ANS Blog

How to Evaluate a Managed Security Service Provider (MSSP)

Hiring a managed security service provider (MSSP) to manage your cybersecurity (sometimes also called Security-as-a-Service or SaaS) is a sound business move for organizations that have limited IT resources, lack internal security expertise, struggle to hire security talent, or simply need to implement a security program faster than they could in-house. At the same time, outsourcing your security is a big move. After all, you're essentially placing your organization’s cybersecurity posture and the protection of your sensitive data in the hands of a third-party provider. Given the implications, it’s a decision that should be based on an in-depth evaluation, and one that should not be made solely on price.

There are several key factors that should be considered when evaluating and hiring a managed security service provider, and they are critical to making the right choice for your organization. Addressing them can help ensure you’re getting the right services for your needs, and will also set the stage for a long and positive working relationship. To help with the process, here are 10 key things you should be looking for in a managed security service provider, as well as some questions you should be asking potential vendor candidates:

1. A managed security service provider should understand how your business operates.

In order to provide the highest level of value, a managed security provider should take the time to understand your business model. Before recommending a solution, they should first ask questions about your business operations, service model, markets served and supplier relationships to make sure they have a clear picture of what you need. Without taking initial steps to collect and analyze this critical information, the solution isn’t a solution—it’s just a sale. A quality provider will spend a reasonable amount of time, up front, with each client—asking questions, uncovering pain points, and digesting the answers provided—prior to submitting a proposal. It’s important to take note of the quantity and quality of the questions they ask, as this usually reflects their level of expertise.

2. A managed security service provider should be focused on only the best interests of you, the client, without conflict.

Your managed security service provider should be flexible and agnostic in their approach to your security needs. Just like the wide variety of cybersecurity technology solutions available on the market today, the field of cybersecurity services is incredibly broad and made up of many disciplines. This includes perimeter defenses, access control, security policy and procedure, training, intrusion detection, and systems integration. Many providers have expertise in one or two fields; few companies have expertise in all of them. Providers with a wide breadth of knowledge are valuable in seeing the overall picture and identifying best practices. Those with depth of knowledge can be better at providing specifications for solutions that will best fit your requirements and compatibility needs.

3. A managed security service provider should be able to offer a holistic approach to improving your security posture.

You want a managed security service provider (MSSP) that won’t just be looking at your firewall, anti-virus, and patching, but will have a holistic outlook on protection. With that said, you’ll want to ensure that the provider you choose has the understanding and capabilities to ensure your organization is broadly protected. A good provider will be able to help you with:

  • Advanced Analytics—SIEM and SOC services
  • Technology—firewalls, UTM, wireless, VPN, best practices and patch management
  • Management—policy, risk management, procedure, process, auditing, reporting, training and employee awareness education
  • Adaptability—disaster recovery, business continuity, business resilience and backup
  • Compliance—support and reporting

4. A managed security service provider should have the right expertise.

You want to make sure you’re placing your trust in an organization that deserves it. Having a managed security provider with a highly informed and trained team of managed security experts is always a key issue. A good MSSP will have people who are experts in many areas of digital protection. Technology security threats are constantly evolving, which means a team that does the same is essential. When it comes to dealing with cyber incidents, having access to security professionals with globally recognized certifications, experience in ethical hacking, and forensic investigation skills brings a great deal of value to the table. If you don’t have this expertise in house, the ability to provide hands-on support, should a security incident occur, is also important. Your managed security services provider should be able to address incidents for you, both remotely and on site if needed.

5. A managed security service provider should have the right operational capabilities, processes and infrastructure to manage your requirements.

Along with having adequate technical staff with the right professional qualifications, an MSSP should have the capacity, processes and infrastructure to effectively manage the ongoing needs of their clients. They will have trained people at every level of the organization to ensure that they are servicing their clients at the highest level of capability. Along with expertise, they should have the capacity and scale of operations to support your organization as it changes and grows. Ask if there’s flexibility both ways if your environment shrinks or grows in size or needs. They should be able to prove financial stability and a solid track record of delivery experience. Don’t hesitate to ask for financial information to safeguard against working with a company that may not be around long. Ask how long the company’s been in business AND how many years they’ve been delivering the exact service(s) you’ll be using. They should have adequate insurance coverage for the services they’re performing including, but not limited to, professional liability (Errors and Omissions) and their own cyber liability policies. They should be able to review their operating policies and procedures with you. Again, don’t hesitate to ask for them and review them. How organized and documented are their processes and procedures? How are their support operations organized? If the answers to these questions aren’t clear, their ability to fulfill the services being promised is probably less than reliable. Along these same lines, they should be able to talk to you about their own security measures. This would include things like what their hiring and screening process is, their process for securely accessing their clients’ networks, and how they protect sensitive data in their own information systems.

