NEW TECH: Critical Start delivers MSSP network protections with ‘radical transparency’

By Byron V. Acohido

It was in 2012 that CRITICALSTART burst onto the Managed Security Service Provider (MSSP) scene with bold intentions.


The Plano, TX-based company sought to elevate the “MSSP” space high above the accepted standard at the time. It set out to do this by delivering security services built on a Zero-Trust model that also gave its customers radical transparency.

CRITICALSTART has since grown to 105 employees, serving hundreds of customers. In 2018, revenues generated by its core Managed Detection and Response (MDR) service grew 300 percent as compared to 2017.

What struck me most as I prepared to meet up with Jordan Mauriello, CRITICALSTART’s VP of Managed Services, was how the company has stuck to its guns, providing Zero-Trust and “radical transparency” to its customers.

No one in the cybersecurity community would dispute the fact that widely sharing intel detailing what the bad guys are doing, as well as measures that prove effective in deterring them, should be standard practice – for the greater good.

However, in reality, competitive instincts still get in the way all too often. It was with this in mind that I met with Mauriello at RSA 2019, and he walked me through the path CRITICALSTART has successfully navigated. For a full drill down, give a listen to the accompanying podcast. Here are key takeaways:

Foundation of trust

Radical transparency isn’t a new thing, but we are seeing it more in security, along with a growing need for a Zero-Trust model. Mauriello observed that companies shopping for contracted security services are open to taking a trust-but-verify approach, and are looking for service providers to build that trust foundation by operating out in the open.


“One of the chief complaints we heard was that they didn’t have transparency with their service provider,” said Jordan Mauriello. “There has to be a concept beyond just giving them visibility, beyond just giving them metrics and numbers, but something a little more radical.”

It’s what customers want. Traditionally, service providers run platforms in silos – one platform for their analysts, one platform for ticketing and management, one platform for communicating with the customer. If and when a customer wants to see what really happened in their system, there’s no easy way to do that.

Radical transparency gives the customer a clear vision of what the MSSP is doing on their behalf, and thus empowers the customer to be able to hold the service provider accountable. “Shouldn’t they be able to hold us accountable for what they’re paying us?” Mauriello wondered.

Getting radical

The key word here is radical. Being transparent is one thing, but radical transparency opens up a vision in a more thorough way than ever before. It’s, well, a radical shift. In terms of the service provider-customer relationship, it means removing the idea of a multi-tiered platform of systems that are separated from the customer.

Think of it as a parent and child relationship, Mauriello said, where the parent has access to check in on their child’s activities. The organization (parent) can see what the service provider (child) is doing on their behalf.

“They can go in and look at actual work our analysts did for them in the same platform we do it in because it’s the same platform they use,” he added. “If they have child companies – and we do have customers that are parent organizations with child companies – they can go look at the work that’s happening there.”

How Zero-Trust works

Zero-Trust depends on that concept of trust-but-verify. Traditionally, a service provider collects an enterprise’s data in one place, generally a SIEM or some other log management tool, and the analysis rule is to look for matches against known-bad activity. That approach assumes everything is good until it matches something bad: innocent until proven guilty.

“A Zero-Trust engine is the exact opposite,” said Mauriello. “We’re going to collect all the same events but we’re going to assume every single one of them is bad until we can prove it good.”

With the combination of Zero-Trust and radical transparency, you are verifying the good and you’ve opened up your playbook for your customers to read. That’s a good thing. Customers shouldn’t assume they have to automatically trust what their service provider is doing; they should have the opportunity to verify it, too. Talk more soon.
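As an added illustration, not code from CRITICALSTART or from this article, the following Python sketch runs the same constructed event stream through both playbooks described above: the traditional “find the bad matches” triage, which clears anything that matches no known-bad rule, and a Zero-Trust triage, which escalates anything that no verification rule can prove good. The hosts, users, process names and rules are all hypothetical. Each verdict carries the name of the rule that produced it, which is the kind of record a customer would need in order to verify the provider’s work rather than take it on trust.

```python
"""Added example (not the article's or CRITICALSTART's code): 'good until proven bad'
versus 'bad until proven good' triage over constructed sample events."""

from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, object]
Rule = Tuple[str, Callable[[Event], bool]]  # (rule name, predicate)

# Constructed sample events; hosts, users and process names are hypothetical.
SAMPLE_EVENTS: List[Event] = [
    {"id": "e1", "user": "svc_backup", "process": "backup.exe", "host": "fs01", "hour": 2},
    {"id": "e2", "user": "alice", "process": "outlook.exe", "host": "ws17", "hour": 9},
    {"id": "e3", "user": "alice", "process": "known_bad_tool.exe", "host": "ws17", "hour": 9},
    {"id": "e4", "user": "bob", "process": "powershell.exe", "host": "ws22", "hour": 23},
    {"id": "e5", "user": "svc_backup", "process": "backup.exe", "host": "ws22", "hour": 2},
]

# Known-bad rules: the traditional playbook only looks for these matches.
KNOWN_BAD: List[Rule] = [
    ("known-bad-tool", lambda e: e["process"] == "known_bad_tool.exe"),
]

# Verification rules: what the Zero-Trust engine must see before it calls an event good.
# Anything these rules cannot explain stays suspect (hypothetical rules).
VERIFIED_GOOD: List[Rule] = [
    ("backup-job", lambda e: e["user"] == "svc_backup"
                             and e["process"] == "backup.exe"
                             and e["host"] == "fs01"
                             and 1 <= e["hour"] <= 4),
    ("office-hours-mail", lambda e: e["process"] == "outlook.exe"
                                    and 8 <= e["hour"] <= 18),
]


def first_match(rules: List[Rule], event: Event) -> Optional[str]:
    """Return the name of the first rule whose predicate accepts the event, else None."""
    for name, predicate in rules:
        if predicate(event):
            return name
    return None


def triage_find_the_bad(events: List[Event]) -> Dict[str, Tuple[str, str]]:
    """Good until proven bad: only events matching a known-bad rule are alerted on."""
    verdicts: Dict[str, Tuple[str, str]] = {}
    for e in events:
        hit = first_match(KNOWN_BAD, e)
        verdicts[str(e["id"])] = ("alert", hit) if hit else ("benign", "no known-bad match")
    return verdicts


def triage_zero_trust(events: List[Event]) -> Dict[str, Tuple[str, str]]:
    """Bad until proven good: an event is cleared only when a verification rule explains it.

    Everything else is escalated, whether or not it also matches a known-bad rule."""
    verdicts: Dict[str, Tuple[str, str]] = {}
    for e in events:
        proof = first_match(VERIFIED_GOOD, e)
        if proof:
            verdicts[str(e["id"])] = ("cleared", proof)
        else:
            reason = first_match(KNOWN_BAD, e) or "unverified activity"
            verdicts[str(e["id"])] = ("escalate", reason)
    return verdicts


def escalated(verdicts: Dict[str, Tuple[str, str]]) -> List[str]:
    """Event ids that reach an analyst under a given playbook."""
    return sorted(i for i, (verdict, _) in verdicts.items() if verdict in ("alert", "escalate"))


if __name__ == "__main__":
    for label, fn in (("find-the-bad", triage_find_the_bad), ("zero-trust", triage_zero_trust)):
        print(f"== {label} ==")
        for event_id, (verdict, reason) in fn(SAMPLE_EVENTS).items():
            print(f"  {event_id}: {verdict:8s} ({reason})")
```

On this sample, the traditional playbook surfaces only the event that names a known-bad tool, while the Zero-Trust triage also escalates the late-night PowerShell session and the backup account running on an unexpected host, because no verification rule accounts for them. The cost of the second approach is that the verification rule set has to be maintained as the environment changes, which is exactly why an open, shared record of which rule cleared which event matters.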


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Last Watchdog’s Sue Poremba contributing.)
