How to Evaluate a Managed Security Services Provider (MSSP)

On average, cyberattacks cost companies around $200,000.¹ That figure includes direct losses, costs for responding to the attack, and associated costs for performing crisis management with clients.

Whether your company lacks the resources to manage your unique security and compliance needs, or you don’t have the tools and time to address your requirements, a managed security services provider (MSSP) could be the solution. However, simply hiring a security services provider isn’t enough. Choosing the right MSSP for the job can be the difference between protecting your company’s assets and capturing value and a return on your investments or putting your data, systems, employees, and customers at risk.

If you’re ready to take your company’s security to the next level – or looking to capture greater value and return on investment from your existing MSSP – keep reading to gain insights and best practices for evaluating and selecting an MSSP.

1. Check That the MSSP Will Meet Basic Requirements 

The first step in choosing a managed security services provider is evaluating their ability to meet or exceed your functional business, technology, financial, legal, reporting, and service level requirements. At this stage, you’ll want to discover more about how the provider operates, what their capabilities and services are, what service levels they guarantee, and how they deliver managed detection, response, and other cybersecurity-related services. 

While making sure your functional requirements are being met is important, your first few interactions with the MSSP can help narrow your choices so you invest time with the right type of provider that will address your needs – while adding superior value to your security and IT department and organization.

Spotting the Difference Between Value-Focused Partners vs. Transactional Vendors

Many service providers are considered “transactional vendors.” Their services or solutions are typically commoditized and sold as a one-size-fits-all with no customizations or modifications to fit the unique requirements of the customer. These solutions are typically sold by the provider that demos the features and functions of the solution to the prospect – covering a wide variety of functionality – just hoping some of the features and functions resonate with the prospect so the prospect will ask for a quote. Basically, these vendors are simply pitching a solution and hoping the solution’s features addressed a need that the prospect has.  

This is a transactional way of approaching the market and often creates confusion for the prospect as the prospect is now responsible for connecting the dots between the solution being proposed and how that solution addresses their unique needs and requirements.

Value-focused partners take a different approach. They initially engage customers using a discovery process with the prospect to understand and document the unique requirements, needs, and expectations of the prospect. Once they complete the discovery conversations, the value-focused partner creates a customized solution for dealing with a prospect’s unique needs and requirements. They then schedule a working session with the prospect to get their input into the solution in order to ensure that the solution being proposed will address the prospect’s unique needs, requirements, and expectations. This approach also empowers the prospect and provides them the opportunity to influence the components of the solution. They also then have the chance to complete additional research and ask questions about the solution and services being proposed so they fully understand the solution, services, and the expected value and impact the solution will have on their team and organization.

This approach is more time consuming and intensive for both the prospect and the value-focused partner. However, that investment ensures that a company’s security needs and requirements are being met, and the prospect can accelerate the value and create a return on investment from the solution and service being delivered.

Ask About Their Operations, Metrics, and Performance

Many MSSPs will offer promises and showcase statistics about their previous success such as how many customers, certifications, and locations they have, as well as how many alerts, events, and threats they are dealing with daily, weekly, monthly or annually on behalf of their customers. These are common statistics or pieces of information that MSSPs use in their marketing and sales presentations. But those figures mean little if they aren’t backed by examples of how the MSSP is deflecting threats, removing vulnerabilities, and protecting clients from cyber threats and attacks. You need examples to know how exactly the MSSP is reducing the risk, cost, and time associated with performing managed security services on behalf of their customers.

2. Screen for Important Criteria

Once you’ve ensured that a security provider can meet your company’s basic and critical requirements, the next step is to screen for other important operational criteria. This includes criteria beyond technical or engineering tasks and includes communication, metrics, and performance ratios. 

When it comes to evaluating and selecting a vendor that you will trust with defending and protecting your company, clients, systems, applications, and data, transparency is the key. Your ability to gain visibility into how the MSSP operates, what their current levels of operational effectiveness and performance are, and what KPI and metrics will be reported will help you to understand which MSSPs are value-focused partners versus transactional vendors. MSSPs that share this level of information around operational metrics and performance should also track, report, and share information on how the client’s team is performing, responding, and operating in conjunction with the MSSP’s team. This is the next level of value and visibility that CIOs and CISOs are looking for.

Prioritize Honest, Transparent Communication

Trust is the foundation of any healthy personal and business relationship. Therefore, one of the most important criteria that should be included within your evaluation and selection process is if the MSSP is providing open, honest, and transparent communication and feedback.

Sometimes this is difficult to ascertain in the evaluation and selection process, but know that if you are working with a value-focused partner, that organization will behave collaboratively. They will be open, candid, and may provide feedback and input about your organization, approach, and team that may challenge your current thinking. This is not a bad thing if it is done in a collegial and productive manner as it demonstrates that the MSSP is looking out for your best interest.

A company may be equipped with the security engineering and analyst skills, operational strategies, and the latest technology to detect, respond, and manage threats, but if they aren’t:

• Communicating and collaborating with you
• Being responsive to your requests or needs
• Proactively addressing problems in a timely manner
• Or reporting back on performance

then the relationship between your company and the MSSP will more than likely be strained, and you will not receive the value that you deserve or expect.

3. Demand the Value 

While most companies realize the danger of opting for the least-expensive managed security option, it’s just as important to understand that a higher price tag doesn’t necessarily mean higher value. 

Once you’ve ensured an MSSP can meet your company’s technical, business, and security requirements and that they fit the criteria you are looking for, it’s time to weigh the value of their services against the investment. At this stage, it’s a good idea to look at additional value-added services that the MSSP is providing that will help your company in the long-term while accelerating the value and return on investment of the solution in the short term. Consider: how does the solution and service being offered accelerate the development or maturity of a security and compliance program or the evolution of your internal team’s capabilities? 

For instance, ongoing SIEM tuning and management will help you to alleviate time-consuming, distracting, non-security related event alerts while security orchestration automation and response helps to automate engineering tasks that will prevent attacks and threats from advancing within your environment. These capabilities help streamline security and IT operations – allowing your MSSP and internal teams to focus on responding to real threats or remediating security events. Value-focused partners will also provide you access to proprietary security threat intelligence and feeds, security and compliance checklists and best practices, and NIST-based playbooks and assets that your organization can leverage to optimize or evolve your security program, capabilities, and posture.

Choosing the Right Managed Security Services Provider

Choosing the right MSSP will help you optimize your organization’s cybersecurity and will generate superior value from your security investments. 

If you’re looking for a value-focused partner that provides a fully managed security service offering actionable threat intelligence with a human touch, Vertek can help.

Contact us today to schedule a confidential consultation with a cybersecurity expert.

Sources:

1. https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html