There is no shortage of spend or need on security services. Gartner has recently predicted that worldwide spend on security products and services will reach $124 billion in 2019. This spend, coupled with a security skills shortage and changing regulatory and compliance requirements – such as the General Data Protection Regulation (GDPR) Act – that put a further strain on internal resources, has companies turning to managed security services for part or all of their security needs. But how do you know if a managed security services provider is the right one for your organization? We’ve put together a list of the top five questions and criteria that security services providers should be able to answer and meet.
Do They Provide Continuous Monitoring?
Most Managed Security Services Providers (MSSPs) tout their “always on,” 24 x 7 x 365 monitoring policies. However, make sure you clarify that this applies to all levels of their managed services offerings and not just, for example, a “premium” level that you may or may not subscribe to. Further, if there is an incident, what is the exact plan to communicate the details, and to investigate and respond?
What Kind of Reports and Insights Will Your MSSP Provide and How Often?
Not every event is an alert, and not every alert is an incident. While your MSSP is providing details on incidents, helping you detect, investigate and respond, it is also important to get a view of the events and alerts happening in your environment. Ask your MSSP what type of insights and reports they will provide your organization on a regular basis. These reports can help you with reporting on regulatory and compliance requirements. Additionally, they can help you rationalize which security controls to put in place before events become alerts and alerts become incidents. Ask for customization as needed: you want to make sure the reports are intuitive and reduce the amount of time you spend on compliance and regulatory reporting.
Do You Support Hybrid Security Infrastructure?
Organizations are slowly but surely moving more applications and services to the cloud, but approximately 85 percent of the infrastructure, depending on the industry, is a mix of proprietary or existing on-premises security solutions. MSSPs should be able to protect and monitor a vast array of infrastructure, either public or private, but some specialize in certain vendors, or in cloud versus on-premises, and may not be comprehensive. This can add unnecessary costs and vulnerabilities as you shift existing infrastructure to the cloud or keep it on-premises. Be sure your MSSP can monitor all of your existing security needs even if you have plans to move in the future.
What’s Your Shared Security Responsibility Model?
When outsourcing anything, you need to ask: exactly what pieces are you responsible for, and what pieces am I responsible for? This applies to childcare (yes, the child of course, but also laundry, cooking, cleaning?) and lawn mowing (just the driveway, or the front path too?). You get the gist. Make sure you have a clear delineation between what your organization is responsible for in terms of security and what your MSSP is responsible for – leaving no wiggle room, because as noted above the cost of an attack is no small matter. There is also, of course, the matter of the security vendors and what they are responsible for as well. We have outlined in our blog here how the shared security responsibility model can be broken down.
Who Do You Partner With?
It might seem like a no-brainer – you hire the MSSP and they take care of everything themselves, right? Well, not so fast. Some MSSPs depend on third-party tools themselves to help take care of the overarching security infrastructure. This is definitely an acceptable practice – and even works to your advantage, because you’re now receiving managed services and best-of-breed tools to monitor it all, like Trend Micro or Barracuda, who we work with – but just make sure you know this up front so that no finger-pointing can occur later on.