It’s not surprising that many companies in a range of industries are hiring managed security service providers (MSSP) to manage their specific security initiatives or outsourcing their entire security program to an MSSP. An MSSP can take care of the routine and emergency security issues 24/7, issues which can easily overwhelm a small- or medium-sized company’s in-house IT department. Outsourcing a security program can be beneficial to companies with limited IT personnel, struggle to hire security staff, lack internal expertise in security, or plainly don’t have the number of IT employees necessary to implement a large security program. However, if you are going to hire an outside MSSP, it’s important to consider them carefully. Since your goal is to have them handle your sensitive data and file storage, a thorough evaluation following best practices will ensure your company’s continued growth and success as well as save your peace of mind.
What considerations should you pursue when looking to hire a managed security service provider? What standards set the best companies apart? Are there specific questions to ask potential MSSP candidates when interviewing them? Here are the questions that top security professionals recommend businesses ask when looking to partner with an MSSP.
1. What are They Going to Do for Your Organisation?
When looking to partner with a business, a good managed security service provider will examine the firewall, patching and anti-virus software, as well as have a holistic approach to protection. A good MSSP will talk about implementing security including:
- Management – risk management, procedure, policy, auditing, process, training, reporting and education
- Adaptability – culture, industry, backup, business continuity and resilience, and disaster recovery
- Technology – firewall, wireless, UTM, best practices, VPN, and patch management
- Compliance – additional standards or regulations such as GDPR, etc.
2. Do They Have the Right Expertise?
Not all MSSPs have the same training and certifications. Not all staff are trained or have experience on the same brands of hardware or software. It’s important that you hire an MSSP that has expertise in the specific make and model of PC that your company uses. They also need to have enough employees with the right education and training to work with your routine and emergency IT issues. Look for credentials including Premier Partner, Gold Certified Partner, Partner of the Year, Mid-Market Specialist from manufacturers they work with. Partner recognition awards are a good indication of a high level of competency.
Rely on references from recently deployed customers, who are of the same size, in the same vertical, and with similar challenges to what you currently have. Have in-depth conversations with the references. (Ken Baylor, PhD)
3. Do They Have the Capability?
Are they big enough with the number of support staff you need? Are their people trained and certified at every level of the organisation to service clients in the manner that you need? Do they understand your industry and any industry-specific issues you have? Can they support your business 24/7? An MSSP that specialises in health care services may not be a good fit for a manufacturing company. IT systems may be similar, but jargon, slang, abbreviations are different, and each industry may have specific regulations to comply with.
4. What Do They Recommend Changing to Improve Security?
Do they value the investment you’ve already made in your IT systems? Do they recommend logical changes or upgrades to improve your security? Or do they require changes because they can’t support your current system? It’s important to find a company that will mesh with yours, make your job easier and save you money and time.
5. What Benefits Does Your Company Receive from the Partnership?
Outsourcing digital security to an MSSP is a partnership. The MSSP is there to protect your data, and your infrastructure. They are helping you protect your clients and staff. Having a service level agreement (SLA) in place will clearly lay out the responsibilities of everyone involved.
6. How Much Will It Cost?
Costs vary depending on the level of security you need and scale of service you need. However, costs should be clearly listed upfront without any changes for a monthly contract. Any changes to your costs should be approved before the work is done and billed. Costs include management, monitoring and reporting which are all in the SLA.