific Cybersecurity Performance Improvement (CPI)™ objectives. For example, if an organization is going to rely on outsourced vulnerability management, a couple of easy benchmarks to monitor might be:

  • Average age of critical vulnerabilities on the network
  • Percentage of known IT assets scanned over the last 30 days

Just these two alone can offer significant insight into the effectiveness and performance of your outsourced vulnerability scanning and management program.
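Both benchmarks can be recomputed from the provider's raw scan export against your own asset inventory, which also shows which assets sit in the gap between "assets scanned" and "assets known". The following is an added example, not code from the article or from TDI; the hostnames, dates, field names and the 30-day window parameter are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data: hostnames, dates and fields are hypothetical.
AS_OF = date(2024, 6, 30)
INVENTORY = {  # your own asset inventory, independent of the provider
    "web-01": {"public_facing": True},
    "web-02": {"public_facing": True},
    "ehr-db-01": {"public_facing": False},
    "pacs-01": {"public_facing": False},
    "hr-ws-17": {"public_facing": False},
}
LAST_SCAN = {  # provider export: asset -> date of last completed scan
    "web-01": date(2024, 6, 20),
    "ehr-db-01": date(2024, 6, 25),
    "pacs-01": date(2024, 4, 2),     # scanned, but outside the window
    "lab-tmp-9": date(2024, 6, 28),  # scanned, but missing from inventory
}
OPEN_CRITICALS = [  # provider export: (asset, date first detected)
    ("web-01", date(2024, 6, 10)),
    ("ehr-db-01", date(2024, 5, 1)),
    ("pacs-01", date(2024, 3, 2)),
]

def scan_coverage(inventory, last_scan, as_of, window_days=30):
    """Percentage of known assets scanned in the window, plus the gaps."""
    cutoff = as_of - timedelta(days=window_days)
    fresh = {a for a in inventory if a in last_scan and last_scan[a] >= cutoff}
    missing = sorted(set(inventory) - fresh)
    return {
        "percent": round(100 * len(fresh) / len(inventory), 1) if inventory else 0.0,
        "unscanned": missing,
        "unscanned_public": [a for a in missing if inventory[a]["public_facing"]],
        "not_in_inventory": sorted(set(last_scan) - set(inventory)),
    }

def critical_age(open_criticals, as_of):
    """Average and maximum age in days of still-open critical findings."""
    ages = [(as_of - first_seen).days for _, first_seen in open_criticals]
    if not ages:
        return {"average_days": 0.0, "oldest_days": 0}
    return {"average_days": round(sum(ages) / len(ages), 1), "oldest_days": max(ages)}

if __name__ == "__main__":
    print(scan_coverage(INVENTORY, LAST_SCAN, AS_OF))
    print(critical_age(OPEN_CRITICALS, AS_OF))
```

The denominator is the inventory you maintain, not the provider's scan list, so an asset the provider has never seen counts against coverage instead of disappearing from the report.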

If you are stuck in a bad contract – keep the pressure on your provider by demanding more meaningful cybersecurity performance metrics and cut ties as soon as you can. No one wins when security reporting is incongruent with reality.

“Great CISOs have visibility,” said Dean. “Having visibility is paramount in understanding your true risk. From there you know where you stand and can implement any needed changes and quickly monitor effectiveness as you drive a more robust, defensible, and mature security program.”