More companies than ever are hiring managed security service providers (MSSP) to manage some or all their security needs. MSSPs are especially helpful for companies with limited IT resources and expertise. But when entrusting a third party with your company’s most sensitive information you want to make sure you’ve chosen the right collaborator. Here is a guide to which factors to look for and which questions to ask when sourcing your MSSP.
Be Prepared: Know What You’re Looking For
The first thing to do is make sure you’re prepared: don’t leave any gaps in your IT security. An MSSP’s functions include managing intrusion detection systems and firewalls, organizing patches and upgrades and responding to emergencies. Many will offer regular audits and special products for their client’s use.
A security audit, risk assessment, or cyber security/resilience review will help you proactively track results: if an MSSP can’t provide you with a basic audit for cheap or free they’re not worth your time. You’ll have to codify your requirements, such as whether you need off-hour or full-time monitoring, comprehensive or only advanced skills that your team doesn’t have. This will determine whether you go for a lower or higher-end MSSP, i.e. semi-skilled or high skilled monitoring.
Secondly: make sure they understand your business model: if they can’t address your needs now they won’t be able to deal with future problems. Understand the MSSP market, the level of service you require and the service/s you’re asking about. A requirements document or statement of work can help clarify the details. Always make sure to read the contract of the agreement in full!
Establishing Their Reputation
Once you know what you want you’ll have to ensure that they’re offering it and that they are legitimate. Membership of professional security organizations such as ISSA and ISACA and attendance of major cyber security conferences are good indicators of their size, respectability and existing networks with others in the industry. Look for credentials such as Premium (or Gold) Partner, Partner of The Year etc. Find out how long they’ve been operating for, and any hiccups in their track record. Are they scrupulous about complying with federal regulations? A top cybersecurity firm will have a well-designed website: period. Finally, ask colleagues in your industry about who they use and why.
Check out the online biographies of the professionals who lead the MSSP’s team. Do they have the relevant technical or business credentials, and have they had success with previous companies? You’ll also want to know how they quality security candidates, how many they’re recruiting for, to see if they’re well-staffed. They should be prepared with a good answer.
What They’re Offering
You’ll want to understand which specific services they’re offering. If they specialize in one area they should excel in it, if they’re generalists they should be large and have a diverse workforce. Make sure you understand the details of their pricing: what is everything costing and how contingent is the contract? Review their insurance coverage policies. Do they outsource some of their tasks, if so how reliable are their third parties?
How They Work With You
Do they provide you with monthly analytics? If not, how can you review their performance? What data will you have access to as their client? You’ll want to know that they’re going to work well with your staff, that your staff has the technical understanding to work with them and that you have an incident response plan they’ll adhere to.
What You’re Responsible For
Whether you’re using an existing internal IT team in collaboration with an MSSP or entrusting almost all your security to them, you’re still responsible for some things. Make sure to regularly update software and browsers, use strong passwords, and consider hiding your network and/or use multi-factor authentication technology. Employee Codes of Conduct and training to make sure your staff are responsible web citizens – especially on social media – are a must-have.
Make sure the MSSP model is scalable for when your business evolves or changes. Your agreement should also be flexible enough to let you make new adjustments as your business and financial situation changes. Make sure your MSSP has no conflict with current or future clients and can work well with them, as well as with any of your outsourcing partners that may become involved. If you become dissatisfied with your service, will they change it? If better technology comes out, will they get it? What’s their roadmap for product development?
Now that you know what you’re looking for, how to vet and what to organize, the only thing to do is prepare your list of questions. Good luck!
Zohar Pinhasi, CEO, and Founder of MonsterCloud, is a leader in opening the cloud computing market to small- and medium-sized businesses. Zohar has 20+ years of experience with sophisticated technology systems.A leader in the fast-moving technology industry trend of cloud services, Zohar has spent the past 12 years evangelizing for small- and medium-sized businesses to shift to the cloud. A calculated risk-taker with deep tech industry knowledge, he continues to champion cloud services to his enterprise and consumer customers. The foundations of Zohar’s knowledge were established during a long training in an elite military technological unit. Zohar is also the founder of GOLBNET, a telecom company. Zohar’s motto: A dream is a seed. Vision plants it. Imagination nurtures growth. Opportunities create blooms.
Thoughts become things! (Donna McGoff)