
More often than not these days, MSSP service offerings typically do not include risk reporting to their clients. The ones that do typically are more mature, have been in the space longer, and think with more of a long-term mindset.

Of course, many Managed Security Service Providers (MSSPs) primarily deal with SMB-style customers who want to offload a variety of security responsibilities so that they do not need to worry about them. These duties are principally technical in nature, while risk reporting is more of a non-technical, executive function—something that IT security analysts wouldn’t necessarily want or need, and that they would use completely differently than an executive would.


This all means that MSSPs have a golden opportunity to differentiate themselves from their competitors by offering risk reporting services. If you are considering adding risk reporting to your offerings or have just now been struck by the idea, here’s what you need to know.

What Is Risk Reporting as a Service?

Simply put, risk reporting as a service (RRaaS) is a way to help non-technical users—those not involved in the day-to-day work of risk calculation—understand what risks they face and how those risks affect their business objectives.

Risk is a tricky term to define because it means different things to different people. When speaking with a CFO, for example, the term “managing risk” means something very different than when speaking with an Information Security analyst.

The most important thing when it comes to risk reporting is providing a simple, consistent, and common language that non-technical audiences can understand. When an MSSP and a customer come together to sign a statement of work, risk reporting needs to be clearly defined. What does the customer want and need to receive from the MSSP? Is it consolidating the output from dozens of different security products into a single monthly report, or perhaps automating the time-intensive process of collecting data and forming action items?

Before ink is put to paper, however, both parties need to have a conversation about the ambiguities of risk and how each of them understands the business’ status quo and desired outcome. In this respect, the “reporting” aspect of risk reporting is much less important than the “risk” part. The crucial questions for your customers in this regard boil down to: What do you want out of this engagement? What would be most helpful for you?

Then structure your reporting to help foster that goal.

The Value of RRaaS

Most companies have never generated a risk tolerance profile for themselves—and if they have, chances are it is outdated. Whether they have hired new employees, changed their business model, or updated their product set, something has almost certainly changed since they created one or the last time they revisited it.

Ideally, a risk tolerance profile should be revisited at least annually. MSSPs can expand their service offerings to include risk reporting services by helping their customers build such a profile or walking them through the steps of doing so. Once the profile has been finalized, it should help customers understand what level of risk they are and are not comfortable with. In turn, these realizations should have an impact on the budget of the security operations team.

Risk reporting also means having a core set of metrics that are tracked consistently over time. Later on down the line, your customers should be able to examine these same metrics and understand the progress that they have made since then.

Having a standard, comprehensible set of metrics is essential to the process of risk reporting. It is very difficult for a non-technical audience to understand the risk to their business objectives when couched in technical terminology.

Those with a technical background can mention the number of advanced persistent threats, vulnerabilities, or firewall hits in the past month—but what exactly does this mean to a non-technical audience? On the other hand, if you can say that you have seen a certain number of new and repeated threats, then the message is much clearer.

Of course, risk reporting will take a somewhat different form depending on who the customer is. MSSPs that work for large conglomerates can often take a more technical approach to their risk reporting than those working for SMBs because there is usually a higher level of expertise or maturity present within a larger organization.

However, in either case, the implications are clear: you need to demonstrate value by adjusting your risk reporting to a level that your customers are comfortable with or could learn from.

How Can You Differentiate Yourself with RRaaS?

Risk reporting services are a tremendous chance for MSSPs to cross-sell and upsell the additional services that they offer. The initial risk reports can make note of issues and needs that are addressed by the MSSP’s other solutions. Over time, new customers who may have just wanted to create a risk tolerance profile at the start gradually become more involved and invested in additional MSSP service offerings.

Even though it is incredibly valuable and a major pain point for many organizations, risk reporting services are not generally something that MSSPs choose to offer or highlight. Yet based on customers’ feedback, the opportunity is clearly there.

MSSPs may not have the team, the time, or the expertise to build an RRaaS solution from scratch. The good news, though, is that there is a platform that can provide that for you. GreySpark ingests log data from other products already deployed within the network. Instead of generating an alert after each noteworthy event, as a SIEM does, GreySpark uses a common information model to analyze long-term trends according to six key metrics that are non-technical in nature even though the underlying data is extremely technical. The result is a single, automated, non-technical risk report the whole team can understand. Perhaps the biggest benefit of all is the time left over to do the same for other customers.

Final Thoughts

Risk Reporting as a Service is a great way for MSSPs to differentiate themselves from competitors and increase the value they deliver to their clients.

Sure, IT environments are more complex and have more granularity today than ever before. You have no choice but to start from an immense amount of data, hewing and compressing it into a few key metrics. But real value comes when you’re providing something to your customers that’s difficult to do and not available everywhere. That’s how you earn your keep as an MSSP and how you’re able to influence your customers’ priorities as an organization.

About FourV Systems
FourV is dedicated to improving the operational performance of IT security programs by empowering leadership to make decisions instead of spending time analyzing data.