How to Select a Managed Security Services Provider for Your Business

By Eric Noonan • January 10, 2018

As an owner of a small or mid-sized business, you have endless options available as you partner with a Managed Security Services Provider (MSSP) to better secure your business. The array of choices, industry jargon, and configurable service options can leave you wondering if you left something on the table that you will later regret. Without a team of security experts to vet vendor service offerings, the selection process is even more daunting.

How can you simplify the process and ensure that you are getting everything you need to be secure and compliant?

Maximize Your Chance of Success When Selecting an MSSP

  1. Document your requirements
    • Increase your likelihood of getting what you need by taking the time to compile this list. It will make you a smarter buyer and tremendously help you find the right resource for your needs.
    • Note that this doesn’t have to be a detailed spreadsheet of operational capabilities and Service Level Agreements (SLAs). You may opt to start with compliance issues as most businesses have specific regulatory requirements that they must satisfy including DFARS NIST 800-171, Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and many others.
    • Ask potential MSSP vendors how they can help your business to measure, satisfy, or simplify compliance with any of the above compliance requirements. MSSPs should possess in-depth knowledge of the requirements, use cases from existing customers, and references.
  2. Be ready to answer questions
    • Have a technical person and someone who understands your business available to answer questions around current security tools in place including how they are used, which users need what level of access, and existing business processes. A good MSSP will want to understand your business both in terms of your existing on-premise and cloud-based infrastructure and your actual business.
    • Trust your instincts and steer clear of sales pitches that focus on technology rather than your business requirements. Know that MSSPs who don’t ask the right questions and who push technology won’t be good long-term partners. There isn’t a tool on the planet that can make you secure. Ideally, your conversations will be with the MSSP operational staff rather than salespeople as operational folks will have the experience that can be applied to your business requirements.
  3. Make sure your MSSP enables security and compliance
    • Remember that operational security enables compliance. Drive your MSSP to explain how their proposed solution to your requirements can make your business both secure and compliant. Chances are you don’t have the time or resources to manage compliance as a separate activity from securing the company. Whatever you contract for should enable both operational security and compliance and the alignment between the two should be documented.
      • Example: If an MSSP is offering a Security Incident Event Management (SIEM) and log management capability, there should be a documented alignment of the capability delivered and your specific compliance requirements. You intuitively understand why you need a firewall and anti-virus protection, but make the MSSP demonstrate how that operational need maps to your compliance requirements to become a force multiplier.
    • Keep in mind that other examples of operational technologies that your MSSP should easily be able to map to your compliance requirements include:
      • Asset Discovery and Inventory
      • Vulnerability Assessment
      • Intrusion Detection
      • Behavioral Monitoring
      • SIEM and Log Management
  4. Vet your MSSP to ensure service delivery
    • Spend time examining your MSSP to be sure that you are they are going to deliver on the “service” part of being an MSSP. SLAs should be a part of your contract but there is an undocumented level of service that you should be getting from your MSSP that can’t be captured in an SLA.
    • Consider these things:
      • Are you comfortable with their technical expertise?
      • When you call, do you know if you’ll get a knowledgeable expert who goes the extra mile to solve your problems or a tier-one analyst who just opens a ticket?
      • When compliance questions relating to a business issue arise, will you find your MSSP to be a partner working with you to solve to problems?
      • Does the MSSP have clear value-added services that go beyond “management dashboards” that only demonstrate tools are being deployed?
    • Narrow your selection to responsive, service-oriented vendors during your procurement process. Many customers has been sold MSSP “services” that do little more than collect logs and monitor.
  5. Be diligent in checking references
    • Ask for references and take the time to call these contacts. Inquire about the reference’s experience during onboarding and delivery of services months after the sale was made. Is the MSSP still engaged and delivering value or do they only surface at contract renewal time?
    • See if your chosen MSSP has delivered any remediation or implementation projects as they are indicators of hands-on experience that will benefit your business. Ideally, references will be in the same business or industry as yours, but if everything else checks out this isn’t a necessity.

Partnering with an MSSP is a great way to secure your business infrastructure. To find out how quickly CyberSheath can enable 24/7 operational security and compliance reporting for your business, contact us at sales@cybersheath.com.

 

Cybersheath Blog

3 Reasons Why You Need a Privileged Access Risk Assessment

A privileged account is one used by administrators to log in to servers, networks, firewalls, databases, applications, cloud services and other systems used by your organization. These accounts give enhanced permissions that allow the privileged user to access sensitive data or modify key system functions, among other things. You can…

Incident Response – Learning the Lesson of Lessons Learned

“Those who do not learn from history are condemned to repeat it.” Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant…

What is DFARS 252.204-7012 and NIST SP 800-171?

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Trace Security