Cybersecurity

9 Best Practices for Selecting a Managed Security Services Provider (MSSP)

An MSSP can shore up your cybersecurity and remove burdens from your internal IT team. But to achieve these results, you must find the right partner. Here are nine things you need to know before you choose an MSSP.

Cybercrimes continue to rise.

In fact, 70 percent of organizations said that their endpoint security risks have increased significantly over the past twelve months. Meanwhile, 54 percent of companies have experienced one or more successful attacks that compromised their data and/or IT infrastructure.

However, many CIOs lack the resources to effectively ward off cyber threats.

According to research from Enterprise Strategy Group (ESG), 51 percent of organizations faced a cybersecurity skills shortage in 2018. This represents a steady increase from the 23 percent of organizations that couldn’t fill these roles in 2014. Unfortunately, the skills gap is getting worse with time.

Even if you find cybersecurity experts, there’s no guarantee that they will stick around. The ESG research revealed that 49 percent of cybersecurity professionals receive job solicitations at least once per week. This news is great for people who want a career in cybersecurity but it’s a problem for CIOs that need to retain skilled professionals at a reasonable salary.

Without the proper resources, CIOs have no choice but to increase their IT team’s workload. The ESG research confirmed that the cybersecurity skills shortage is placing a heavy burden on internal teams. They spend so much time putting out fires that they have little time for planning and strategy.

Why Partner With a Managed Security Services Provider?

Many CIOs are turning to managed security service providers (MSSPs) to overcome their internal skills gap. Working with an MSSP allows you to boost your security without increasing the burden on your in-house team. With the right partner, you can achieve fast results while you free your internal team to focus on innovation – not on day-to-day IT admin.

A survey by FIT and IDG found that enterprises that outsource their anti-malware and endpoint protection have lower infection rates than those who manage these items in-house. In fact, 81 percent of enterprises that use MSSPs have infection rates of 3 percent or less. Meanwhile, just 63 to 65 percent of companies that use other security methods – such as a coordinating response teams or distributed incident response teams – have incident response rates of 3 percent or less.

9 Questions to Ask Before You Hire a Managed Security Services Provider (MSSP)

Choosing the right MSSP can be overwhelming. Many of them sound similar on paper, which makes it hard to determine if they can meet your business and IT needs.

Here are nine questions that will help you identify the right MSSP.

1. How will they handle your sensitive data?

Get clear on your security goals and requirements before you speak with an MSSP. For example, do you need to store any of your data on premises? Does some of your data require different levels of control and protection? Must you comply with General Data Protection Regulation (GDPR)?

Then, determine if your MSSP will meet your needs? Also find out what will happen if your MSSP gets hacked. How will they respond? How quickly will they notify you of the breach? What are their legal requirements?

2. Do they have extensive experience with incident response?

Ask how many incidents your MSSP has worked, along with their severity. For example, has the Federal Bureau of Investigation (FBI) or the United States Secret Service ever been involved?

Incident response may involve teams that are outside of your enterprise, such as law enforcement and legal counsel. Ask if your MSSP has experience working with these groups. Can you trust them to serve as a go-between and work with legal counsel to protect your employees?

3. Can they share client success stories?

Does the MSSP have stories about how they’ve helped customers? Find out if they work with other companies in your industry or ones that have similar IT environments. Also ask if they’ve helped CIOs achieve the same results that you want to achieve?

The stories can give you an idea of how well the MSSP solves problems. For example, do they only do the bare minimum, such as reporting a breach? Or do they take steps to clean it up? Look for an MSSP who will treat you like a partner – not just another ticket that they need to close.

4. What can they provide in terms of credible, detailed references?

You may not be able to speak with a customer reference, as most enterprises won’t put themselves at risk by discussing their security challenges or which MSSP they use.

But there are other ways to find out if your MSSP is credible. For example, they can show you endorsements from leading IT vendors. They can also give you a list of their certifications to prove that they keep their skills and technologies up-to-date.

Also, be sure to Google the name of your MSSP plus “breach” to find out if any of their customers fell prey to a cyber attack or other form of data loss. A quick Google search can pull up items that you don’t hear about in the news. After all, you don’t want to hire an MSSP and later find out that they were involved with a major breach.

5. Do their breach detection and remediation processes analyze every trouble ticket?

Many MSSPs simply turn on the lights and bill you. For example, they use tools to track trends and only declare a problem after impacts your environment.

Make sure that your MSSP automates their ticket generation and logs all of their work. This increases your accountability and ensures that your MSSP will declare problems on a technical basis, not a subjective basis. That way, your MSSP can’t ignore problems until they turn into a security incident.

6. Does the MSSP use leading endpoint protection technologies?

Your MSSP should not only offer the latest technologies but also use them internally. If they rely on technologies that are three generations old, how can they provide you with quality service? Ask your MSSP what tools they use for their customers and for their own IT environment. Also ask how they keep current with the latest security best practices.

For example, beware of a vendor that relies heavily on anti-virus tools, as they offer little protection from today’s sophisticated threats. Instead, choose an MSSP that offers advanced endpoint protection to keep malware from getting onto your enterprise’s computers and devices.

7. Do they have experienced staff in your time zone(s)?

Your security risks increase during the hours that your employees work. It’s critical to choose an MSSP who keeps similar office hours. That way, they will be available when you are at your most vulnerable.

8. Does your MSSP have qualified employees?

The IT skills shortage doesn’t just impact enterprises –it also impacts MSSPs. Many vendors struggle to find qualified employees, so they hire whomever is available just, so they can get billable hours.

Make sure that your MSSP assigns skilled technicians to your account. If you use technologies such as SAP or Cisco, look for an MSSP who is a certified partner. That way, you can rest assured that your MSSP has people on staff who know how to implement and run your core systems.

Your MSSP’s team should also keep their skills sharp. The cybersecurity world changes rapidly, so it’s critical that your MSSP stays on top of the latest trends.

Ask your MSSP how they expand their knowledge. For example, do they attend conferences such as Black Hat USA to learn about the latest threats and best practices?

9. Does your MSSP standardize their offerings?

Look for an MSSP that offers packages at transparent rates. Also get clear on how your pricing will change as you add more services or your IT environment expands in the future. Many MSSPs offer a low base price, but their fees quickly escalate as your environment grows.

Are You Ready for the Next Generation of Cyber Threats?

The cybersecurity skills gap will likely get worse before it gets better.

Cybersecurity Ventures predicts a global shortage of 3.5 million qualified professionals by 2021.

Working with an MSSP can help you keep your environment secure – while you free up your internal IT team for more strategic projects. The right MSSP won’t just email you when they detect a threat; they will help you identify gaps in your security and put you on a path that will minimize your risks.

Learn more about how to keep your enterprise’s data and devices secure. Download Why and How to Block Security Breaches at the Endpoint.

You can also contact us today to discover how we can help you make your IT environment secure.

Related