
Build a Cybersecurity Services Offering

Level up your approach to offering security-as-a-service.


You want to shift the focus of your IT services toward cybersecurity. There is an appetite for this in the market, and this is a much higher-valued service than traditional IT strategy, services, and support.

You don’t want to simply resell protective technology, but would rather take a more strategic approach that ensures that there are no gaps in your offering that create a false sense of security in your customers.

You are not sure how to position your offering against what you might already have, and competitive offers.

Our Advice

Critical Insight

  • Security services are journeys, not simply solutions for resale. Don’t try to sell a turn-key solution that activates “protection” upon purchase. Rather, approach security services offered as a partnership. It is, after all, a continuous journey of improvement and course correction that evolves in accordance with the changing cyberthreat landscape as well as your customer’s shifting business priorities.
  • Know your role. A Virtual CISO cannot govern an unmanaged process, just as an MSSP cannot enforce a policy which hasn’t been written. Between customers, providers, and any other third parties, it is critical to know who is playing what role in the information and cybersecurity protection spectrum.
  • Change the conversation from cost to risk. The question is not whether the customer can afford protection. Rather, it’s how much risk can they afford to withstand. Create service tiers aligned to these levels of risk rather than tiers aligned to affordability.
  • Deliver your services the same way every time. Customers are like snowflakes; each one is unique. Your service offering will address this uniqueness within its interactions and deliverables, but the delivery of those interactions and deliverables must remain consistent across your customer base.

Impact and Result

Customers buy services that replace or uplift a function within their organization. Your job is to clarify which function you’re serving, and specifically what that function will do. In this research, we help you do just that.

  • Determine the functional role your service offering will play within the customer’s organization
  • Develop the activities within that role based on a well-known cybersecurity framework.
  • Standardize the activities so that they can be performed consistently by your entire delivery team.

Build a Cybersecurity Services Offering Research & Tools

1. Develop a Cybersecurity Service Offering - This storyboard explains the methodology for creating complete, well-scoped, standardized cybersecurity service offerings that align to a well-known cybersecurity control framework.

Unite your delivery team. An undefined service offering leaves everything up to those on the front lines of delivery. Use our method and tools to gather the best of what the delivery team has to offer and cement it as your unique approach to delivering cybersecurity services.

2. Security Service Design Workbook - Standardize these activities and deliverables to scale the delivery and make it easier to sell.

Use this research to determine the specific activities and deliverables needed to refine your cybersecurity services offering, while aligning them to a well-known cybersecurity control framework.


Analyst Perspective

Cybersecurity defense is an ongoing continuous improvement process.

As providers we must stop selling “solutions” and instead offer “services”. As consultants we must engage on strategy, risk, and compliance.

Over the last decade the Managed IT Services industry has done a fantastic job of productizing IT services. Providers can aggregate a suite of common technology solutions from multiple distributors into a complete “tech stack” and resell its ongoing operation and management for a combined cost per user.

But I see many challenges with taking this same model and shifting it squarely into the cybersecurity space. For one, there may be gaps in the service offering. Perhaps the solution bundles end-user device protection with managed firewall, email protection and backup, and security awareness training. On paper it seemed complete, and added up to a per-user price that was digestible. But perhaps it failed to include a solution for better password management, or privileged access management. Gaps in the offering mean gaps in cybersecurity defense; how does a provider know where to stop stacking on solutions?

Our approach to ensuring a complete cybersecurity offering is to clarify two items: what role you play, and what that role does against a well-known control framework. Whether you’re looking to offer Virtual CISO, or MSSP, or something of your own design – deriving what you deliver based on who you are and what controls you’re working with – your offering will be tightly scoped, scalable, and much easier to explain to your prospects.

Fred Chagnon
Principal Research Director, Consulting & Technology Service Provider Industry
Info-Tech Research Group

Executive Summary

Your Challenge

You want to shift the focus of your business to cybersecurity. There’s an appetite for this in the market, and it’s a much higher-valued service than traditional IT strategy, services, and support.

You don’t know how to create an offering that customers will buy; with so many services and technology tools in this field, what is the right offer?

You’re not sure how to position your offering against what you might already have, and competitive offers.

Common Obstacles

Your existing customers may already believe that cybersecurity protection has been fully in scope. Your customer does not differentiate cybersecurity from broader technology problems. Ask them who they’d call if they experienced a ransomware attack; if you’re already established as their MSP or Virtual CIO, it’s probably you.

A true cybersecurity service offering goes beyond traditional network and infrastructure security, into protecting identity, shaping behavior, and addressing risk and compliance.

Info-Tech’s Approach

Customers buy services that replace or uplift a function within their organization. Your job is to clarify which function you’re serving, and what that function will do specifically. In this research, we help you do just that.

  • Determine the functional role your service offering will play within the customer’s organization
  • Develop the activities within that role based on a well-known cybersecurity framework.

Cybersecurity enhancements are an objective for most small businesses

Companies are accepting that cybersecurity is a business imperative – not an insurance policy.

Companies realize the need to enhance cybersecurity and focus on regulatory compliance.

  • 52% of small businesses are looking to enhance cybersecurity protections.
  • 21% feel they also need to focus on security & privacy regulation compliance (ConnectWise).

IT Service Providers will fill the skill gap by increasing focus on managed cybersecurity services.

  • The number of IT service providers offering cybersecurity services is expected to increase by 70-80% in the next three years.
  • Partnerships with security operations centers (SOCs) are also expected to grow by 70-80% over the same period (ConnectWise).

IT Consulting Practices will be sought out for specific cybersecurity engagements.

  • The cybersecurity consulting market is growing at a compound annual growth rate (CAGR) of 8.4% (Douglas Insights).
  • Strategic planning, vulnerability testing, risk assessment, and audit preparation and remediation remain the most commonly sought after consulting engagements.

(Chart: Technology goals for the next five years)

Many organizations that make use of MSPs think “security” is all-inclusive

In truth, traditional MSPs typically cover a fraction of cybersecurity controls.

Network & Infrastructure Security (inner ring)

  • Traditional MSPs typically cover network and infrastructure security. They encompass the protection of systems and networks. This includes such perimeter security as firewalls, access management, password management, DNS protection, network traffic encryption, etc.

Cybersecurity (middle ring)

  • MSPs typically cover cybersecurity. They encompass the protection of business assets from digital threats, and assist with privacy and regulation compliance. This domain covers security policies and procedures,

Information Security (outer ring)

  • The enterprise is responsible for information security. Everyone must protect non-digital information, including hardcopy data, and the distribution of information through non-digital means.

Layers of Cybersecurity Controls

Info-Tech Insight

Separating network security controls from cybersecurity controls is a challenging thought exercise even for experts in the field, so don’t expect your customers to know the difference. Be clear on what you cover.

Cybersecurity protection shouldn’t be bundled the same as managed IT services

Taking a technology-first approach to offering cybersecurity services is flawed.

STEP 1: Assemble a suite of re-sellable protective technology.
STEP 2: Package the technology and associated services into bundles offered at various price points.
STEP 3: Sell the bundle to your customer, based on your customer’s needs and price point.
STEP 4: Manage the protection based on your customer’s needs and price point.

Challenge #1: No clear role.

If the provider isn’t clear on who they are, they can’t be clear on who they are not. This leads to unclear lines of accountability, and scope creep within the engagement.

Challenge #2: Wrong motivation.

When the customer buys only what they want to afford, they may be leaving themselves and their provider at risk. Cybersecurity protection is not a luxury item to be purchased based on price.

Challenge #3: Gaps in the provided safeguards.

When tools and tasks are assembled with no strategy, there will be gaps in the safeguards that they provide. A control framework is needed to ensure a complete offering.

Info-Tech Insight

The standard approach that MSPs have used for packaging technology does not work for cybersecurity because completeness of the offering is of paramount importance. Therefore, a control framework is critical to ensure that the offering is complete.

The Info-Tech difference:

STEP 1: Provider’s role to play in an outsourced capacity is determined.
STEP 2: Provider determines the tasks that will be performed within the service by aligning the role against a well-known framework of cybersecurity safeguards.
STEP 3: Provider determines the supporting resources (i.e. technology, deliverables) needed to underpin the tasks they are performing.
STEP 4: Provider bundles the tasks and associated technology into tiers that are aligned to increasing risk profiles.
STEP 5: Provider sells the bundle to a customer based on the customer’s risk profile.
STEP 6: Provider protects the customer based on their exposure risk.

Info-Tech’s Methodology for designing a cybersecurity service offering

01 Determine your role
Define the role you will be playing as a cybersecurity expert based on our functional area models. Are you offering cybersecurity leadership and governance services? Are you offering a managed security operations center?

02 Scope your activities
Refine the list of role-based activities you will be performing in the capacity of the service that you are designing. Use a well-known list of critical security controls as a framework to determine these activities.

03 Standardize your delivery
Standardize your delivery by ensuring that all the activities within the scope you previously defined are documented, repeatable, and, where possible, proactively managed.

Insight summary

Overarching insight

Security services are journeys, not simply solutions for resale. Don’t try to sell a turn-key solution that activates “protection” upon purchase. Rather, approach security services offered as a partnership. It is, after all, a continuous journey of improvement and course correction that evolves in accordance with the changing cyberthreat landscape and your customer’s shifting business priorities.

Phase 1 insight

Know your role. A Virtual CISO cannot govern an unmanaged process, just as an MSSP cannot enforce a policy which hasn’t been written. Between customers, providers, and any other third parties, it is critical to know who is playing what role in the information and cybersecurity protection spectrum.

Phase 2 insight

Change the conversation from cost to risk. The question is not whether the customer can afford protection. Rather, it’s how much risk can they afford to withstand. Create service tiers aligned to these levels of risk rather than tiers aligned to affordability.

Phase 3 insight

Deliver your services the same way every time. Customers are like snowflakes; each one is unique. Your service offering will address this uniqueness within its interactions and deliverables, but the delivery of those interactions and deliverables must remain consistent across your customer base.

Blueprint Outcomes

1. Clearer scope: Stop yourself from getting pulled into the operational aspect of cybersecurity defense if your role is that of a Virtual CISO. Build offerings with role-based scopes, and layer on new services, or partnerships where appropriate.
2. Clearer approach: Unite your delivery team. An undefined service offering leaves everything up to those on the front lines of delivery. Use our method and tools to gather the best of what the delivery team has to offer and cement it as your unique approach to delivering cybersecurity services.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Security Services Control Map

A guide using the CIS Controls v8 framework to determine the duties within an engagement based on functional area


Security Services Service Definition Workbook

This tool is used to take the activities and deliverables through a standardization activity to ensure your offering can be delivered with consistently high-quality.


Info-Tech offers various levels of support to best suit your needs

DIY Toolkit
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful"
Guided Implementation
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
Workshop
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
Consulting
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks are used throughout all four options.

Phase 1

Determine Your Role


This phase will walk you through the following activities:

  • Understanding the soft delineation between various roles within the cybersecurity practice areas.
  • Delineating the specific activities performed by each of these roles.
  • Selecting the most appropriate roles around which to build a cybersecurity service offering.

This phase involves the following participants:

  • Consulting partner or IT service provider business owners and/or directors
  • Service delivery manager(s)
  • Practicing or prospective virtual/fractional CISO(s)


Service scope is a major driver to your cybersecurity offering

Your delivery must be well-defined and strike the right balance to meet your clients’ needs.

Imbalance has financial and reputational implications: Too much security and you are losing profit margins; too little and you are leaving holes in your defense and struggling to articulate value.

Understand client needs to avoid gaps. When service design starts from a list of capabilities you could offer or technology tools to bundle in a package, what results is a service offering with gaps.

Set the scope of your service offering up front. Understand the role you play, and how it relates to other functional areas.

Clearly define accountabilities and deliverables. When it’s not clear specifically what function you serve, you risk getting pulled in unexpected directions based on individual customer needs.

Scoping starts with knowing the role you’re filling

Information security roles exist across three broad domains.


A hybrid approach to outsourcing information security is very common


No matter the model, the customer maintains full accountability!

“The workforce of the future needs to be agile and adaptable, enabled by strong partnerships with third-party providers of managed security services. I believe these hybrid models really are the security workforce of the future.” -- Senior Manager, Cybersecurity at EY

Info-Tech Insight

Completeness is key! Knowing the role your service offering fills is important to define the scope of your engagement. However, it’s equally important to know how the other roles are being covered, between your organization, the customer, and any other third-party. The success of your engagement depends on this.

Strategy, Governance, Risk & Compliance

The Information Security Leaders, Advisors, Policy Makers, and Agents of Change.

Risk Assessment: Regularly assessing, quantifying, and communicating risk to business leaders.

Program Management: Strategy planning, communicating, and overseeing the execution of the information security program.

Policy and Procedure Definition: Establishing and socializing best practice policies and procedures and associated organizational posture and culture.

Compliance Management: Establishing the organizational requirements for compliance with privacy and other industry-specific information security regulations (e.g. HIPAA, FedRAMP), and with the requirements of other governing bodies.

Customer Domain Role:
  • CISO

Service Provider Domain (as-a-Service) Role:
  • Virtual / Fractional CISO
  • Information Security Advisor to the CIO

Competency Check: This role aligns to the competencies covered in the following certifications:

Engineering, Management & Operations

The Information Security Technical Experts and Policy Enforcers.

Technology Management: Acquiring, installing, configuring and operating protective technology solutions.

Policy Enforcement: Enforcing the policies established by leadership and providing corrective guidance where needed.

Risk and Non-Compliance Communication: Communicating identified risks and non-compliance to information security leaders.

Incident Detection and Threat Hunting: Monitoring for and alerting on suspicious behavior, anomalies, and other potential incidents.

Customer Domain Role:
  • Information Security Operations Manager
  • Information Security Engineer / Administrator

Service Provider Domain (as-a-Service) Role:
  • Managed Security Service Provider (MSSP)

Competency Check: This role aligns to the competencies covered in the following certifications:

Incident Detection, Response & Recovery

The Information Security Response, Recovery and Remediation Team.

Incident Response: Responding to and investigating alerts of suspicious activity.

Root Cause Analysis: Performing root cause analysis on security incidents and liaising with information security management as part of a continuous improvement plan.

Remediation and Recovery: Remediating upon detection of malware, presence of unauthorized access, or other cyber-related damage.

Customer Domain Role:
  • Information Security Operations Manager
  • Information Security Engineer / Administrator
  • Security Operations Center (SOC)

Service Provider Domain (as-a-Service) Role:
  • Managed Security Operations Center (SOC)
  • Managed Detection and Response (MDR)
  • Extended Detection and Response (XDR)

Competency Check: This role aligns to the competencies covered in the following certifications:

Hybrid can be done in many ways

What matters is that all functions are always being performed by either the customer or the provider.

Scenario 1: Customer staffs a full-time CISO who establishes policy and posture, and partners with an MSSP/MDR service for operations.

Scenario 2: Customer’s internal security team takes control of day-to-day operations. The CIO employs a vCISO for advice and expertise, as well as a managed SOC/MDR to alleviate internal SecOps.

Scenario 3: Fully outsourced, either to a single full-service partner or to multiple partners. The customer retains accountability for cybersecurity protection.

“You can’t govern what doesn’t exist. It’s all well and good to assess and document a company’s security stance, but if there are no means to implement and manage, and monitor security controls on an ongoing basis, then you will have no chance of long-term success.”

- Anonymous Fractional CISO

‘Red Team’ Exercises

A service offering that provides ethical hacking techniques as part of an overall improvement program.

Penetration testing and ethical hacking are other terms for Red Team exercises.

Red Team exercises are designed to reveal vulnerabilities in a company’s security defense by actively detecting and exploiting weaknesses in security processes.

Organizations often seek external partners to act as the Red Team, while maintaining their own internal security operations department on defense as the Blue Team.

When purchased as a service offering, Red Team exercises should provide, as an output:

  • A heat map of the organization’s detection and protection maturity, mapped to tactics, techniques, and procedures.
  • An analysis of the effectiveness of existing cybersecurity countermeasures.
  • Gaps in the organization’s defense.
  • Metrics on mean time to detection (MTTD) and mean time to remediation (MTTR).

Cost of unplanned downtime

The average cost of a data breach in 2020 in the United States was $3.86 million.

The average time to detect a breach was 207 days. (IBM Security)

Info-Tech Insight

You can’t play both sides. Either offer the Red Team exercises as a paid engagement to non-retained customers, or have your Managed Security Services put to the test as the Blue Team by encouraging your retained customers to independently seek Red Team-like services.

1 Determine the role(s) for each service you will offer

1-3 hours

1. Determine the vision for your cybersecurity offerings. Ask the service design team the following questions:
   a) Do we see ourselves offering the Strategy, Governance, and Compliance functions (i.e. virtual CISO) as a service to our customers?
   b) Do we see ourselves offering the Engineering, Management, and Operations functions (i.e. MSSP) as a service to our customers?
   c) Do we see ourselves offering Incident Detection, Response, and Recovery (i.e. Managed SOC / MDR / XDR) as a service to our customers?
2. Tabulate any cybersecurity or related services offered today and categorize them. Which function are they drawing from today? Is there a mix?
3. Use the Control Map tab of the Security Service Design Workbook as a guide to see how each function is aligned to each control.

Input:
  • Existing Scope of Work / Service Description documents
  • Control Map

Outcome:
  • Consensus on which role(s) will be pursued as potential offerings

Materials:
  • Whiteboard/Flip Charts
  • Control Map Worksheet
  • Security Service Design Workbook
  • Existing Scope of Work / Service Description documents

Participants:
  • Consulting partner or IT service provider business owners and/or directors
  • Service delivery managers
  • Practicing or prospective virtual CISOs

Phase 2

Scope Your Activities

This phase will walk you through the following activities:

  • Establishing the scope of your activities based on a well-known control framework.
  • Determining a way to tier or package your offering based on the customer’s risk, rather than what they think they can afford.

This phase involves the following participants:

  • Consulting partner or IT service provider business owners and/or directors
  • Service delivery manager(s)
  • Practicing or prospective virtual/fractional CISO(s)

Info-Tech Insight

Change the conversation from cost to risk. The question is not whether the customer can afford protection. Rather, it’s how much risk they can afford to withstand. Create service tiers aligned to these levels of risk rather than tiers aligned to affordability.

An offering not built from the customer’s perspective will contain critical gaps in delivery

Gaps in a cybersecurity service offering increase the customer’s exposure.

Provider-centric approaches...

Stick to what the provider can do and sell today. Itemizes the activities based on the provider’s internal capability, or on a line card of products that are desirable for the provider to resell.

Priced in accordance with effort and complexity. Establishes a range of offerings using a tiered pricing structure in accordance with their effort and complexity for the provider to deliver.

Results:

  ✗ Gaps in coverage as a result of an incomplete approach.
  ✗ Gaps in coverage as a result of a customer’s budget not matching their risk profile.

Customer-centric approaches...

Backed by a well-known control framework. Activities are backed by the controls of a well-known cybersecurity framework (e.g. CIS v8, NIST).

Priced in accordance with the customer’s risk, and the value in mitigating it. Establishes a range of offerings using a tiered pricing structure in accordance with their effort and complexity to deliver.

Results:

  ✓ A more holistic and complete service offering, backed by a well-known, externally vetted framework.
  ✓ Priced in accordance with the customer’s risk, and the value in mitigating it.

Align the activities you will perform to the role you intend to cover

Use the Control Map in the Service Design Workbook to align the activities to the role.

  • For each safeguard (row) in the control framework, consider the activity documented in the appropriate role column.
  • Activities in subsequent columns are out of scope. However, they should be noted as customer obligations within the scope of the given engagement.

Example:

1. We must establish and maintain a software asset management policy, in accordance with this specific safeguard.
2. Our offering is targeted to the Strategy & Governance role, so our activities will include establishing the asset management policy and conducting a bi-annual review of the inventory.
3. The customer’s obligation is to ensure that the policy is enforced regularly.

Don’t let your customers shop for protection

Tiers based on COST.

  ✗ Leads to the wrong buyer motivation: The customer will be shopping based on what they can (or want to) afford, rather than what they need.
  ✗ Encourages bad product design: If all your customers choose the cheap package, are you profitable? Are they all adequately protected? Cybersecurity is not a field where we can afford to be playing decoy pricing games.

Change the conversation from cost to risk

Tiers based on customer risk profile.

  ✓ Leads to the right motivation: The option you sell is not based on a price; it’s based on the appropriate level of protection needed based on business risk.
  ✓ Encourages good product design: Your offerings are always right-sized and tailored to customer needs. And the effort needed to implement each is incrementally scalable.

Use the CIS Controls v8 IGs to tier your offering

The Center for Internet Security’s framework has sorted its controls into service tiers.

The CIS Controls v8 Framework consists of 18 control categories, totaling 153 safeguards within them.

Implementation Groups (IGs) effectively sort the safeguards into categories of increasing risk profile.

These Implementation Groups can be adapted to service tiers in your offering. This provides the following advantages:

  • Meet your customers where they are. Every customer presents a different risk profile. Just as some customers require much more protection than they would willingly choose off a menu, others will never require maximum security.
  • Build your service offering brick by brick. Start with the basic 56 safeguards and deliver them well before taking on customers that need more. Grow with your customers, and you’ll avoid overselling and under-delivering (the stakes are too high in cybersecurity).

Implementation Group 1 (IG1)

Basic Cyber Hygiene.

The target customer of an IG1 is described by the CIS as:

“Typically, small to medium-sized with limited IT and cybersecurity expertise to dedicate toward protecting IT assets and personnel. A common concern of these enterprises is to keep the business operational, as they have a limited tolerance for downtime.”

The data security of an IG1 is described by the CIS as:

“low and principally surrounds employee and financial information. Safeguards selected for IG1 should be implementable with limited cybersecurity expertise and aimed to thwart general, non-targeted attacks. These Safeguards will also typically be designed to work in conjunction with small or home office commercial off-the-shelf (COTS) hardware and software.”

Examples: Most small/medium businesses with little to no technology staff. Small-business retail, non-profit boards, and other SMBs with low-risk data and availability concerns.

Source: Center for Internet Security

Implementation Group 2 (IG2)

Moderate Cyber Controls.

The target customer of an IG2 is described by the CIS as:

“…(employer of) individuals who are responsible for managing and protecting IT infrastructure. These enterprises typically support multiple departments with differing risk profiles based on job function and mission.”

The CIS says of the compliance requirements of an IG2:

“…small enterprise units [within the organization] may have regulatory compliance burdens”

Of the data sensitivity of an IG2, the CIS says:

“…often store and process sensitive client or enterprise information and can withstand short interruptions of service. A major concern is loss of public confidence if a breach occurs.”

Examples: Schools, government-adjacent organizations, and other SMBs that operate in regulated fields (health care or government), or smaller enterprises with some IT staff and moderate concerns about public exposure.

Source: Center for Internet Security

    Implementation Group 3 (IG3)

    Maximum Security Control Implementation

    Regarding target customers of an IG3, the CIS says:

    “…commonly employs security experts that specialize in the different facets of cybersecurity (e.g., risk management, penetration testing, application security).”

    The CIS says, regarding compliance requirements of an IG3:

    “…assets and data contain sensitive information or functions that are subject to regulatory and compliance oversight.”

    CIS further describes an IG3 target’s risk profile:

    “…must address availability of services and the confidentiality and integrity of sensitive data. Successful attacks can cause significant harm to the public welfare.”

    Examples: Health care, small government, and large retail organizations with sensitive or private data and/or concerns about public exposure.

    Source: Center for Internet Security

    Implementation Group Summary

    IG category   Cybersecurity expertise in-house   Compliance requirements   Data sensitivity and availability concerns
    IG1           Little to none                     None                      Low
    IG2           Some IT generalists                Some                      Moderate
    IG3           Competencies exist in-house        Significant               High

    Info-Tech Insight

    Crawl, walk, run. Use service tiers as a means of developing your own internal capability. Providers new to offering cybersecurity services may only wish to target customers who fit the least risky tier, and develop their capability before seeking out riskier clientele.

    2 Determine the list of activities performed within the engagement

    1-3 hours

    1. Use the Control Map tab in the workbook and go through each safeguard item one by one.
    2. a) Given the role we want to play, are we prepared to perform the task required for each role, to meet that safeguard?
      b) Fill out columns C through I in the Service Definition Worksheet. In particular, record any outstanding actions that prevent the organization from delivering that service today (e.g., staff training, access to proper tools, etc.).

    Use the Control Map tab in the workbook

    Download the Cybersecurity Service Design Workbook

    Input
    • Existing Scope of Work / Service Description documents
    • Control Map Worksheet
    Output
    • List of activities in the Service Definition Sheet
    Materials
    • Whiteboard/Flip Charts
    • Control Map Worksheet
    • Security Service Design Workbook
    Participants
    • Consulting partner or IT service provider business owners and/or directors
    • Service delivery managers
    • Practicing or prospective virtual CISOs

    Phase 3

    Standardize Your Delivery


    This phase will walk you through the following activities:

    • Standardizing the activities within the engagement based on their frequency, duration, trigger, and key deliverable(s).
    • Developing a subsequent capacity model and customer journey.

    This phase involves the following participants:

    • Consulting partner or IT service provider business owners and/or directors
    • Service delivery manager(s)
    • Practicing or prospective virtual/fractional CISO(s)


    Info-Tech Insight

    Deliver your services the same way every time. Customers are like snowflakes; your service offering will address their uniqueness within its interactions and deliverables, but the delivery of those interactions and deliverables must remain consistent across your customer base.

    Standardized activities deliver a consistent experience over many clients

    Frequency

    How often does this activity take place within the course of the service offering's usual lifetime?

    Duration

    How long does the activity take to execute? (elapsed time)

    Trigger

    What is the event that triggers the execution of this activity?

    Deliverables

    What are the associated input and output deliverables from this activity?

    Build a service capacity model using the activities in the engagement

    Use the ‘frequency’ and ‘duration’ fields to determine a rough order of magnitude on the per-customer time investment.

    • Any activity performed within the engagement can either be described as ‘repeatable’ or ‘one-time’. Repeatable activities occur on a cadence.
    • Duration is a measure, in hours or days, of the total work effort required to perform the activity. Record delivery-team effort here rather than calendar (elapsed) time: effort is what the capacity model adds up, and an activity that spans two weeks of elapsed time may cost only a few hours of work.

    Red Flags: When either of these values is ‘On Demand’ or ‘Varies’, you’re giving up control of the delivery of the service. This is necessary in many cases, but should be evaluated and done intentionally. Consider breaking these activities out as separate modules, available for a set fee.

    The combination of frequency and duration values totals the work effort

    When evaluated and documented correctly, frequency multiplied by duration, summed over every activity in the tier, gives the work effort per year for each client consuming the service. Divide the billable hours available from your delivery team by that figure to see how many clients the team can carry at each tier.
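The capacity model described above, worked through in code. This is an added example and not part of the Info-Tech workbook: the activity list, the tier assignments, the hours per execution, the cadence-to-occurrences mapping and the 1,600 billable hours per FTE are all constructed assumptions for illustration. It goes slightly beyond the text by treating tiers as cumulative (an IG3 customer receives the IG1 and IG2 activities too) and by separating first-year effort, which includes one-time activities, from steady-state effort. Activities whose frequency is "on-demand" or whose duration "varies" are reported as the page's red flags and left out of the plannable total.

```python
"""Rough-order-of-magnitude capacity model for a tiered security service.

Added example (not part of the Info-Tech workbook). Activities, tiers,
hours and the 1,600 billable hours per FTE are constructed assumptions.
"""
from dataclasses import dataclass
from math import floor
from typing import Optional

# Repeatable activities occur on a cadence; these are the occurrences per
# engagement year.  "one-time" runs once, in the first year only, and
# "on-demand" cannot be planned at all (a red flag for the capacity model).
OCCURRENCES_PER_YEAR = {"weekly": 52, "monthly": 12, "quarterly": 4, "annual": 1}
TIER_ORDER = ["IG1", "IG2", "IG3"]  # tiers are cumulative: IG3 includes IG1 and IG2 work


@dataclass(frozen=True)
class Activity:
    name: str
    tier: str                        # lowest tier in which the activity is delivered
    frequency: str                   # "one-time", a key of OCCURRENCES_PER_YEAR, or "on-demand"
    duration_hours: Optional[float]  # work effort per execution; None means "varies"
    trigger: str
    deliverable: str


def annual_hours(activity: Activity, first_year: bool) -> Optional[float]:
    """Hours per customer-year for one activity; None when it cannot be planned."""
    if activity.duration_hours is None or activity.frequency == "on-demand":
        return None
    if activity.frequency == "one-time":
        return activity.duration_hours if first_year else 0.0
    return OCCURRENCES_PER_YEAR[activity.frequency] * activity.duration_hours


def red_flags(activities):
    """Activities whose frequency or duration is open-ended and so unplannable."""
    return [a.name for a in activities if annual_hours(a, first_year=True) is None]


def tier_hours(activities, tier: str, first_year: bool) -> float:
    """Per-customer hours for a tier, counting every activity at or below that tier."""
    included = TIER_ORDER[: TIER_ORDER.index(tier) + 1]
    total = 0.0
    for a in activities:
        if a.tier in included:
            hours = annual_hours(a, first_year)
            if hours is not None:
                total += hours
    return total


def customers_per_fte(hours_per_customer: float, billable_hours_per_fte: float = 1600.0) -> int:
    """Whole customers one delivery FTE can carry at steady state (assumed 1,600 billable h)."""
    return floor(billable_hours_per_fte / hours_per_customer)


# Constructed sample activity list (hypothetical, not the workbook's).
SAMPLE_ACTIVITIES = [
    Activity("Onboarding security assessment", "IG1", "one-time", 16, "contract signed", "Assessment report"),
    Activity("Asset inventory review", "IG1", "monthly", 2, "calendar", "Updated asset register"),
    Activity("Awareness training session", "IG1", "quarterly", 1.5, "calendar", "Attendance record"),
    Activity("Incident triage", "IG1", "on-demand", None, "customer report", "Incident ticket"),
    Activity("Vulnerability scan review", "IG2", "monthly", 3, "scan completes", "Remediation list"),
    Activity("Policy review with leadership", "IG2", "annual", 8, "calendar", "Approved policy set"),
    Activity("Incident response tabletop", "IG3", "annual", 16, "calendar", "After-action report"),
    Activity("Penetration test coordination", "IG3", "annual", 24, "calendar", "Findings tracker"),
]


def capacity_summary(activities=SAMPLE_ACTIVITIES):
    """First-year hours, steady-state hours and customers per FTE for every tier."""
    return {
        tier: {
            "first_year_hours": tier_hours(activities, tier, True),
            "steady_state_hours": tier_hours(activities, tier, False),
            "customers_per_fte": customers_per_fte(tier_hours(activities, tier, False)),
        }
        for tier in TIER_ORDER
    }


if __name__ == "__main__":
    for tier, row in capacity_summary().items():
        print(tier, row)
    print("red flags (price these as separate modules):", red_flags(SAMPLE_ACTIVITIES))
```

With the sample list, an IG1 customer costs 46 hours in year one and 30 hours a year thereafter, IG2 costs 74 steady-state hours and IG3 costs 114, so one FTE carries roughly 53, 21 or 14 customers respectively. "Incident triage" is the red flag: it is excluded from the total and is exactly the kind of activity the page suggests breaking out as a separately priced module.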

    Make note of the state of your deliverables

    Green

    Deliverable exists in a format that the entire delivery team can access and make use of consistently. No further action required.

    Yellow

    Deliverable may closely resemble the vision or requires validation before being fully adopted as standard. Evaluate and modify until satisfied.

    Red

    Deliverable does not exist.

    Create and refine until satisfied.

    3 Standardize the activities in each tier

    1-3 hours

    1. Using the concept of Implementation Groups, discuss whether tiers of service are appropriate for your offering, aligning to the IGs presented in the framework.
    2. Use column J to denote the appropriate service tier for each activity.
    3. For each activity, discuss as a team the four (4) elements of the Standardized Approach:
    a) Frequency: How often does this activity take place within the course of the service offering's usual lifetime?
    b) Duration: How long does the activity take to execute (elapsed time)?
    c) Trigger: What is the event that triggers the execution of this activity?
    d) Deliverable: What deliverables are associated with closing this activity?
    For each deliverable, make note of whether the deliverable exists already, whether it exists in some form, or whether it needs to be created.

    Download the Cybersecurity Service Design Workbook

    Input
    • Existing Scope of Work / Service Description documents
    • Control Map Worksheet
    Output
    • List of activities in the Service Definition Sheet
    Materials
    • Whiteboard/Flip Charts
    • Control Map Worksheet
    • Security Service Design Workbook
    Participants
    • Consulting partner or IT service provider business owners and/or directors
    • Service delivery managers
    • Practicing or prospective virtual CISOs

    Additional Notes & Resources

    Several important facets of delivering cybersecurity services are outside the scope of this research, but may be covered in other Info-Tech publications:

    Insurance and Liability Coverage

    Help your customers prepare for and acquire a cybersecurity insurance policy. See Info-Tech’s research Assess Your Cybersecurity Insurance Policy for the associated insights and relevant deliverables.

    A service provider must limit their own liability in an appropriate manner. Info-Tech’s research note The Limitation of Liability Clause shares insights on how this clause should be negotiated between provider and customer.

    Compliance Program Management:

    Cybersecurity protection is often conflated with compliance. While there is certainly overlap, they are each their own program. Info-Tech’s research Build a Security Compliance Program contains within it the means to add compliance management to the delivery of your cybersecurity service offering.

    Information Security Maturity Metrics:

    Using metrics to continuously measure the maturity of a security program helps with continuous improvement. Incorporating these metrics into an offering allows the service provider to meet their customers where they are, and continue to demonstrate value year-over-year. See Info-Tech’s research Build a Security Metrics Program to Drive Maturity for the research in this area.


    Research Contributors and Experts

    Samuel Bourgeois
    vCISO
    Dataprise

    Isabelle Hertanto
    Research Practice Lead, Security, Risk & Compliance
    Info-Tech Research Group

    Vincent Lanzillo
    CTO, Customer Success
    Agio

    Michala Liavaag
    Managing Director, CISO Advisor
    Cybility Consulting Ltd.

    Ken Muir
    CISO
    LCM Security Inc.

    Mani Padisetti
    CEO & Co-Founder
    Digital Armour

    Rosy Pushkarma
    CISO
    Company Confidential

    Frank Sargant
    Senior Director, Security, Risk & Compliance
    Info-Tech Research Group

    Carlos Rivera
    Principal Advisor, Security, Risk & Compliance
    Info-Tech Research Group

    Jan Schreuder
    Co-Founder
    Cyber Leadership Institute

    Anonymous
    Senior Manager, Cybersecurity
    EY

    Multiple anonymous sources

    Bibliography

    Agio. “Information Security vs. Cybersecurity vs. Network Security.” SecureWorks, 2 March 2022.

    BarracudaMSP. “The Evolving Landscape of the MSP Business Report 2021”. BarracudaMSP. Apr 2021. Web.

    Center for Internet Security. “CIS Security Controls Implementation Groups”. CIS. Web. <https://www.cisecurity.org/controls/implementation-groups>. Accessed Mar 14, 2021.

    ConnectWise. “The SMB Opportunity for MSPs: 2021-2026”. 2021. ConnectWise . Web.

    Dicker, William. "An Examination of the Role of vCISO in SMBs: An Information Security Governance Exploration". ScholarWorks@Georgia State University. May 2, 2021.

    Douglas Insights. “Global Cyber Security Consulting Market Research Report – Industry Analysis, Size, Share, Growth, Trends and Forecast 2022 – 2028”. Douglas Insights. May, 2022. Web.

    Henson, Charles. MSSP Playbook. 2020. Print.

    Hewitt, Nick. “What Are Red Team Exercises and Why Are They Important?”. Imperva. 6 July 2021. Web.

    IBM Security. “Cost of a Data Breach Report 2020”. Ponemon Institute. 2020. Web.

    Jackson, Brian, host. “Panel - Rise of the Virtual IT Executive,” Tech Insights with guests Michael Ball and Fred Chagnon, 17 Aug. 2020.

    Maister, David H. and Charles H. Green and Robert M. Galford. The Trusted Advisor.

    Monocello, Mike. "Is Specializing as a Cybersecurity vCIO the Right Move for your Business?" XaaS Journal. June 21, 2022.

    “Network Security vs. Cybersecurity: Which Career Path is Best For You?”. SMU Lyle School of Engineering. Aug 31, 2021. Web.

    Palachuk, Kyle. Service Agreements for SMB Consultants. Great Little Book Publishing Co., Inc., Jan. 2018.

    Wilson, Stephen A., Dean Hamilton, and Scott Stallbaum. “The Unaddressed Gap in Cybersecurity: Human Performance.” MIT Sloan Management Review. May 26, 2020. Web.

    Author

    Fred Chagnon
