Six Critical Questions to Ask Your MSSP

According to a recent CNBC report1, the average cost of a security breach is now over $4 million. As a result, many small and medium-sized businesses are beginning to make substantial investments in cybersecurity. Unfortunately for a large portion of these companies, the enormous costs associated with establishing in-house solutions are simply insurmountable.

First, upon researching various security solutions and finding the availability of trained, certified and experienced cybersecurity professionals to be severely limited, it quickly becomes apparent that standing up an in-house solution will likely cost many hundreds of thousands of dollars.

Additionally, the recurring expenses associated with hiring only one or two skilled cybersecurity analysts to manage an in-house solution could easily reach tens of thousands of dollars each month. For these reasons, many companies ultimately choose to outsource commodity services to a Managed Security Service Provider (MSSP).

Outsourcing has many advantages over in-house solutions:

  • Little or no up-front costs;
  • Greatly reduced recurring expenses;
  • Ability to focus on revenue generating activities;
  • Shared indicators of compromise (IOCs);
  • Access to proven technologies;

When choosing a Managed Security Service Provider (MSSP), it is important to take many factors into consideration. Choosing the wrong provider can be disastrous to your bottom-line.

The following questions will help to demystify managed security services, and provide you with criteria against, which to sort the good from the not-so-good providers in this rapidly expanding market:

1. Does your MSSP specialize in cybersecurity?

Managed security service providers have begun to flood the cybersecurity marketplace. The global managed services market is expected to grow from $8 billion in 2015 to $30 billion by 20202. That’s a whopping 275% increase over just 5 years, and seemingly everyone wants in on it.

Try to narrow your choices to companies who specialize in cybersecurity/information security. Managed Service Providers (MSPs) may be good at providing information operations, but they often do not have a pedigree in cybersecurity. Even if they do, consider that it may not be in their best interest to report their internal security failures to you as a client.

Seek providers who have a proven track record in other areas of cybersecurity, such as Incident/Breach Response, Penetration Testing, Phishing, Social Engineering, and Information Security Risk Assessment. These providers will possess a deep knowledge of the cybersecurity domains, and they already know what sort of threats to look for.

2. Does your MSSP offer custom solutions?

A one-size-fits-most approach may work great for T-shirts and baseball caps, but as cloud services continue to proliferate, and you begin to leverage new and innovative solutions, MSSPs must be able to adjust to a rapidly changing marketplace.

Seek providers who offer a mixture of cloud and on-premise solutions. In addition, ensure that they are able to support your current cloud provider(s). Find out if they will work with you to determine a solution that fits your specific needs.

3. Does your MSSP offer tailored IDS signatures?

Will your MSSP work with you to develop custom intrusion detection/prevention system (IDPS) signatures to protect your critical business systems? Most MSSPs rely on a combination of continuously updated community-developed and subscription-based signatures to drive their detection capabilities.

However, these alone may not be enough. Ensure that your MSSP will work with you to craft custom signatures to ensure your critical applications have the appropriate level of protection. Find out if they offer application testing and/or penetration testing as well. It is often possible to realize significant savings for bundled or related security services. This is especially, true when the application testers have access to telemetry data afforded via network monitoring.

4. What is your MSSP’s commitment to Security/Compliance?

It’s important that your MSSP takes security a seriously as you do. This includes physical security at their own facilities, operational security (are they protecting your information?), access controls, encryption, multifactor authentication, role-based administration, and so on.

Depending on your industry, there may also be compliance standards to which your MSSP should adhere. Does your MSSP submit itself to regulatory auditing by a third party for compliance purposes? Has your MSSP undergone a SOC 2, GLBA, or HIPPA audit? If so, ask them to provide you with proof of certification.

5. Does your MSSP have stringent hiring practices?

Ensure your MSSP is performing background checks on their employees. Your data should be protected from criminals, and it is in your best interest to ensure that your MSSP thinks so too.

Where are your MSSP’s employees located? Does your MSSP outsource their monitoring to agents overseas? There are more than a few MSSPs that outsource staffing to U.S. based staffing companies that act as proxies for analysts in India, Pakistan, or the Philippines. This may not be an issue for you, but it’s a good idea to ensure you are not paying prices commiserate with U.S. based analysts.

6. Does your MSSP keep its employees trained and certified?

An MSSP is only as effective as the analysts scrutinizing the data. It is expected that there will always be new employees who will require training. However, all employees must be adequately and continuously trained to ensure knowledge of current threats and analysis techniques.

Does your MSSP have time and level-based certification requirements for their analysts? Are these certifications associated with the analyst’s tier-based position level? Certification alone is usually not a enough but coupled with training it can provide a good indication of your MSSPs commitment to excellence.



2 ort-managed-security-services-q3-2015

 Disclaimer: This material is intended for informational purposes and should not be relied upon as legal advice.