Since their birth in the 1990s, managed services security providers (MSSP) have come a long way, and are expected to grow to a $40 billion business globally by 2022.

But in my work, I see every day how these businesses need to go further to keep up with the volume, variety and velocity of security threats we face in the digital age. MSSPs can fall short with everything from complex and costly onboarding processes, to gaps in their services that actually increase the customer’s security spending. Others make security challenges worse by bombarding customers with alerts but no guidance about which threats are most serious and how to fight them.  

In order to fully meet today’s security needs, here are nine “must-haves” for business leaders to look for when selecting a next-gen MSSP:

  1. Automated environment profiling. Twenty years ago, businesses might have had a “crunchy exterior” of firewalls and DMZs protecting their on-premise systems from the Big Bad Internet. With today’s virtual, cloud environments spanning continents, however, organizations need reliable, fast and secure access to partners and devices anywhere in the world.

•  What to look for: A real-time profiling capability that finds every asset (both hardware and software) as it joins the network and assesses its criticality so it can be properly managed and protected.


  1. Reuse of existing security controls. In the past, with only an on-premise environment and monolithic applications to protect, businesses could get by with a single set of security controls that (hopefully) they updated several times a year. Today, no one can afford the cost and delay of reinventing the security wheel for each new cloud environment and application service. 

• What to look for: The ability to reuse existing security policies and controls across multiple clouds and application architectures. The resulting consistency improves everything from security to reliability to security audit performance. It also avoids the cost, delay and pain of getting all stakeholders on one page about security.


  1. 24/7 incident response. In the past, it was enough for an MSSP to alert customers to a problem and leave it to them to solve it. Today’s enterprises can’t wait that long to fix the problem and may not have the staff or budget to fix it themselves. 

• What to look for: Not just notification of an issue but the ability to fix the problem remotely or dispatch a team to the business site.


  1. Analysis and correlation. Twenty years ago, MSSPs used homegrown log collection and correlation engines coupled with third-party services. While adequate (sometimes), they couldn’t show the whole range of threats, much less provide guidance on which to prioritize and how to fight them most effectively.

• What to look for: Collection and analysis of data from in-house and external sources to find even hidden threats by comparing, say, an unusual server access attempt with a list of suspicious IP addresses from a third-party service.


  1. Analysis of anomalies in user behavior. A company’s worst security nightmare might not come neatly wrapped with a malware label on a blacklist. It might come from a seemingly legitimate user logging in from an unusual place or an unusual time. 

• What to look for: The use of geospatial data and other information, such as a user’s travel plans, to tell an organization whether an assistant vice-president logging in from Guangdong is a hacker or is really Charlie visiting your Chinese distribution partner.


  1. Data lake for log analysis and incident investigation. The explosion in security log data has been a growing headache for years. But with the average organization using scores of security tools and trying to correlate this data with more third-party data, too much potentially useful information about security events grows stale before it can ever be used. 

• What to look for: The use of a data lake to store vast amounts of security log data in its natural formats, which makes it easier to identify and extract the data required to quickly investigate any threat.


  1. Integrated intelligence and investigation of anomalies. With security threats continuously evolving, MSSPs require up-to-date intelligence so they don’t miss vital clues in an investigation. They also need to use that data to prevent users from, for example, accessing a malicious site that uploads malware to their computer. This includes creating and tracking the hashes of malware to more easily find and remove it.

• What to look for: Tightly integrated processes for gathering and analyzing threat intelligence and investigating anomalies.


  1. Leveraging security operations orchestration and automation (SOAR). Today, an average organization might own thousands of sensitive assets, face thousands of security alerts per day and run dozens of security tools. No amount of human effort, even if it were affordable, could keep up with the sheer scale and complexity of this challenge.

• What to look for: Orchestration and automation of security operations.This reduces not only the MSSP’s costs but also the customer’s expenditures. Even more importantly, it ensures that the different parts of the security function (such as intelligence and analysis) work together in defined, consistent ways. Automation, as with orchestration, speeds the all-important time to remediation.


  1. Managed detection and response. A legacy MSSP might expect businesses to investigate and resolve events on their own, assuming the customer had the staff and skills. Today, even if the business could afford the staff, it can’t afford to wait for that staff to work manually toward remediation.

• What to look for: Suggested actions to counter threats, ideally through automated workflows for the customer’s staff to follow. This capability enables customers to not just know about but also fight security threats.


Today’s security landscape is infinitely more complex and fast-evolving than it was just a couple of years ago. Even businesses that have entrusted their security to an MSSP in the past must reevaluate them to ensure they have the up-to-date capabilities required to protect them now and in the future. These nine capabilities will increasingly become tablestakes for ensuring security in the digital age.

Sam Dillingham, Associate Director of Managed Security Services Strategy at Cognizant, contributed to this blog.


Jeffrey Lewis

Jeffrey Lewis

Jeffrey Lewis is Global Head of Portfolio Strategy and Positioning for Cognizant’s Security Practice.  He is a recognized expert in the strategic... Read more