
If you are a business leader who has been tasked with fortifying and safeguarding your organization’s IT security posture, you know there are many factors that will drive the decision of working with a managed security services provider (MSSP).

A few questions to consider are:

What happens once you arrive at the conclusion that you require the services of an MSSP? How do you determine exactly how you want to leverage their expertise? How do you ensure that you select the right partner?

Why These Questions Matter

These are important questions to answer, since the involvement of a third party – especially one tasked with overseeing or supporting IT security – has the potential to expose your organization to an additional layer of risk.

For example, an MSSP will need to have access to a wide variety of different pieces of confidential information – from your network infrastructure down to the individual pieces of data it contains. The liability alone from mishandling such assets can bury a company, making the validation of a potential partner a crucial step.

In addition, partnering with an MSSP will more often than not require clearance or permission from other stakeholders.

What to Look for in an MSSP

While the specific parameters of what you desire from an MSSP will be unique to the needs of your organization, there are a few minimum requirements all well-established MSSPs should be able to meet.

- They should be able to provide positive references as a validator of their quality of service and expertise. Experience is king, when it comes to finding the right MSSP. Certifications alone do not replace experience in a live environment.
- In keeping with the theme of experience, they should have worked with companies of similar size or maturity, or even within the same industry.
- They should have defined standards, policies and procedures. This will enable them to demonstrate a starting point based on expertise, from which they can tailor their services to your organizational needs.
- There should be a documented service level agreement (SLA) or statement of work (SOW) in place, and they should have a template for the creation of such a document. Hesitation to present an SLA or SOW should be a significant red flag; there is no room for ambiguity in the realm of network security.
- You should know who your points of contact are, as well as who owns your account. There should not be a guessing game of who to contact when you require assistance.
- They should have clearly defined milestones and deliverables. Great MSSPs should have a roadmap for typical customers that involves different phases, such as discovery, rolling out core changes, review, modification, etc. The best MSSP candidates will schedule dedicated time to the feedback loop that ensures the continued alignment of their services as time goes by.
- They should also have documentation around an exit strategy, should you decide you wish to terminate the relationship, as well as how to renew their services at the end of a predetermined timeframe.

It is worth noting at this point that it may be tempting to wait and see what your MSSP will need from you, once you bring them on. That said, you will more effectively enable their success with a bit of anticipatory internal preparation ahead of their onboarding.

For instance, instead of waiting for a partner to request access to different systems, you could have that information prepared in advance of their arrival, so they can hit the ground running.

Final Thought

At the end of the day, determining the right IT security partner requires a great deal of introspection – what are your goals, both in the short-term and long-term? Though an MSSP may have glowing references and documented best practices, having a clear understanding of your own organizational needs will help you better align their roadmap to yours.

That is often the key difference between finding an MSSP that works well for you today, and one that will be the right choice in the long run. The more your current status and goals pair with their capabilities and roadmap, the more value you both will realize in the years to come.

About FourV Systems
FourV is dedicated to improving the operational performance of IT security programs by empowering leadership to make decisions instead of spending time analyzing data.