Many companies today hire managed security service providers (MSSPs) to run specific security initiatives, or in some cases outsource their entire security program to one. This approach is especially beneficial to companies that have limited IT resources, lack internal security expertise, struggle to hire security talent, or simply need to stand up a security program faster than they could in-house. However, there is much to consider when evaluating and hiring a managed security service provider - after all, you are placing your company's security posture and most sensitive data in the hands of a third party. Following best practices in choosing an MSSP is critical to your company's long-term success. Due diligence at the evaluation and hiring stage will serve you well, saving your organization money and headaches going forward.
But what should you be looking for in a managed security service provider? Are there industry gold standards that set the best of the best apart from the so-so MSSPs? What questions should you ask potential MSSPs before partnering with an outside company and placing your enterprise's well-being in the hands of another? We wanted to see what criteria today's security professionals recommend for businesses looking to partner with a managed security service provider, so we asked a panel of experts to answer this question:
"What are the most important considerations when evaluating and hiring a managed security service provider?"
See what our experts had to say below:
Meet Our Panel of Security Experts:
John Penland
John Penland is the founder of InfoTech, a managed technology service provider for small and medium-sized organizations. He has worked with organizations of all industry types, including healthcare, law, real estate, graphic design and many others. His passion for helping others overcome technology barriers, combined with managed services, has allowed companies to forget about technology administration and focus on business growth.
My advice for companies hiring and evaluating a Managed Security Service Provider is...
Finding the right Managed Security Service Provider is just as important as finding the right staff for your business. In order to provide exceptional value, a provider must first understand their customer’s business model. This helps providers develop a rock solid solution that can create a long lasting, happy customer. Before a provider can recommend solutions, they must first ask about the customer’s business and make sure they have a clear understanding of what the customer needs. Without this critical information, the solution is just a sale and they are setting themselves, and more importantly, the customer, up for future problems.
Roger Smith
Roger Smith is an independent ICT and business security consultant, Amazon #1 Best Selling Author, Experienced Cybercrime and CyberSecurity Expert, Speaker, and Trainer who specializes in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organizations.
When it comes to hiring and evaluating a Managed Security Service Provider, I recommend...
There are huge benefits to getting a reputable organization to manage your digital security. There is also a large risk management component and a due diligence process to follow to ensure that you are getting the best available service. The outsourcing of your digital security involves an in-depth discovery process. It is not one of those decisions that is solely based on price and cost. Getting the right outsourcing company with the best reputation is critical to your organization's viability. Making a bad decision or deciding on one provider based solely on cost can cripple your business. These are the areas that you should look at prior to looking at the cost component:
1. What are they going to do for your organization? A good Managed Security Service Provider (MSSP) will not only be looking at your firewall, anti-virus, and patching, but will have a holistic outlook on how they protect their clients. A good MSSP will ensure that they are in a position to implement security change to create a more holistic outlook on protecting your organization. That holistic outlook takes the following into account:
- Technology - UTM, firewall, wireless, VPN, best practice and patch management
- Management - policy, risk management, procedure, process, auditing, reporting, and training and education
- Adaptability - disaster recovery, business continuity, business resilience, backup, and culture
- Compliance - if you have done the above, compliance is relatively easy
An MSSP will have the empathy and understanding to ensure your organization is protected.
2. Do they have the expertise? Most Managed Security Service Providers focus on one or two types of technology in specific areas. They may have a focus on Cisco or WatchGuard or a specific AV, or a specific make and model of PC. This level of specialization ensures that the MSSP has the right level of education, training, and capability within its ranks. A good MSSP should have people who are experts in one or more areas of digital protection; if they do not, then talk to another MSSP.
3. Do they have the capability? Most MSSPs have the capacity to manage clients. They will have trained people at every level of the organization to ensure that they are servicing their clients to the best of their capability. When it comes to capability, the MSSP should have staff with professional qualifications to support your business.
4. What are they going to change to make your life easier? There are changes that will be recommended by an MSSP for two reasons:
- The systems that you have in place are not doing the job that they should be doing and need to be replaced with systems that are more secure.
- The systems that you have in place cannot be supported by the MSSP because they do not have the expertise on staff.
So if you have recently invested $10K in a firewall, and they want you to replace it with another one worth the same, then you probably have the wrong MSSP.
5. What benefits are you going to get out of it if you PARTNER with them? The outsourcing of your digital security to an MSSP is a partnership. They are there to protect your data, your infrastructure, your clients, and your staff. You pay them to do that. Make sure that all parties involved understand their requirements by putting a service level agreement (SLA) in place. No SLA, then no contract.
6. How much will it cost? Finally, we have the cost. You should always know how much your monthly digital security cost is going to impact your organization. If the monthly cost is going to change, then once again you should be looking at alternatives. The cost of an MSSP SLA should include monitoring, management, and reporting; it will not include projects that are outside the scope of the SLA.
There you have it. If you employ an MSSP based solely on how much it will cost, then your organization will not have the right digital protection. There are a large number of organizations out there who think that they are MSSPs but lack the expertise, capability, and understanding that is required to protect your organization.
Brian Laing
Brian Laing is an executive at IT security innovator Lastline. An entrepreneur on the front line of the security industry for more than 20 years, Brian is a leader in strategic business vision and technical leadership, shown through his work with a range of start-ups and established companies. Brian founded RedSeal Networks as well as Blade Software, which released the industry’s first commercial IPS/FW testing tools.
My suggestions for companies hiring and evaluating a Managed Security Service Provider are...
The key to evaluating an MSSP is to first codify your requirements. For example: Do you need them to simply watch alerts during off hours when your own staff is not available? Do you need advanced skills or experience that your team does not currently have? Is your company part of a vertical that may have specific requirements? These are very different requirements that do not simply help you decide who might be better; they may completely remove a vendor from the selection process. Many MSSPs will simply offer lower-end, semi-skilled labor to monitor events. They add little to no value on top of this; they are simply a body shop offering economies of scale. If that is your need, then great, you have found a match! Many companies, however, are looking for advanced cyber skills they may not be able to attract full time, or their market vertical may have specific needs. If you have an outbreak, do you need forensics work or do you simply want to wipe the machine and hope for the best? These detailed needs must be verified with the MSSP.
Ian Trump, CD, CPM, BA
Ian Trump, CD, CPM, BA, is an ITIL certified Information Technology (IT) consultant with 20 years’ experience in IT security. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF MP Reserves and retired as a Public Affairs Officer in 2013. His previous contract was managing IT projects for the Canadian Museum of Human Rights. Currently, Ian is Security Lead at LogicNow working across all lines of the business to define, create, and execute security solutions to promote a safe, secure Internet for businesses worldwide.
Companies that are hiring and evaluating a Managed Security Service Provider should consider...
Unfortunately, there is no “Open Table” for Managed Security Service Providers, but like most things you purchase with a long-term commitment, the reputation of the provider is probably the most important consideration.
References = reputation. A key part of making decisions when it comes to hiring is the reference check. So my advice would be to ask for a couple of references from your potential MSSP. Not just letters, but the business owner’s contact information. You need to ask frank questions, as engaging with an MSSP will be a significant expense and hopefully a long-term relationship.
When evaluating the MSSP, you need to know whether they have some experience in your particular vertical. An MSSP that specializes in health care services may not be a good fit for a logistics and transport or manufacturing company. It’s not that IT systems are dramatically different; it really is about the language, slang, and abbreviations used in those industries and the ability to communicate with that client's users.
Lastly, when contracting the services, I would approach negotiations as a partnership and use language which provides mutual benefit, measurable deliverables, service level agreements (on both sides), and dispute resolution mechanisms. A 30-day, no-fault termination with a reasonable notice period and clear understanding and agreement on the final costs associated with termination need to be detailed.
If you consider the MSSP arrangement a relationship, then approach it in that way. Mandate monthly checkup meetings or calls to discuss performance, outstanding issues, and upcoming projects. Neither clients nor MSSPs enjoy surprises.
Dan Adams
Dan Adams, CEO of New England Network Solutions (NENS), is a serial entrepreneur who ran his first retail operation in high school. He founded NENS in 1993 and over the years, owned and managed several start-up companies. Dan is passionate about sharing his success strategies with fellow entrepreneurs and is a frequent IT conference speaker. NENS is a top rated MSP by MSPMentor and is one of Boston's top IT Services companies.
My tips for getting the right MSSP for your company are...
1. Review Their Policies - How organized and documented are their process and procedures? This is very important and often overlooked. If they are not clear, then their ability to fulfill the services they are promising you is not reliable.
2. Technical Team - Do they have a technical team that regularly reviews their technology standards and processes? Technology security threats are constantly evolving; you cannot simply set a policy and standard then walk away. It needs to be alive and organized, and it needs to be more than just a couple of people.
3. Do They Have Standards - Do they have certain products (HW/SW) they use for service, or are they open to whatever you have? To be effective, you need to set clear standards. A service provider needs to have clear standards, processes, and procedures as well as a training program to make sure all support staff deliver what is being promised to your company. If the service provider supports too many technologies, you have to question how well they really know them. Fit is key here.
4. Trust - What do their clients say about them? Do their clients love them, and are they willing to go to bat for them as a referral or testimonial? It’s all about customer service and caring about your company. Many owners believe MSSPs can be replaced at the drop of a hat, but in fact, both the relationship and trust must be built and sustained. This is a vital component to getting great long-term service.
In summary, the desire to push the security responsibility to another is very clear and understandable, but due diligence is vital here to getting the right provider. You need to see that providers have the vision, standards, systems, and training/culture to actually fulfill what you are looking for; otherwise, you will fall into a cookie cutter service which won't be optimal.
Alex Markowitz
Alex Markowitz is a Systems Engineer for Chelsea Technologies, a managed IT services firm that provides design, implementation, hosting, and support services to the global financial industry. Alex has over 10 years of IT experience in the financial sector.
For those who are unfamiliar with the world of IT security, be sure to consider the following basic tips when deciding on a Managed Security Service Provider...
1. Be sure you understand what you require and what you are paying for. Often, clients will ask for support that is outside of the scope of their contract, not because they were misled when signing the contract, but because they weren't sure what they were signing. There are many different parts of a network that require security, and you do not need to understand what everything is, but ask questions and never do business with anyone who does not answer concisely and clearly.
2. A cheap MSSP is a bad thing! An MSSP with a good reputation, experience, and clear plan is what you need.
3. Get references! Any confident MSSP will be happy to provide them.
4. Ask questions and get a clear understanding of what the day-to-day interactions will be like. Understand what the discovery period will be like. Be sure to understand what the quarterly/monthly reports will include. Be willing to work with the MSSP in order to get the protection and alerts that you need, and understand that both sides will need to be flexible for the first few months.
5. Security is the responsibility of you and your employees! Just having a good MSSP by your side is not enough; security is an imperative for all involved. Educate your employees and never be gentle regarding internal security!
Spencer Coursen
Spencer Coursen is a combat veteran, expert security consultant, threat assessment advisor, and protective intelligence strategist. Over the course of his diverse career he has advanced, planned, and led more than 300 protective missions to 163 different countries. He is the founder of Coursen Security Group, which empowers clientele on how to most effectively reduce risk, prevent violence, and enhance the certainty of safety for all involved.
I offer the following tips for companies seeking to hire and evaluate a Managed Security Service Provider...
Today’s businesses are turning to managed security service providers (MSSPs) to alleviate themselves of the daily concerns related to information security. These providers help companies safeguard against malware and customer data theft as well as resource constraints that may stem from a direct-hire skills shortage.
Functions of a managed security service include round-the-clock monitoring and management of intrusion detection systems and firewalls, overseeing patch management and upgrades, performing security assessments and security audits, and responding to emergencies. There are products available from a number of vendors to help organize and guide the procedures involved. This diverts the burden of performing the chores manually, which can be considerable, away from administrators.
Your specific business needs will determine the order of priority, but the following are best practices to consider when vetting and evaluating an MSSP vendor:
Vetting
- Ask for copies of third-party evaluations and audits to ensure your vendor has a strong history of delivering on promises.
- Seek out referrals for other clients. Ask for pros and cons of past performance. Trust but verify certifications and other industry credentials.
- What is their threat methodology, and how does that methodology translate to effective protective intelligence?
- Determine if, how, and where your sensitive data is stored.
- Ensure vendor neutrality to avoid/defend/prevent conflicts of interest.
- Ensure a sound and seamless exit strategy from their services.
Evaluating
- Be mindful of the "bait and switch" management model. Review the staffing structure with non-patterned frequency. Are incidents handled by junior members and then elevated to more senior managers, or are the initial concerns handled by senior managers who pass along the assessment to more junior evaluators? Both models have pros and cons, but be sure you’re getting the solution that is best for YOUR business, not theirs.
- What you measure, they will meet. You set the standard, not the provider. A good provider will strive to exceed your expectations, not meet them. Ensure that what you are receiving is what you want. Inspect what you expect and you will never be caught off-guard.
- Ensure transparency. Continually seek validation regarding the provider's own security posture. Transparency extends beyond what they do for you. It also includes how they do what they do for you.
Regardless of circumstance or scenario, it’s important to keep in mind that imaginations will always be bigger than budgets. Whatever services you decide to hire should be an appropriate, effective, and measured response in direct relation to a realistic threat assessment.
Venkatesh Sundar
Venkatesh Sundar (Venky) is the Chief Technical Officer at Indusface. He is responsible for product development, client services, and support for Indusface's application security. Venky has dedicated 15 years to the security software industry. In the past, Venky held leadership and management roles in Professional Services and Product Development at Entrust.
My advice for companies hiring and evaluating a Managed Security Service Provider is...
Managed Security Service has evolved closely with cloud security. As organizations look to outsource their web application security burden, they also expect expert assistance in monitoring, prioritizing, mitigating, and reporting attacks in real-time.
A highly informed, trained, and proactive team of managed security experts is the first thing an organization's decision makers should focus on. People holding Certified Information Systems Security Professional (CISSP) and Computer Hacking Forensic Investigator (CHFI) certifications will bring great value to the table.
Other than that, availability of custom security assistance is also critical. Managed Security Services should ideally include custom validation of business logic flaws and policies to block such attacks on the website. If everything is limited to automated services, and the security provider is unable to offer custom security checks for business logic flaws, it’s no different from automated security at the price of managed security.
Carl Mazzanti
Carl Mazzanti is the founder and CEO of eMazzanti Technologies, a premier IT consulting firm throughout the NYC Metro area and internationally. A frequent business conference speaker and technology talk show guest, Carl has often contributed at Microsoft-focused events, including the Microsoft Worldwide Partner Conference (WPC). His clients have been featured in over 60 Microsoft videos and case studies.
My number one tip for companies that are hiring or evaluating a Managed Security Service Provider is...
If software and hardware manufacturers like Microsoft, HP or Xerox think highly of the MSP, then you can bet they are competent and well-trained. Look for credentials that include Gold Certified Partner, Mid-Market Specialist, Premier Partner, Partner of The Year, etc. Numerous IT partner recognition awards indicate a high level of competency.
Carlos Pelaez
Carlos Pelaez is the National Practice Leader for Coalfire’s practice area focused on serving Service Organizations and Internal Audit departments. He provides the framework and methodology to local audit teams so that they may be well equipped to validate compliance and cyber security needs for cloud based solutions.
When hiring and evaluating a Managed Security Service Provider, the two best things to look for include...
1. Make sure they have completed some form of IT audit, risk assessment, or cyber security review. Because the service provider will manage your systems, they will have access to your data, operating systems, applications, and overall environment. You want to make sure you are placing your trust in an organization that has been reviewed by an objective third party. The Service Organization Control (SOC) report is great; a SOC 2 is what you should look for and not a SOC 1, which is more geared around financial transactions.
2. It can be very easy to hire someone and forget about it. Instead, you need to understand the boundaries of the system that you are handing over. What exactly are they responsible for, and what are your responsibilities? During the excitement of the procurement process, it can be easy to forget about this very important step. Using a data flow and IT architecture diagram is a great way to ensure a clear understanding of how the system is designed and how the managed service will wrap around it.
Ken Baylor, PhD
Dr. Ken Baylor is recognized as a leader in Data Protection, Bank Security, Agile Information Security and Regulatory Compliance. His recent speaking engagements include RSA, Black Hat, ISACA-CACS and FS-ISAC. Ken has deep technical security skills. Ken is a business-focused CISO, and has served in that role for four organizations. Dr. Baylor is a Certified Information Systems Security Professional (CISSP) and a Certified Information Security Manager (CISM). Presently, Dr. Baylor serves as Chief Security Officer for Pivotal Software.
My top tips for companies seeking to hire or evaluate Managed Security Service Providers are...
1. Don’t focus on the perceived prestige of the MSSP; focus on those with deep domain expertise in your vertical area (e.g., e-commerce, financial).
2. Ensure they can fully support your roadmap: if you have major cloud initiatives, an agile MSSP with expertise in both public and private clouds is necessary.
3. Not all your technologies may be supported. Ensure the MSSP can provide comparable controls at a reasonable price.
4. Rely on references from recently deployed customers, who are of the same size, in the same vertical, and with similar challenges to what you currently have. Have in-depth conversations with the references.
5. Negotiate the contract well, especially when it comes to service level agreements, notifications of incidents, and the definitions of what constitutes an incident. Specify how damages will be calculated in the contract on your terms, as harsh penalties deter MSSPs from breaking contracts.
6. Do not take a ‘big bang’ approach by surrendering your in-house security. Let the MSSP and your Security Operations Center (SOC) co-exist and pass your expertise and procedures to the MSSP. Ensure they work in the manner that benefits your company, rather than expecting a busy MSSP to work in your interest.
7. Have an ‘out’ clause built into the contract from the start, and ensure you have the capability to take back the security reins if required.
Mike Patterson
Mike Patterson is the Vice President of Strategy for Rook Security, a provider of global IT security solutions offering security strategy, crisis management, and award-winning security operations services for its clients. Mike's responsibilities at Rook Security include direction of internal strategy, finance, and account management. Founded in 2008, Indianapolis-based Rook Security is the 9th fastest-growing security company in the nation and recently earned a spot on the Inc. 500. Prior to joining Rook Security in 2013, Mike was a Sales Planner for Turner Broadcasting and a Consultant for Monitor Group. Mike has a Bachelor of Business Administration in Finance and Marketing from The University of Iowa – Henry B. Tippie College of Business.
Companies should look for the following qualities when hiring and evaluating MSSPs...
Scalability: MSSP models can be inflexible at best, and opaque at worst. Insist on a program that flexes both ways if your environment shrinks or grows in size, either by a spinoff or a merger. Most MSSP pricing models do not scale anywhere near as well as they do with cloud. Make sure your candidates can scale down as easily as up.
Flexibility: Unfortunately, security budgets do not grow on trees...especially mid-year. An unexpected hiccup such as a hefty incident response forensics bill or a budget cut can throw a real wrench into your plans and force you to make adjustments. Know where your MSSP can work with you to throttle back services that are underutilized or not as important with your new budget situation. Can you pay for new services by tuning down your usage of another service, or only by spending more? If you are not using a service enough, can you roll that excess into a service where you are?
Adaptability: You have invested a lot of money in your security technology, not to mention internal credibility with your finance and infrastructure teams. Insist on an approach that incorporates your existing investments as much as possible. Ripping and replacing should be a last resort and only because new technology would be clearly superior to the status quo. MSSPs may have some great stuff, but they should wrap around and bolt onto as much of what you have as possible before they start to peddle anything new or discuss upgrades.
Adding value: Is your MSSP going to throw you alerts or hand things off to you on a silver platter with advice, analysis and additional research? Ask to see samples of incident notification and other communication. It should be more than just recycling output from your enabling technologies.
Mark Rocchio
Mark Rocchio is the Digital Marketing Coordinator at VectorUSA.
In terms of choosing the right Managed Security Service Provider, companies should consider...
When contracting with a managed security services consultant, you’re basically signing over some or all control of your security system to an outside entity. This is a double-edged sword. On one hand, a knowledgeable consultant will alleviate the daily pressures related to security management ranging from data storage to maintenance. On the other hand, the wrong consultant will make your security system an ineffective, ever-lasting headache.
First and foremost, a managed security service consultant should serve only the best interests of you, the client, with no potential conflicts. With that said, one of the many difficulties in choosing the right consultant is that the field of security is incredibly broad. Security is made up of scores of disciplines. Few companies are expert in all fields that include perimeter defenses, access control, security policy and procedure, training, intrusion detection, and systems integration.
Consultants with great breadth of knowledge are valuable in seeing the overall picture and identifying the best practices. Consultants with depth of knowledge may be better at providing specifications for specific electronic hardware that will best fit your requirements and compatibility needs. A top-drawer security consultant will be agnostic in their approach to your security needs. They will not be so entrenched with a vendor or system that they cannot give you the best solution to fit your needs.
The right security consultant will bring a broad range of knowledge and offer comprehensive technology and policy solutions tailored to your unique set of issues. The right consultant for you will construct a well-written RFP that includes disclosure of any monetary or other link between the consultant and any vendor that may be considered for the proposed work. A top-notch vendor will also allow for a period for them to submit questions prior to the proposal due date. The questions they ask may hint at their expertise. Above all, a competent security consultant will deliver on every promise and make sure that you, the client, are satisfied with all work.
Jeff Huckaby
Jeff Huckaby has worked in IT for nearly 20 years. While studying genetics at Yale University, he became interested in open-source technologies. In 2006, he founded racKAID, an MSP managing open-source hosting solutions. In 2013, MSPMentor named him as one of the world’s top MSP executives. When not working, you will usually spot him on his bicycle, at his favorite coffee shop or watching his favorite kung-fu movies.
My top tip for companies hiring and evaluating a Managed Security Service Provider is...
Don't leave any gaps, especially when it comes to IT security.
When you go on vacation, do you lock all of your windows but leave your door wide open? Of course not, but I've seen businesses do this with IT security.
Too often, security is just a reflex to some unfortunate incident. If your website was hacked, you turn to web application security vendors. If viruses came through email, you look to an email security provider. Such an approach always leaves gaps.
How do you avoid gaps? A security audit. So when talking with potential security vendors, ask about security audits. Some may provide basic audits at no or little cost. These audits are your blueprint to sealing all security gaps in your business. Without them, you may just be leaving the door open while locking all of your windows.
Scott Dujmovich
Scott Dujmovich is an Electrical Engineer from Purdue University with 17 years of IT executive experience. Golden Tech is an IT Solutions company specializing in technology consulting, managed services, and IT projects. As an IT executive and consultant, Scott has spent the last 17 years meeting with small-to-midsized companies in various business sectors. He regularly guides companies on how to utilize their IT budgets to get the best ROI in terms of financial return and company efficiency.
The first question I would ask of a prospective MSSP is...
Whether the MSSP runs background checks on its employees. It’s important to know, if you’re putting your network security in the hands of a third party, that they run regular background checks. Secondly, I would ask what their process is for how they are securely accessing my network. Are they requiring two-factor authentication, individual administrative access, and a high level of encryption in doing so? I would also ask how the MSSP handles breaches. Breaches can happen, unfortunately, if someone is trying hard enough to compromise your network. The best MSSPs have processes and communication standards in place for how to handle critical situations.
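As an added example (not part of Scott Dujmovich's answer, and not any vendor's tooling), the script below turns his three remote-access questions into a check you can run against the sshd_config an MSSP proposes for its jump host or your bastion: does it enforce two factors, does it avoid root and shared logins, and does it avoid weak ciphers. Both configuration snippets are constructed for illustration. The single-entry AllowUsers test is a heuristic, and keyboard-interactive only counts as a second factor when PAM is actually wired to an OTP backend, which a config file alone cannot prove.

```python
"""Audit an sshd_config against three MSSP remote-access requirements:
MFA, individual (non-shared, non-root) admin accounts, strong ciphers.
Added example; the config text is constructed, not from any real MSSP."""

import re

# Constructed: one shared vendor login, password only, CBC ciphers.
WEAK_SSHD_CONFIG = """
PermitRootLogin yes
PasswordAuthentication yes
AuthenticationMethods password
AllowUsers mssp
Ciphers aes128-cbc,3des-cbc
"""

# Constructed: key + OTP, root disabled, named admins via a group, AEAD
# ciphers only. keyboard-interactive assumes PAM is backed by an OTP module.
HARDENED_SSHD_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
AllowGroups mssp-admins
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
"""

# CBC modes, 3DES and RC4: ciphers OpenSSH itself no longer enables by default.
WEAK_CIPHER = re.compile(r"-cbc$|^3des-|^arcfour")


def parse_sshd_config(text):
    """Return {keyword.lower(): value}. sshd honours the FIRST occurrence of
    a keyword, so a later duplicate must not override an earlier one here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def enforces_mfa(auth_methods):
    """AuthenticationMethods lists alternatives separated by spaces; each
    alternative is a comma-separated chain that must ALL succeed. Two factors
    are enforced only if every alternative chains at least two methods."""
    if not auth_methods:
        return False
    return all(len(alt.split(",")) >= 2 for alt in auth_methods.split())


def audit_sshd_config(text):
    """Return a list of findings; an empty list means all three checks pass."""
    cfg = parse_sshd_config(text)
    findings = []

    if not enforces_mfa(cfg.get("authenticationmethods")):
        findings.append("MFA: AuthenticationMethods does not require two methods")

    # Root is by definition a shared account; OpenSSH's default is prohibit-password.
    if cfg.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("Individual access: PermitRootLogin is not 'no'")

    # Heuristic: a single AllowUsers entry usually means one login shared by
    # the MSSP's engineers; a group of named accounts is what we want to see.
    allow_users = cfg.get("allowusers", "").split()
    if len(allow_users) == 1 and "allowgroups" not in cfg:
        findings.append(f"Individual access: single login '{allow_users[0]}' looks shared")

    weak = [c.strip() for c in cfg.get("ciphers", "").split(",") if WEAK_CIPHER.search(c.strip())]
    if weak:
        findings.append("Encryption: weak ciphers enabled: " + ", ".join(weak))

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {audit_sshd_config(text) or ['OK']}")
```

Ask the MSSP for the real file rather than a description of it; the weak snippet above passes every question in the paragraph if you only take the vendor's word that "we use SSH with strong encryption".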
Bob Herman
Bob Herman is the Co-Founder and President of IT Tropolis. He is an engineer with over twenty-five years of professional working experience. His areas of expertise include technology implementations, project management, IT operations, business continuity, data center/server room design, server sizing & optimization, network topology, remote connectivity and virtualization technologies.
My top tips for hiring and evaluating MSPs include...
1. Your MSP should use a software management platform/system. Ask the MSP which platform they use to ensure they're not simply winging it.
2. You should not be required to sign a long-term contract unless h/w is being supplied in a HAAS model, e.g. for backup and disaster recovery. While (30) days' cancellation notice is normal, an MSP that wants you to sign a long-term contract may be a sign of poor service, thus they need to lock you in.
3. Your MSP should provide a monthly summary report covering managed systems, for example, processor and memory utilization, hard disk consumption and warranty status.
James Tauer
James Tauer has been in IT consulting since 1997. He has made his way up the IT ladder starting from a computer installer to providing CIO services. He currently works for Total Technology Solutions in Melville, NY, providing technical consulting and advisement services.
My top tips for companies that are hiring and evaluating Managed Security Service Providers are...
1. Most important - Staff/Employee Cyber Education. According to the Online Trust Alliance, 90 percent of data breaches could have been prevented. Twenty-nine percent were the result of employees (malicious or accidental); additionally, 18 percent were due to lost or stolen equipment, and 11 percent were the result of social engineering attacks or fraud. A business can spend thousands on security hardware and software, and it will mitigate your risk, but the best prevention is to educate your staff on what they can open, what they can click on, what should be suspicious, how to protect confidential information, and how to notify your organization. Lastly, have them sign off on their education.
2. Collaboration - A Managed Security Service Provider (MSSP) should never tell a client or potential client, "We will take care of everything for you." It is a collaborative effort. A business owner/decision maker must understand that their time will need to be invested also. Your MSSP should be explaining this. Do not leave everything to your IT company or your IT department. The service needs to be a partnership. Any company can create written IT policies, or provide services for vulnerability testing, network scans, etc., but if the business is not involved, nothing is learned, policies collect dust, and your business is just as vulnerable as it was before.
3. Do you know where your data is? Your business must understand where their data is, especially PII and PHI. An MSSP can provide Data Loss Policies (DLP) but cannot apply these policies to everything across the board. Your MSSP should provide hand-holding or questionnaires to help provide this information, but it is your data and at the end of the day, your business is responsible and liable, not your MSSP.
4. Not if, but when - Your MSSP should guide your business with response and recovery policies. They should understand your federal and state cyber laws, your compliance regulations, who needs to be notified of a breach and when, or if you need to notify anyone at all.
5. Continuity - This service needs to be continual. Laws and compliance regulations change. Cyber-attacks continually change. Employers hire new employees. Your MSSP should work with you every 90 days on updating any written policies, reviewing your intrusion prevention logs, security logs, antivirus/antimalware reports, asset inventory, permissions inventory, user inventory, etc. Your staff education should be updated and formal training provided on a yearly basis (including a new employee cyber security orientation).
Joy Montgomery
Joy Montgomery of Structural Integrity got her start at business systems analysis in IT and is now a consultant helping companies discover the gaps in their operations. For the Cleantech Open, Montgomery is the National and Western Division Alumni Chair. Solving problems and connecting people are fun for her.
My advice for companies that are hiring and evaluating a managed service provider is...
Outsource locally to someone who is responsive. You don't expect them to drop everything every time you need anything, but it's good to have them nearby and flexible when you do really have an emergency. Get recommendations from people you respect for at least three service providers and find out why they like them. If the reasons they like them are meaningful to you, put them on your list. Try to meet with each of the recommended service providers on your short list. Surprisingly, not everyone responds to a referral promptly. If you don't get a response in a reasonable time, that tells you something important — move on.
Ondrej Krehel
Ondrej Krehel is the founder and principal of LIFARS LLC, an international cybersecurity and digital forensics firm. He's the former Chief Information Security Officer of Identity Theft 911, the nation's premier identity theft recovery and data breach management service. He previously conducted forensics investigations and managed the cyber security department at Stroz Friedberg and the Loews Corporation. With two decades of experience in computer security and digital forensics, he has launched investigations into a broad range of IT security matters, from hacker attacks to data breaches to intellectual property theft. His work has received attention from CNN, Reuters, The Wall Street Journal, and The New York Times, among many others.
There are a few considerations companies should keep in mind when hiring and evaluating an MSSP...
1. Quality of service - Organizations have to decide if they want a cyber security supermarket service provider or a boutique, higher-end outfit. This will also determine the level of service you will be getting and the quality and personal involvement of provided professionals. Fortune 100 is now looking more into boutique, even more expensive outfits with very close connections. Security is a matter of trust, and executing on promised delivery with high quality and deep, detailed precision is expected. Security supermarkets struggle to deliver higher-end service; therefore, the smaller outfits have room to play now.
2. Elite Team - Review bios and involved professionals, not just the name of the firm. You do not have to go deep, but a good name does not guarantee that the professionals working on your particular case are of high quality. Have everyone's bio, and interview some of the company's team members. You want a team that wants to be rock stars tomorrow and is willing to prove it. Hiring rock stars might not be the way to go if you are on a tight budget, but if you go with rising stars, you might be able to get rock star-type people for less.
3. Due diligence on firm reputation - Ask their clients, Google, friends, and anyone that knows the firm about what they liked and what was outstanding. Pros and Cons. The Internet is your big friend here, since we live in an era of sharing our dreams and thoughts.
4. Financials - Be sure the pricing is correct, although fluctuations are now around 50 percent on the market. Ensure that you know what you are paying for, as well as what is and isn't included. Read the contract carefully.
5. Insurance - Review the company's insurance coverage, especially General Liability and Errors and Omissions.
6. Your feeling - If your instincts about the proposed services and team tell you otherwise, do not engage — instincts can go a long way.
Sean Dendle
Sean Dendle is a technology entrepreneur who has been working in IT from the age of 15. Sean established Cymax in 1996 to provide IT support to Brisbane businesses. It has since evolved to provide cloud services specifically tailored to companies Australia-wide. In 2011, Cymax was awarded as one of the top 10 service providers within Australia and in 2013 was recognised as one of the top 501 managed service providers internationally by MSP Mentor.
I have five important lessons for companies hiring or evaluating a Managed Security Service Provider...
In the past year, the business world has learned a lot from the emergence of powerful cyber threats and attacks that have become more prominent and malicious. With an abundance of corporate security concerns and leaked information left, right, and centre, it's easy to see that no firm is safe — be it big, small, national or international.
Protecting your company's critical information from theft or corruption is an absolute must for any business leader. Each organization should strategically employ an experienced Managed Security Service Provider, in conjunction with an existing internal IT team. These combined forces should constantly monitor the threats lurking in the virtual space and the risks that may directly target the actual business. While there's a lot of bad news to make light of, there are some ways to greatly improve the stability of your protection strategy.
1. Hand your IT security to those you can trust. Allowing a third-party to manage and monitor your systems can be risky, so it's important to place this control in the hands of someone you know won't take advantage of it. This information is integral to the success of your business, and by allowing someone to access it directly, you're allowing them to do what they will with it. If you do choose to employ a Managed Security Service Provider, make sure a confidentiality and classification of information agreement is thoroughly presented and agreed upon. Additionally, this party should be able to demonstrate significant experience within the industry, understanding the many contexts that become apparent in this field.
2. Ensure your employees are aware of their responsibilities. Most organizations will have experienced a lack of understanding on their entire company's part, whereby employees are constantly accessing business information through their personal devices. Be it a laptop, smartphone or tablet, the information is highly confidential, and when property is misplaced, lost, or hacked into, all data falls vulnerable to threats. To avoid this, have an employee Code of Conduct in place towards the use of IT equipment and networks, including highlighting what they are allowed to access on the web when they are using it.
3. Clarify their claims of being an 'expert.' There's absolutely no hurt in further examining the expertise of a provider you're considering for your business. It's critical that their claims of experience, authority, and credentials are actually authentic; approach them with questions that will give you peace of mind, and don't be afraid to ask:
- What is their quality assurance process?
- Do they follow a change management framework in regards to security processes?
- Do they offer penetration testing as part of their service?
- Do they provide it themselves, or is it conducted by a third party?
- Can they provide a certificate of currency of indemnity?
- Do their engineers (and the company as a whole) carry a security vendor certification?
4. Walk the walk. It's not enough to put policies such as the above in place, without making use of them yourself as a business leader. You're not an exception. If staff are prohibited from accessing certain sites or from conducting certain activities on their personal devices through the business' network and platforms, then you are, too. You're likely to be the one dealing with the most sensitive information relating to the company, so you can't afford for it to fall into the wrong hands.
5. Your IT budget is there for a reason. If you've allocated a certain spend towards technology and equipment for your company, use it. It's now obvious that businesses are spending up to half of what they initially highlighted to spend on software, hardware, and equipment updates. With all of these being readily accessible and easier to set up than ever before, there's no excuse.
Paul Caiazzo
Paul Caiazzo is a cybersecurity expert, entrepreneur, and strategist. As Principal and co-founder of TruShield Security Solutions, Inc., Paul is responsible for developing corporate strategy and leading the technical product and service development efforts. Paul also is TruShield's Federal service lead and brings many years of experience solving complex cybersecurity challenges within the Federal space.
Here are a few key things to look for — and look out for — when evaluating an MSSP...
Cookie cutter or customer-centric? First and foremost, look for a company who is going to work to tailor the managed solution to your specific needs. So many providers offer out-of-the-box, cookie-cutter solutions, and unfortunately, these are almost never a perfect fit. What works for a large retail client may not be well-suited to a small credit union or insurance company. If your provider isn't willing to spend some time getting to know your organization and business process and tailoring alerts to you, at best, you won't get the maximum value from your spend, and at worst, your solution may not be able to do the job of actually protecting you.
Provider, or Partner? Along the same lines, many providers take a very hands-off approach. You likely won't hear from them outside of the regularly scheduled reports, which are typically emailed from a group account and neither presented nor followed up upon outside of that delivery. This isn't really helpful and doesn't represent good value for money. What you want instead is a Managed Security Services Partner, an organization that views itself as an extension of your staff, with dedicated engineers and a Client Account Manager who will help to ensure the solution you are paying for is doing what you need it to. Partnerships like this age like fine wine — the engineers and analysts will grow more and more familiar with you and your business over time, and as a result, the effectiveness and efficiency of the service will continue to improve.
Threat analytics - The most highly effective MSSPs are able to perform detailed threat intelligence and analytics through a few mechanisms. First, by drawing insights from threats affecting their pool of clients, they should be able to issue proactive guidance on prevention mechanisms which will protect clients B-Z from a threat which impacted client A. Additionally, the best MSSPs do their own research, either through malware analysis and reverse engineering, investigation into threat communication channels, or both. The information gleaned from these activities is vitally important to maintaining the upper hand and is not something all or even most MSSPs do.
Security focus or technology generalists? Many technology companies offer Managed Security Services, but we've often seen that customers of MSSPs who are dedicated to security are those most happy with their level of service. A technology generalist organization may have their Tier 1 staffed by HelpDesk technicians, who aren't sufficiently trained or experienced in security to be effective in the role. MSSPs dedicated to security usually take the time to hire, train, and retain talented staff. It may seem obvious, but a deep focus upon security will allow your MSSP to give you meaningful and actionable information that you can directly take to your operational environment for implementation.
On-Call, or true 24/7 - Many MSSPs will claim to offer a 24/7 service, when in fact their service is essentially an 8- or 12-hour shift with on-call staff supporting the after-hours effort. This is not really effective, and most certainly inadequate for any kind of SOC or monitoring service. You want to find an MSSP with a true 24/7 capability, and ideally one which will dedicate staff to your account.
Technology agnosticism - The best MSSPs are not there to sell you a device or technology; they're there to manage the device or application of your choice. Their solutions should integrate with the tools within your environment and if they don't, the MSSP should be able to commit to a timeline to integrate it.
By looking for an MSSP which meets these requirements, you can be sure that the investment your organization has made into managed security services will bear fruit.
Dale Tesch
Dale Tesch is a valuable member of the consulting leadership team for NTT Com Security, leading the US Advanced Security Operations Center (ASOC) Group and is a Member of the Global ASOC Leadership Team. Mr. Tesch has more than 15 years of experience building complex IT business solutions.
I suggest the following to companies that are hiring or evaluating Managed Security Service Providers...
1. Research the MSSP market and understand the support landscape for the service you are inquiring about.
2. Research the companies being considered; include financial stability and delivery experience.
3. Do not get hung up on price initially. Look at the service deliverables and align them to your goals.
4. Interview their support group and request resumes.
5. Determine their ability to customize support to your environment and policies.
6. Discover their operation locations and support hierarchy (Tier 1-4, etc…).
7. Ask questions about the ability to support in-country and price differences.
8. Have them explain each section of their contracts and service description.
9. Visit their SOC.
10. Believe nothing unless it is in writing — pre-sales commitments need to align to SOC operations capabilities.
Mike Meikle
Mike Meikle is a Partner at SecureHIM, a security consulting and education company. SecureHIM provides cyber security training for clients on topics such as data privacy and how to minimize the risk of data breaches. Meikle has worked within the Information Technology and Security fields for over fifteen years. He speaks nationally on Risk Management, Governance and Security topics. Meikle has presented for Intel, McAfee, Financial Times, HIMSS and for other Fortune 500 companies. He is also a published writer with articles that have appeared in American Medical News, CNBC, CIO Magazine, Los Angeles Times and Chicago Tribune. Meikle holds a Certified Information Systems Security Professional (CISSP), a Project Management Professional (PMP) and Six Sigma Green Belt.
While purchasing or evaluating a Managed Security Service Provider, I recommend that companies ask the following questions...
1. How many servers and endpoints can be monitored under the standard licensing agreement?
2. How long do they store system log files?
3. How much log file storage do they offer?
4. Do they service your specific industry?
5. What reports can they generate? Are they customizable?
6. What help or service desk systems do they integrate with?
7. Can tickets be automatically created for the customer service desk based on customizable criteria?
8. Will the MSSP sign a Service Level Agreement that includes the metric for ticket turnaround time from issue detection to customer service desk ticketing?
9. Does the MSSP integrate with industry standard firewalls such as Palo Alto or Cisco?
10. Does the MSSP integrate with industry standard Intrusion Detection or Prevention systems such as FireEye?
11. Does the MSSP have a web portal interface for their service that is customizable?
12. Does the MSSP have an app that can be used on a mobile device for ticket management and incident response?
Robert Scott
Robert J. Scott is the managing partner of technology law firm Scott & Scott, LLP, located in Southlake, Texas. He is on the board of the MSPAlliance. The firm specializes in IT transactions, software licensing, security, and privacy. Many managed service providers (MSPs) are clients of the firm.
For companies seeking to hire or evaluate Managed Security Service Providers, I suggest:
1. Ask Around: When it comes to managed security providers, you want someone who understands your business, your industry, and the security challenges it presents. Ask your industry peers who they use and why. Talking with a reputable provider focused in your industry is the best place to start.
2. Get Clear: Managed security services come in many flavors. Use a requirements document or statement of work that very clearly details the services required. The clearer you can be about what you are looking for, the more successful the search.
3. Due Diligence: You need to be thorough in evaluating the technical capability of the MSP. Reviewing certifications from industry groups such as the MSP Alliance and evaluating the results of IT audits is a good start. Tour the facilities, ask the tough questions, and get it in writing.
4. Risk Balancing: Choose a vendor that is willing to carry its fair share of the risk if something goes wrong. Vendors that want to limit liability to fees paid for services should be avoided in favor of others that implement professional liability insurance and use contracts that allow you to benefit from the coverage.
5. Trust: When it comes to security, trust is critically important. If you're choosing from several qualified providers, go with the one you trust the most.
Ron Avignone
Ron Avignone is the Future Product Roadmap & Partnership Leader at Giva, a help desk/customer service/call center/knowledge management/change management cloud (SaaS) vendor.
We recommend the following 31 questions to help customers evaluate MSSPs:
1. After my company pays for your product, what if we become dissatisfied for any reason? Perhaps the product does not work as demonstrated or promised. What will you do, and what are our options?
2. What if better technology comes along after we purchase your product? Perhaps your company is not keeping up with evolving industry standard enhancements. Are we required to use your product through to the end of the term, or can we trade them in and receive a pro rata cash refund to purchase a product that meets our evolving needs, or can we terminate our contract? Are fees required for termination? What has the frequency been for launching new product releases over the last three years? Can we review the release notes?
3. How quickly can we be up and running on your product? Does it work out of the box? Will it take a week, a month, a quarter or six months or longer to deploy? Will you provide an implementation plan in writing and commit to it? Who will initially pay for set-up, customization and configuration costs? Who will pay these costs on an ongoing basis? Do we need to learn a programming language to administer and customize your product? If so, what is the approximate size of the developer community, and what is the average hourly rate?
4. Please prepare an estimated Total Cost of Ownership (TCO) of your product over four years. Consider all the acquisition and lifetime costs of ownership. Document all your assumptions; and we will provide you with our assumptions for the analysis, as needed. How does your product TCO compare with the other companies we are evaluating? Are training, set-up, customization, configuration, support, integration and any usage fees all included in this TCO?
5. What exactly is included in annual maintenance? Will we receive major releases or just bug fixes and minor enhancements? Can you please show us exactly where this is documented in your License Agreement?
6. Of course, we hope that we do not have to do this, but my company may want to cut costs in the future by not paying for annual maintenance. Our CFO is concerned about commitments for ongoing fees. Can we stop paying maintenance any time we want, but continue to use the licenses? Do we need a license key from you each year? What happens if we stop paying annual maintenance, and then we want to start paying again to obtain support? Do we have to back pay all the fees for maintenance we did not previously pay?
7. What is your roadmap for future product development? What product enhancements are you planning to make over the next 12 months? How can my company be assured that you will deliver on this roadmap? What are our options if you do not deliver?
8. If we have a support issue that requires some reconfiguration, does your company charge professional services fees for this work, or is it covered under routine support?
9. We will probably learn a lot about your product after using it for the first six months, or even a year. If we want to do additional customization and configuration work after the initial deployment is completed, does your company charge professional service fees for this work, or is it covered under routine support?
10. Does your company provide Respond and Resolve Service Level Agreements (SLAs) for support service requests that your company is committed by contract to meet? If so, how can we measure if your company is meeting or exceeding these SLAs? Can we terminate our contract if your company does not meet these support SLAs? Is there a clause in your contract to allow termination for material breach of support SLAs? How do I get support? Do I have to send an email, open a web request, or can I call your company and speak with a live person? What are your standard support hours? Do you offer extended support hours for evenings, weekends, and non-USA regions? Is there a fee for this?
11. Do you offer a Service Level Agreement (SLA) for uptime? What is it? Is it included in the cost, or is there an additional charge for providing an SLA for uptime? Is there a financial penalty for downtime? How do we apply for credits? What is your history of uptime? Can I obtain a copy of the uptime Service Level Agreement to review?
12. Do you measure and monitor application responsiveness on an ongoing basis? Your service may not be down, but how do I know if it will be responsive and usable? Do you provide a Service Level Agreement for application responsiveness? If so, what is it?
13. Is your product architected as a Web-native application? Is it really a client/server application retrofitted with a Web interface?
14. Do you host your product at a commercial data center, or do you host on your own servers? If at a data center, is it SSAE-16 (formerly SAS-70), SysTrust and Trustwave PCI certified? Does the data center provide a managed service, or does your company rent a colocation cage with power and network access, but your company maintains all of the server infrastructure? Does your data center use a third-party security assessment firm to determine whether the data center meets Payment Card Industry Data Security Standard (PCI) and security requirements related to the protection of private and confidential data? Does your data center use a third-party security assessment firm for intrusion penetration testing and monitoring? With respect to your data center:
- How often do they perform back-ups? Is there a daily incremental back-up? Is there a full back-up at the end of the week?
- Is the back-up automated to assure that it happens without fail?
- Is the back-up to tape or disk?
- How long of a back-up history is maintained? 30 days of data on site and 60 days off-site for safe keeping? Are back-ups stored on-site or off-site at secured locations? Can the database be restored to a specific day and time?
- Is transportation to off-site locations secured?
- What is the data center disaster recovery plan?
- What happens if the data center power is knocked out? How many days can it stay powered on generator failover without refueling?
- Is the data center physically guarded 24 x 7 x 365?
- How is physical access to the data center protected?
- How is virtual access to the data center protected?
- Is there a hardware-based firewall that protects your data from the Internet?
- Are there Microsoft and Cisco Certified Network Engineers on site 24 x 7 x 365?
- How long would it take to recover from a complete server failure?
- Are there ample spare parts on-site?
- What level of data center redundancy is built in?
- What level of Internet access redundancy is built in?
- Does your data center have strategic partnerships with Microsoft, Oracle and Cisco to be among the first to receive important security information and updates? How fast are security patches applied?
- Is there virus protection on the servers?
15. As my company grows or experiences spikes in business, can additional licenses and disk storage space be quickly provided on-demand as necessary for peak times such as the holiday season, special promotions or major IT infrastructure upgrades at my company?
16. Can I get a copy of my company's data file at any time in an industry standard format, so it can be imported into another application? Is there a charge? Is it explicit in your contract that my company's data is owned by my company? How will our data be protected from a privacy and disaster recovery perspective?
17. Are there maintenance windows of downtime for routine server administration? When are they? Will the service always be unavailable during these windows or just sometimes? Will I get notifications when the service will be down during a maintenance window? How much advance notice?
18. What contract lengths do you offer, and what are the discounts that apply? Is there any flexibility in payment terms? What are renewal terms?
19. What is exactly included in annual maintenance? Will we receive major releases or just bug fixes and minor enhancements? Can you please show us exactly where this is documented in your license agreement?
20. Is a source code escrow service available? (This requires that the vendor place their source code in escrow, so that it is available if they are no longer in business.) Is there a fee for this?
21. Does the vendor ask you about your pain points? Are they interested in understanding your requirements, and will they prepare a demonstration of their capabilities based on these requirements at no cost or obligation?
22. What happens if our companies have a disagreement about roles and responsibilities? What is your dispute resolution process? Does it include an arbitration clause in your License Agreements, or will we have to pursue litigation as our only recourse? What is your track record with respect to litigation and customers? How many customers have sued your company, and what were the outcomes? Did these disputes go to court? How were they settled, and what were the details?
23. If my company wants to purchase optional modules and additional licenses in the future, will you lock in the price today so I can better estimate the Total Cost of Ownership of your product in the future?
24. What other modules are available today that we may use later? Will you guarantee in writing that these modules will be available in the future?
25. As we grow in using your product, can we set up independent service desks/databases within our company for different functional areas or departments? For example, could the Human Resources Department have their own service desk/database in your application that is private and segregated from other departments? Can this service desk share a single database of underlying users/customers so that this database does not have to be replicated multiple times? Are there additional costs for this capability?
26. What are your license options as my company grows? Today, we may purchase Named/Dedicated licenses; but as we grow, we may want to have people use the application on a part-time basis. What are all your license options? Can we share licenses across Asia, Europe and the USA so that we do not have to buy licenses for each geographic region, since they operate in different time zones with only minor overlap?
27. Do you have customer case studies that discuss business results that you have helped your customers achieve? Can I speak with these folks to learn firsthand of their experience using your product?
28. How will you obtain my company's evolving feature requirements after I become a customer? Will you regularly call me for feedback and consider our feedback into your development plans? Will we be able to open product enhancement suggestions in a database and see them tracked through implementation? Are there any charges for making product enhancement suggestions that are implemented?
29. Will I have an Account Manager that is compensated based upon retaining my company's business? Will I have one neck to squeeze, or will you make me navigate your company and seek out appropriate resources?
30. Will you provide a 30-day supported trial of your product without obligation?
31. How often will your company provide new feature and enhancement releases, and is this included in the annual maintenance fee?
Jeff Stollman
Jeff Stollman is a polymath who works in a wide range of disciplines including sensors, robotics, financial services, force protection, weapons demilitarization, non-lethal weapons systems, information technology, information security, and privacy. He currently holds patents in artificial intelligence, privacy, and financial services and has patents pending in financial services, information security, and non-lethal weapons.
Companies that are hiring or evaluating a Managed Security Service Provider should remember...
There is an important rule in hiring a Managed Security Service Provider (MSSP) that applies to all outsourcing: You can outsource execution, but you cannot outsource responsibility. The practical consequences of this rule are that you retain responsibility for personnel, technical scope, and incident response. Here are 10 quick guidelines to be considered in each of these areas:
PERSONNEL
While the MSSP will do the hiring of their own staff, this does not absolve you of responsibility for staffing. If you are victimized by a well-publicized security threat, pointing fingers at your MSSP won't salvage your company's reputation.
1. It is your responsibility to ensure that their hiring policies are sufficiently stringent to meet your own policies — if you were doing the work internally.
2. Further, it is your responsibility to ensure that the MSSP follows its own policies.
TECHNICAL SCOPE
MSSPs typically know their business. They will identify exactly what they will do and perform exactly what they say they will do. But they do not perform every duty that is required.
3. You must create a responsibilities matrix that enumerates all of the services you need performed for your business — regardless of who performs them. Model security frameworks that will enumerate security responsibilities are available online.
4. You must ensure that each of the service responsibilities that is not being performed by your MSSP is being performed in some other way — either internally or through a separate contract.
5. If there are holes between what your enterprise's skill levels can accomplish and what is not performed by the MSSP, it is up to you to either negotiate these additional services with the MSSP or find another solution to fill them.
INCIDENT RESPONSE
MSSPs stop many security breaches and provide alerts to security breaches that occur, but they are not responsible for incident response.
6. Develop an incident response plan for the various types of security incidents that can occur to your enterprise. Model plans can be found online.
7. Ensure that your MSSP is contractually obliged to provide you with the information you need to execute your incident response plan.
8. Ensure that the information you require is provided in a timely fashion that is specified in your contract.
9. Ensure that you have the staff to receive, review, and trigger incident response, should a security breach occur.
10. Ensure that you have the executive buy-in to execute the incident response plan.
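Points 7 through 9 above are contractual and staffing requirements, but they are also measurable: if the contract specifies how quickly the MSSP must hand an alert to you, and your own plan specifies how quickly someone on your side must pick it up, you can check both against the alert history. The following is an added example, not code from the article or from any of its contributors. The severity thresholds, the CSV column layout and the alert records are all assumed for illustration; substitute the figures from your own contract and the export format your MSSP actually provides.

```python
"""Check an MSSP alert history against notification and acknowledgement SLAs.

Added example; the SLA figures, CSV layout and records are assumed, not
taken from any real contract or provider.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed contractual limits: minutes allowed from the MSSP's detection of an
# event to notification of the customer, per severity (hypothetical values).
NOTIFY_SLA_MINUTES = {"critical": 15, "high": 60, "medium": 240}

# Assumed internal limit: minutes allowed from notification to acknowledgement
# by your own on-call staff (hypothetical value; this is point 9 above).
ACK_SLA_MINUTES = 30


@dataclass
class AlertRecord:
    alert_id: str
    severity: str
    detected: datetime
    notified: Optional[datetime]      # None: the MSSP never told you
    acknowledged: Optional[datetime]  # None: nobody on your side picked it up


def _ts(value: str) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp; an empty field means 'never happened'."""
    return datetime.fromisoformat(value) if value else None


def load_records(csv_text: str) -> list[AlertRecord]:
    """Parse an export with the (assumed) columns
    id,severity,detected,notified,acknowledged."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        AlertRecord(r["id"], r["severity"].strip().lower(), _ts(r["detected"]),
                    _ts(r["notified"]), _ts(r["acknowledged"]))
        for r in rows
    ]


def evaluate(records: list[AlertRecord]) -> list[tuple[str, str]]:
    """Return (alert_id, finding) for every record that breaches an SLA.

    Findings: never_notified, notify_late, never_acknowledged, ack_late,
    unknown_severity. A single alert can produce both a notify and an ack
    finding.
    """
    findings: list[tuple[str, str]] = []
    for r in records:
        limit = NOTIFY_SLA_MINUTES.get(r.severity)
        if limit is None:
            findings.append((r.alert_id, "unknown_severity"))
            continue
        if r.notified is None:
            # The MSSP's side of the hand-off never happened (point 7).
            findings.append((r.alert_id, "never_notified"))
            continue
        if r.notified - r.detected > timedelta(minutes=limit):
            # Hand-off happened, but slower than the contract allows (point 8).
            findings.append((r.alert_id, "notify_late"))
        if r.acknowledged is None:
            # Your side never picked it up (point 9).
            findings.append((r.alert_id, "never_acknowledged"))
        elif r.acknowledged - r.notified > timedelta(minutes=ACK_SLA_MINUTES):
            findings.append((r.alert_id, "ack_late"))
    return findings


def summarize(findings: list[tuple[str, str]]) -> dict[str, int]:
    """Count findings by kind, for a monthly report or a renewal discussion."""
    counts: dict[str, int] = {}
    for _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample export: five alerts over one (fictional) night.
SAMPLE_EXPORT = """id,severity,detected,notified,acknowledged
A-1001,critical,2024-03-04T02:10:00,2024-03-04T02:18:00,2024-03-04T02:25:00
A-1002,critical,2024-03-04T03:00:00,2024-03-04T03:40:00,2024-03-04T03:45:00
A-1003,high,2024-03-04T09:00:00,2024-03-04T09:30:00,
A-1004,medium,2024-03-04T10:00:00,,
A-1005,high,2024-03-04T11:00:00,2024-03-04T11:20:00,2024-03-04T12:30:00
"""

if __name__ == "__main__":
    results = evaluate(load_records(SAMPLE_EXPORT))
    for alert_id, kind in results:
        print(f"{alert_id}: {kind}")
    print(summarize(results))
```

Run against a real export, the interesting output is not the late notifications alone but the "never_acknowledged" line: that is the alert that was raised and sat there, which is the failure mode no MSSP contract can cover for you.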
Jason Greater
Jason Greater, Founder and CEO of Solvusoft, is a security expert with 15 years' experience working with application and network security for different clients. He has written custom adaptors for systems like ArcSight SIEM and led the implementation of security monitoring projects. He also writes extensively on hacking.
My top tips for hiring and evaluating Managed Security Service Providers include...
When Target was hacked in 2014 and lost 40 million credit cards, the signs were there. Various intrusion detection devices raised alerts. The problem was no one was paying attention. This means security systems can work, but only if properly staffed and with the right people and equipment.
Your company should not be responsible for its own application and network security. The threats are changing too fast to be trusted to anyone except someone who works with that every day. So your security should be handed over to a Managed Security Services Provider (MSSP).
What does this mean and who should you pick?
When you sign up with an MSSP, you:
- Direct your internet traffic to the MSSP. They then become your front line of defense against any hacking attempts. They use different security software and appliances and trained personnel to monitor your network and applications for intrusion detection.
- Optionally, configure some subnets on your network to the MSSP.
- You can also configure your logs to go to their SIEM (security information and event management) system so the MSSP can monitor those and look for hacking events.
- Optionally, they will write an audit plan for you and conduct annual audits.
- Optionally, they will be ready to step in to do forensics to help you when you have been hacked.
- Optionally, they can provide security awareness training for your employees.
To use the terminology currently in vogue, you could say this is a cloud relationship.
Some companies will offer to operate your own security equipment remotely from their office. Do not do that. Their entire system should be the same for all their clients. Standardization brings best practices to everyone.
The following are characteristics that make a great MSSP:
- They send their employees for certification; this shows a company that is investing in their people.
- They have application and networking security professionals; those are two distinct skill sets.
- They write a blog on security, showing they are studying current attacks.
- They are large enough so that they will not go out of business, but small enough to dedicate some people to your account. Your system will vary slightly from other companies, so you need someone who is familiar with your setup.
- They have a SOC.
- They can demonstrate that they are continually replacing new technology with even newer technology, as this field is constantly changing.
Eric Watkins
Eric Watkins is the co-founder and general manager of Infinity Technologies. He is also a Senior IT Support Consultant and Business Advisor with over 15 years of experience in the industry.
Before hiring a managed security provider, there are a few questions you should ask the company, including...
1. How long have they been in business? Knowing how long the company has been in business can give you a good idea of their experience level. You want to be sure you're working with an established company that has a good reputation in the industry.
2. What are their service offerings? Does the provider specialize in just one thing, or can they monitor and manage all of your security needs? If the provider specializes in just one service, you may need to hire different companies — one to handle your router, one to handle your email, and so on. This can become a problem when you have an issue you need resolved. Will you be able to resolve a spam issue in one phone call, or will you have to call each of your providers to find where the problem lies?
3. What is their capacity? Will the provider be able to respond to your issue right away, or will you be stuck with an outage for hours? You want a company that will tackle your issues as they arise, not put them on the back burner.
4. Do they outsource? If you call to ask a question or report a problem, are you going to be talking to someone who actually works for the company? Oftentimes, providers outsource their help desk. It's generally better to talk to someone who actually works for the company so you can get your question answered and your issue resolved as quickly as possible.
5. What sort of reporting do they provide? Will you be getting any analytics each month? A monthly report gives you a good look at the actions that were taken the previous month: how many scans happened, how many threats were protected against, etc. It's important your managed security provider can show you exactly how they are handling your security with analytics.