Choosing the right Managed Security Service Provider (MSSP) can be a big decision for any business looking to secure itself. Find out how Security Professionals and Business Leaders alike evaluate and hire the right MSSP!
Hiring a managed security service provider (MSSP) is a significant expense, but one that’s well worth the investment if you hire the right vendor. For many businesses, the cost of hiring an MSSP is less than the substantial costs that could result from a data breach, such as incident response and recovery, possible regulatory fines and penalties, business interruption, and loss of consumer trust.
Some companies hire an MSSP to manage specific security initiatives, while others outsource their company’s security entirely to an MSSP. A managed security service provider is a valuable option for companies that lack the in-house resources to effectively manage security, as well as companies that face challenges recruiting security talent with the skills they need to oversee the protection of their business’s sensitive data.
MSSPs can handle IT services, perform regular data backups, manage network security, provide security monitoring and incident response services, and more. While many MSSPs offer a similar set of services, not every MSSP is a good fit for every business. Some have extensive experience serving clients in specific industries, giving them greater insight into the unique security requirements for companies with regulatory compliance needs (such as SOC 2, HIPAA, or PCI DSS) or those that handle certain types of sensitive data.
With many managed security service providers to choose from, evaluating and hiring the right MSSP for your business can seem overwhelming. To learn more about the important questions to ask and other essential considerations, we reached out to a panel of security professionals and business leaders and asked them to answer this question:
Read on to learn what our experts had to say about their top tips for evaluating and hiring a managed security service provider.
Thierry is a CEO & Founder of Kohezion, the only true no-code, online database software. Since 2012, Kohezion has been turning data chaos into order for thousands of customers.
"Look for a partner that has a holistic outlook on how they are going to protect you…"
A good MSSP will not only be looking at your anti-virus, firewall, and patching but also will ensure that they are capable of implementing a transformational security change to create a comprehensive outlook on protecting your business.
That outlook considers the following factors:
A good MSSP has experts in more than one area of digital protection. If they do not, then they are not right for you.
Do not hire an MSSP based solely on costs because it will not provide you with the right protection. Many organizations think that they are MSSPs, but they do not have the capability and expertise to protect your business.
Dr. Al Marcella, CISA, CISM, is the President of Business Automation Consultants (BAC), LLC, located in St. Louis, Missouri, with experience in IT audit, risk management, IT security, and assessing internal controls. Dr. Marcella has authored numerous articles and 28 books on various IT, audit, and security-related subjects.
"My number one tip for evaluating MSSPs is to…"
request and require a copy of the third-party’s latest information technology (IT) risk assessment.
Use this to find out what IT operating risks have been identified and what the provider has done to mitigate these risks. If the third-party is operating with unidentified, uncontrolled risks, what does that mean for the overall security of the client’s network? If risks have been identified and have not been addressed, what does this say about the service provider’s commitment to protecting not only its environment but the client’s as well?
If the date on the risk assessment report is “aged” (more than nine to 12 months), it may no longer be relevant. This speaks to the vendor’s proactive ability to address changing technological risks within their operating environment, or the lack thereof.
If the service provider gives a puzzled look or balks and does not (or cannot) provide a current IT risk assessment, there could be significant problems. Seriously question the provider’s ability to provide the services required, at the heightened level of security that is essential for the organization’s network.
Maybe it is not an unauthorized access attempt or a penetration attempt, etc. However, a failure in the ability of the third-party to sustain ongoing operations would certainly have a direct impact on a client’s network availability and reliability.
The risk assessment, if fully and properly conducted, would address, among many issues, the provider’s business resiliency capabilities. If the service provider experiences an event that affects or incapacitates its operation, preventing the provider from regaining operations immediately (or in a timely manner), what will be the impact on client IT operations and end users?
Evaluating and hiring a managed security service provider? Obtain and evaluate the vendor’s current IT risk assessment report.
Bob Herman is the Co-Founder and President of IT Tropolis. He is an engineer with over thirty years of professional working experience. His areas of expertise include managed IT services, data protection, cybersecurity, cloud computing, technology implementations, project management, IT operations, business continuity, network topology, and virtualization technologies.
"When evaluating MSSPs, always ensure they have…"
SIEM software running at a minimum, and that they have staff monitoring and responding to alerts.
MSSPs should proactively address issues, not wait for the customer to contact them with an issue. In addition, a good MSSP should confirm that you have a managed backup and disaster recovery system in place for all your critical data, offering a data protection service in addition to security services.
