Selecting a Managed Security Services Provider

September 13, 2022
IT Security, IT Services

Selecting a Managed Security Services Provider

With all the other things IT professionals have going on, choosing a managed security services provider (MSSP) probably doesn’t rank high on the to-do list. Maybe it should.

By contracting for managed IT security services with the right MSSP, your organization gets access to security expertise and resources that it probably doesn’t have ─ and can’t easily or cost-effectively acquire. Companies that specialize in IT security services maintain highly experienced teams of experts. They stay on top of emerging threats and fixes, employ IT security best practices, and invest in leading-edge cyber defense tools and mitigation strategies—the end result: a strengthened security posture.

Working with an MSSP also relieves your IT staff of some of the responsibility of security operations. That frees them up to focus on other tasks and initiatives. With all that IT departments already have going on, anything that frees up time is welcomed.

The challenge is finding the right MSSP. Between building the business case for going with an MSSP, compiling a list of potential candidates and then researching and interviewing them, checking references, dealing with the contracting and onboarding phases, and going through all the other steps required, it can be a time-consuming process.

MSSP Evaluation Criteria

While we can’t eliminate all the steps required in hiring an MSSP, we can provide you with suggestions for assessing your options. The security services offered are critical. Cost is always a consideration. The following are some of the other key things to take into account during the MSSP evaluation process.

• Experience. How long has the organization provided managed security services? Ideally, you want to work with an MSSP that has an extensive track record of success working in the IT security arena. That’s not to say newcomers can’t do the job, but you’ll get greater peace of mind working with an MSSP that can demonstrate both experience and expertise. There’s also a lot to be said about the lessons learned from prior engagements.

Don’t just take the organization’s word for it regarding its experience. Ask the hard questions. Has its’ client experienced any kind of security incidents while using its services? How were the issues handled/resolved? What SLAs are available for the services and what has been the organization’s experience in meeting them? Also, ask for and check references.

• Focus. How do managed security services fit into the organization’s overall company portfolio and strategic focus? Some organizations focus strictly on managed security services. Others include managed security services as part of their overall offerings. While the tendency might be to go with the company that focuses entirely on security, the organizations with a broader range of services ─ such as cloud hosting and network solutions ─ may offer a better fit.

The more holistic-type IT services providers could offer other solutions/services your company could use, in addition to IT security. That helps reduce the number of vendors you have to work with, plus makes it easier for implementing more comprehensive, end-to-end IT solutions. They’re also more likely to have in-house expertise in areas such as compliance, which often go hand-in-hand with IT security needs.

• Compliance. On the subject of compliance, it’s an important consideration ─ particularly if your organization is subject to PCI DSS, GDPR, or HIPAA/HITECH. Look for organizations that undergo regular audits for compliance or certification with various regulatory requirements and industry standards.

You may be able to leverage the compliance or certification of the organization providing managing security services, which lessens your burden. Plus, organizations that are compliant with various regulations and mandates typically have stronger security themselves, as well as expertise they can share with you.

• Service. Security incidents can happen at any time. Is the MSSP available to handle your needs 24/7/365? Are there security experts available around the clock? What is the team’s expertise across the following disciplines: security research, advanced detection methodologies, threat hunting, security analysis, incident response, forensics, security operations, security engineering, data science, and IT operations?

Given the well-publicized shortage of experienced IT security talent, how does the MSSP ensure it will also have the necessary resources to deliver the services ─ and service ─ you expect?

Another good question to ask: does the MSSP provide the support for its services itself or are some of them supported by third parties? If that’s the case, who do you call for support? What’s the responsibility of the MSSP?

• Services. Unfortunately, what you need isn’t always what you get. Does the MSSP take the time to assess your needs and make recommendations for how best to meet them? Does it simply offer off-the-shelf security services (which, depending on your needs, may be sufficient.) Can the services be tailored to your needs, as well as integrated with other services to create a more comprehensive solution or strategy.

What services are available? Are they backed by SLAs? Can these services be combined to provide a more comprehensive security approach, such as a defense-in-depth strategy or zero-trust strategy?

How often does the MSSP introduce new services? What’s on their road map for the coming year?

• Pricing/Cost. Make sure you ask about the MSSP’s pricing model and if there is a potential for additional charges with any of the services. What about discounts? Also, inquire about licensing and maintenance agreements.

Ready to take the next step?

Learn more about the benefits of choosing US Signal as your Managed Security Services Provider. Contact US Signal today!