6. A managed security provider should explain what you get for your investment.

This may sound like a no-brainer, but it’s a critical question. Remember, your relationship with your MSSP should be a partnership defined by clear boundaries regarding who owns responsibility for what. What services is the provider responsible for delivering, and what are your designated responsibilities as a client? Is there an explanation of key processes including onboarding, incident response, service changes and the communication process in general? What projects and requests are considered outside the scope of your services agreement, and how are they handled? Having a written service agreement that covers these items is the way to ensure you have a clear set of operating parameters. If you have internal staff or other IT contracts in place already, make sure that the service responsibilities being performed by your MSSP are not being duplicated in some other way.

7. A managed security provider should explain their approach to hardware and software technology.

It’s important to ask whether a managed security provider has hardware and software technology standards that they strive to adhere to. Employing standardization in certain technologies enables service providers to create efficiencies for clients as well as provide certified staff to ensure expert integration and support. At the same time, if your technology is not standardized, your managed services provider should have some level of adaptability in terms of working within your existing IT environment. Realize that not all of your existing technologies may be supported, and upgrades and/or additions to your infrastructure are sometimes necessary to improve your security posture. But the primary reason for a change should be that you are missing an important system, or that the system you have in place is not doing the job it should be doing. Technology replacements are common within the realm of cybersecurity, where the threats are constantly changing and technology is constantly improving. When replacement of technology is necessary, your service provider should be able to explain why a proposed replacement is superior. If upgrades can’t be purchased within the current budget cycle, your MSSP should prioritize them by their impact on security and provide you with a lifecycle management plan and budget that phases the required upgrades in over a set period of time.

8. A managed security service provider relationship should be a partnership.

A good MSSP will approach the work as a partnership with your organization. Consequently, they should use language and operate in a way that conveys mutual goals, measurable deliverables, and shared responsibilities. They should add value by taking many complicated and time-consuming security-related responsibilities off your plate, both the heavy lifting and the small stuff. So, it should be clear how they’re going to make your life easier. At the same time, as a decision maker or stakeholder, you should understand that a certain amount of organizational time (either yours or assigned staff’s) is going to need to be invested in the process for the services and relationship to ultimately succeed. It’s wise to remember that there’s an important rule in hiring a managed security service provider that applies to all outsourcing: you can outsource execution, but you can’t outsource responsibility. The practical consequence of this rule is that you, the client, still ultimately hold responsibility for your organization’s security protection, and should always expect to be involved in it at the right level.

9. A managed security service provider should have a great reputation.

Like most things you purchase that involve a long-term commitment, the reputation of the service provider is probably the most important factor. References = reputation. In the vetting process, there’s no substitute for talking with existing clients to ensure your vendor has a strong history of delivering on its promises. Ask for references from both long-term and recently deployed clients who are of the same size, in the same vertical, and with similar challenges to what you currently have. Don’t rely on a letter; make sure you have in-depth conversations with these references. Don’t be afraid to ask a reference whether they’ve ever had an issue or dispute with the provider, and how it ultimately got resolved. Evaluate the answers by the words each reference uses. If someone is willing to serve as a reference and go to bat for this service provider, they should convey strong positive feelings. Do they say they love them? Do they talk about responsiveness and trust? Do you hear things like how they care about service and about their relationship? All of these things are vital components to getting great long-term service.

10. Watch out for low-cost, cookie-cutter solution providers.

Once you have a clear picture of what your specific security requirements are, look for a company that is able to tailor their managed solution to your specific needs. Many vendors offer out-of-the-box, cookie-cutter solutions that are usually inexpensive and almost never provide the right fit. These providers generally offer to monitor security events and use lower-end, semi-skilled labor. They add little to no value to the process besides this simple service; they almost never offer the advanced cyber services or skills you’ll need if you experience an incident. Your specific business needs should always drive what services will be delivered, never the other way around. The round peg, square hole analogy should never apply. So be sure you’re getting the solution that is best for YOUR organization, not theirs.

So, how much will it cost?

Finally, we come to the cost of services. As you can now see, there are many factors that should be considered when choosing a managed security service provider. There are big benefits to using a provider that has the right combination of expertise and resources, but they are rarely the cheapest solution. If you choose one based solely on the cost of the proposal, chances are you won’t get the right level of protection. The relationship can be a double-edged sword. Under good circumstances it will lighten many of the daily pressures related to security management. On the flip side, the wrong provider will make your cybersecurity system an ineffective, and potentially costly, headache.

If you know it’s time for you to improve your cybersecurity defenses, and you’re considering moving to a managed security service provider, contact us for a free, no-obligation security consultation.