Here are the questions you should ask yourself before you make such an important decision. Full credit to Carl Keyser of Security7 Networks who kindly gave me permission to use this article.
Question 1: “Why do I need an MSSP in the first place?”
Do you need an MSSP? There are three key factors:
• Experience – You need the security expertise an MSSP can provide
• Availability – You need the around-the-clock SecOps availability only an MSSP can provide
• Cost Savings – You need the security cost savings an MSSP can provide

If you’re having a difficult time attracting experienced InfoSec professionals, then an MSSP is right for you. If you’re worried about not having a dedicated InfoSec professional available when you need them, then an MSSP is right for you. If you can’t afford a full-time InfoSec professional, but you need someone to do the job, then an MSSP is right for you.
A GOOD Managed Security Services Provider delivers on all three of these things. They can provide your business with the solution set it needs to keep the data safe and sound 24×7 without breaking your budget.
Question 2: “Experience is important. Is the security team at this MSSP experienced enough to meet my needs and how can I tell?”
There is an abundance of anonymous-feeling security-provider websites out there. They seem to be filled with unowned content and staffed by mysterious unnamed individuals. Since you as the buyer have all the power when it comes to deciding which MSSP you select, it’s easier to make an informed decision if you can identify and research the company you’re considering as a potential partner. Do your research. Check out the MSSP’s “About” and “Team” pages. If it helps, check out the company’s LinkedIn page. Those pages and social profiles can sometimes help paint a more complete picture of an organisation. If you’re going to end up working with someone every day, it’s better to know who they are than to go into an agreement blind and hope you get answers you like.
Question 3: “What software/technology do they use? Who are their partners?”
The software an MSSP uses is just as important as the strategies they subscribe to when it comes to their offered services. A good MSSP is always improving, and as a result, they understand the importance of upgrading their toolkit regularly.
We recommend you check out an MSSP’s partner page to see what tools they’re currently using. If an MSSP is not comfortable with toeing the line, and they have what looks to be an old or untrustworthy toolkit, they’re probably not the best choice for you or your business.
Question 4: “Does this MSSP pay attention to new threats and developing InfoSec trends?”
This question really goes hand in hand with the last question. A good MSSP not only pays attention to developing technology but also pays attention to developing threats in the InfoSec world.
An excellent way to measure this is to look at the MSSP’s blog or social media channels. If their choice in subject matter is current and they’re consistently posting new content, there’s a good chance they’re passionate about what they do and dedicated to keeping their customers safe.
Question 5: “Speaking of keeping their customers safe; what steps does this MSSP take to keep data safe, what’s their security posture like and do they have a strategy?”
In today’s world, the most important asset your company has is its data. It’s only logical that you ask yourself whether or not the MSSP you’re investigating can protect your valuable information.
A GOOD MSSP understands this and offers their clients a complete, far-reaching data security solution that extends from up in the cloud to ground-level end-points like laptops and other mobile devices.
Question 6: “That’s all well and good, but my business is unique. How can they help me directly?”
A GOOD MSSP knows that no two solutions are the same, and its representatives will never give the same advice twice (outside of some industry best practices). If you decide to contact an MSSP, they should make that very clear to you upfront in the conversation. Why? Every business is different. Yours may not have the same security or compliance requirements as the next business an MSSP meets with. A good MSSP tailors a custom solution that is right for your business and doesn’t make you conform to something like an out-of-the-box solution.
Question 7: “Okay, this MSSP I’m researching is good at self-promotion, but enough about that. What do their customers think about them?”
Ah yes. The One-Million-Dollar question. The best way to gauge an MSSP isn’t always by reading their blog or following them on social media. The absolute best way to gauge an MSSP’s qualifications is by reading their customer reviews (either on their webpage or on Google).
It’s been said the best form of marketing is word of mouth, and that’s true. A good MSSP leverages their customer base by getting customers to write reviews that accurately depict the way they feel about the MSSP. Typically, if people love the service provided by someone they do business with, they’ll write reviews that can offer up a level of personal insight otherwise unavailable.
Your MSSP should help you stay ahead of cyber-attacks by providing a real-time information security solution. Unlike traditional, reactionary approaches, their intelligent, real-time information security solutions immediately strengthen vulnerable technology and offer multi-layer data protection across your entire IT ecosystem.
Credit: Carl Keyser