Peter Smythe is the Founder of WePrivacy.
"My number one tip is one of the best metrics one can use to evaluate a managed security service provider…"
It's none other than how many hacks and bug bounties they have successfully carried out.
The reason for this is simple. Most awards and accolades have very little to do with companies' technical capabilities. Customer reviews are also subjective, and if you're hiring a security service provider you probably won't truly know if they are doing a good job or not. However, the number of hacks they have carried out is not something that can be faked, and it shows the true technical knowledge and capabilities of a company. Luckily, there are plenty of hacking conferences (e.g., DefCon) and bug bounties available online that allow companies to showcase their talents. For example, Apple now offers $1.5 million to the person who finds the most serious security flaw.
The better a person understands a system's weaknesses, the better they are at protecting it. That’s why I think hacking capability is the number one factor to look out for.
Aaron Simmons is the founder of Test Prep Genie. He believes in studying smart rather than studying hard to be successful. On this blog, Aaron shares tips and tricks on how to develop smarter study habits. Readers learn how to test prep the right way, ace any exam, and become one step closer to their educational or professional goals.
"My best tip for evaluating and hiring a managed security service provider (MSSP) is to…"
Check the company’s references.
Ask for a couple of references from the potential MSSP. One of the important references that you must have is the business owner’s contact information. Ask frank questions, as engaging with a potential MSSP is a significant expense and will hopefully be a long-term relationship.
To evaluate, you need to know whether the MSSP has experience in your particular field. An MSSP that specializes in logistics may not be a good fit for health care services. This kind of situation must be avoided, so it is best to communicate.
Bonus tip: When contracting the services of a potential MSSP, you need to approach negotiations as a partnership. This creates mutual benefits, service level agreements, measurable deliverables, and dispute resolution mechanisms. Well-detailed information and a clear understanding of your agreement are also a must.
Bottom line: When considering MSSP arrangements, the above approach must be borne in mind. Mandate meetings or calls to discuss upcoming projects, performance, and issues.
Manny Hernandez is a self-made entrepreneur, CEO, and co-Founder of Omni Inc. He is a consummate marketer and information technology professional with over ten years of experience in the fast-evolving arena of direct response marketing. He loves to travel and enjoy the freedom that working online provides.
"The major key to evaluating an MSSP is to first codify your requirements…"
For example: Do you need them to simply watch alerts during off-hours when your own staff is not available? Do you need advanced skills or experience that your team does not currently have? Is your company part of a vertical that may have specific requirements? These are different requirements that do not simply help you decide who might be better; they may completely remove a vendor from the selection process.
Many MSSPs will simply offer lower-end, semi-skilled labor to monitor events. They add little to no value on top of this; they are simply a body shop offering economies of scale. If that is your need, then great, you have found a match! Many companies, however, are looking for advanced cyber skills they may not be able to attract in full-time staff, or their market vertical may have specific needs. If you have an outbreak, do you need forensics work, or do you simply want to wipe the machine and hope for the best? These detailed needs must be verified with the MSSP.
Christopher Gerg is the CISO and Vice President of Cyber Risk Management at Tetra Defense. He's a technical lead with over 15 years of information security experience, dealing with challenges of information security in the cloud-based hosting, DevOps, managed security services, e-commerce, healthcare, and financial and payment card industries.
"The first thing I want to know is how mature their own information security program is…"
This is often overlooked, but think about it: You're giving this organization access to sensitive data and information at a minimum and giving them administrator-level access to critical systems and data in most cases. A breach in their environment can quickly become a breach in yours! We see this all too often with managed service providers’ customers getting hit with ransomware because their MSSP was hit – and the attackers just move from environment to environment.
Ask about their authentication and authorization mechanisms. Ask about how they maintain their systems and services. Ask them about their development practices. Negotiate a right to audit for very high-risk services so that you can go on-site and inspect things yourself (or a trusted advisor can as your agent). This is all assuming that the service they are providing does not increase the administrative burden on my IT staff, and actually does what it says it does.
Heinrich is a Privacy Expert at Restore Privacy.
"The most important thing is to get a solid recommendation…"
Don’t just go off of online reviews or things you’ve heard. Don’t rely on what the provider claims or says, either. I’ve heard horror stories of companies hiring providers with good reviews that turned out to be ineffective and ultimately put the companies at risk. I’m not going to name and shame, but be very cautious. I’d reach out to peers or other major players in your industry and see what provider they’re using successfully. Your absolute best bet is to go with a vendor that’s vetted and tested. It’s the only way to ensure that you are getting the best security available. Why risk it when someone else can help you out?
Skyler is the President and CEO of Ardent Growth. He is an advocate for small business owners, passionate about education, and an Iraq war veteran. Skyler graduated with honors from MSU’s Computer Science and Philosophy programs.
"Check customer references, especially those who are in the same industry…"
You'll get honest feedback from these business owners who can assess the services of an MSSP. Look into the reputation of an MSSP by considering their past and current customers. Ask them about the professionalism of the service provider, customer support assistance, cost-saving packages, and priority given, considering that they can service multiple business clients at once.
Maksym Babych, MBA, Ph.D. candidate, is the CEO at SpdLoad.
"Finding the right managed security service provider is just as important as finding the right staff for your business…"
In order to provide exceptional value, a provider must first understand their customer’s business model. This helps providers develop a rock-solid solution that can create a long-lasting, happy customer. Before a provider can recommend solutions, they must first ask about the customer’s business and make sure they have a clear understanding of what the customer needs. Without this critical information, the solution is just a sale, and they are setting themselves, and more importantly the customer, up for future problems.
Hamna Amjad is a Tech Expert at Printer Graphics.
"Here are the top two factors that you should consider for hiring a managed security service provider…"
Israel Gaudette is the Founder of Link Tracker Pro, one of Canada’s fastest-growing SaaS companies.
"Verify your MSSP’s security practices…"
The deciding factor should be the reputation they have and the effectiveness of their strategy around security. A security breach happened once in my company, but I was never worried because I know I have a reputable MSSP team in place. Now, the question is how did I know that they are reputable? Simple: I conduct in-depth conversations with their long-term clients to see how they perform and if they have a proven track record. Knowing what to probe is the key. I make sure that I have a thorough understanding of how they will steer down the risks. They should always be keeping up with the current risks and remain updated with the expertise they’re offering. I make sure to have a grasp on all the factors involving it. And once they present a concise action plan on every possible risk, then they’re perfect for the job.
Generally, putting your business’s security posture and sensitive data in the hands of a complete stranger is a very crucial decision to make. However, this stranger can be your absolute protector if chosen diligently and wisely. When it comes to evaluating and hiring an MSSP, always remember to never base it solely on cost. A proven track record should always be a top priority.
Amara Ukaigwe is the CEO of Book Learn Pass, a platform providing driver training resources.
"My number one tip when evaluating and hiring a managed security service provider is to…"
Choose a provider that can not only identify vulnerabilities in your business but also help train employees in your business on how to meet their individual compliance requirements. The best service providers should be able to do both of these things. Opt for a service provider that provides easy-to-understand reports, training material, and additional information that you can use to create compliance policies and frameworks within your business.
Paul is the founding Director of Intrinsic Executive Search. He has headhunted for many hundreds of software companies ranging from large corporations, to mid-caps, to VC-backed startups. Paul also mentors and supports several startup software companies. Outside of work, Paul is interested in all matters nautical and sails whenever he can.
"Bringing an MSSP on board is a significant expense, and the one thing I look at when considering such a service is…"
The provider’s vertical-specific experience. Sure, the IT infrastructure required in the marketing or healthcare industry would work just fine in the recruiting and HR management sector, but each of these industries has lingo that is very unique to them. As someone who is in the recruitment sector, I want an MSSP that has people in its ranks that have solid experience with managing digital security in this particular sector.
It also helps to find out about the provider’s reputation to ensure that they do have the expertise they claim to have. A reputable MSSP should be able to offer more than the basic security services. They should have a track record of implementing security solutions that are customized to the needs of the business.
Mr. Dumi has been with eMazzanti for 12 years, previously serving as Senior Network Architect and Team Lead. He holds numerous certifications, including ITIL IT Service Management, PCI-QIR, WatchGuard Certified System Professional, Lean Six Sigma, and several Microsoft Professional certifications.
"My number one tip for evaluating and hiring a managed security service provider is…"
Any company can paint a stellar picture on their website. Take time to look under the hood before you commit. Ask for case studies and reference sites. Do the executives supplying MSSP services have a proven record in the industry? Do the technicians have the certifications and experience they need to inspire your trust? Has the provider won key industry awards?
Stephen Wright is the CEO at Wright Business Technologies, Inc.
"Besides protecting your IT environment, your MSSP must have…"
The tools and knowledge to help you comply with all applicable privacy and security laws.
The MSSP must know what laws are applicable to your business based on your region, and the provider should offer functionality such as asset discovery, vulnerability assessment, intrusion detection, and log management. The MSSP should also have the ability to integrate data from legacy security tools to ensure compliance.
Janet Patterson is a VP of Marketing Communications for Highway Title Loans and the feature editor of its Lending Blog.
"MSSPs or managed security service providers are now being hired by companies to…"
Address specific security initiatives, or in some cases, companies are outsourcing their entire security program to an MSSP. Companies with limited resources or those that want a security program immediately can benefit from this option, as they would lack internal security expertise.
However, there is a lot to consider when hiring a managed security service provider. After all, you're placing your company's security posture and most sensitive data in the hands of a third-party provider.
One important tip is to start by clarifying your requirements. You need to see if the MSSP is working to understand your requirements or not. If you don't bridge this gap in the beginning, then your MSSP is only there for the sale and will only cause you problems in the future. It is essential to find common ground in the beginning and build your relationship based on it. If you think your MSSP understands your requirements well, then you have found yourself a good match.
Bradley Stevens is the Founder and CEO at LLC Formations.
"My number one tip for evaluating and hiring a managed security service provider is to…"
Take notes of the technologies being offered and who will be delivering and installing them. As your MSSP, they are responsible for looking into every single thing.
To be sure of the technology and their quality, take notes of them and then do some research online to confirm that what has been offered to you is the best-of-breed solution. Quite a number of vendors and resellers can and will try to create unnecessary complexities and even introduce security vulnerabilities in your environment. However, an expert MSSP will have professional staff who will take you through the entire process, even the security provision, for your satisfaction. These experts will come with a range of certifications that include CISSP, CISM, CCSK, CSCS, CIPT, and Security+.
Sandra Matthews is a Marketing Specialist at The Product Analyst.
"One of the most overlooked factors to consider when evaluating a managed security service provider is…"
Their credibility not only as a firm but how their previous and present clients see them.
Will anyone be willing to vouch for them and their service?
Engaging with an MSSP isn't done in a snap, as it entails a deep relationship which can only be nurtured with a positive experience and sustained trust. Do not be afraid to ask around and get referrals, or ask them for references. An efficient MSSP won't second-guess giving you a list and will be confident whether or not you do the hard work of actually asking before getting into the partnership.
Ask for copies of audits, evaluations, and files to prove that they have a good track record in accomplishing their deliverables. Be transparent so that you can ask for transparency in return. Hiring an MSSP is not an easy negotiation but being able to ask and gather rightful information will help you a lot in deciding which MSSP you should choose.
Pieter VanIperen is a former SVP – Global Head of Cloud Security at a major media conglomerate and a Cloud and Security Consultant for a national consumer insurance company, national bank, and others. Most recently as the Founder and Managing Partner of PWV Consultants, Pieter leads a boutique group of industry leaders and influencers from the digital tech, security, and design industries.
"Choosing a managed security service provider is an incredibly important decision…"
While the idea is cost savings and trusting that an expert has your back, entrusting your security to a third party can be scary. The best thing to do when looking for an MSSP is to see how they compare to other providers. Most importantly, focus on whether they themselves or other clients have had breaches. Have them walk through how they detect breaches and react to them, and what you can expect if you face one.
The bottom line is that the company you choose is going to be entrusted with the security of your business to not just prevent breaches but also to stand by you through one on your worst day.
Haris is the founder of the world's largest menu/pricing aggregator website, Pricelisto.com.
"Ensure that the managed security service provider can…"
Explain in detail what that organization can expect for the money they invest.
They should be able to describe their certifications and experience dealing with the constantly evolving landscape of IT security. They should be able to provide an in-depth track record of how they have managed similar security threats for similar companies.
Ruben Ugarte is the Founder of Practico Analytics.
"I expect all MSSPs to offer similar things…"
Technical features, security guarantees, and good customer service. I'm interested in knowing one thing: how they handled a recent data breach with one of their clients. This tells me how they will perform under pressure and make tough choices.
Zeguro is a cyber safety solution and insurance provider for small to mid-sized businesses (SMBs), offering a comprehensive suite of tools for risk mitigation and compliance, as well as insurance premiums that are tailored to the size, sector and profile of a company.