When you decide to look for a Managed Security Services Provider (MSSP) that will meet your technological needs and business requirements, the most important step is to develop a list of selection criteria. An MSSP stays with you for a long period of time, so you should minimize the number of known unknowns to avoid risks and build a successful partnership.

To find a good fit among the many MSSPs available, pay attention to the following:

References

Customer references will always be the ultimate measure for B2B solution and service providers. The easiest way is to check whether online reviews of the company in question are available. Go to Clutch, GoodFirms, etc., or at least use Google, and you will certainly find enough information for (or against) the provider.

Such references can give you a rather realistic idea of how your relationship with the MSSP will develop. In addition, there is always a chance of finding secondary technical or business details that may prove valuable specifically for you.

The more sources offer references about your potential partner, the better it is for you.

Internal Security

As we all know by now, even cybersecurity companies have no guarantee against cyber attacks. Compromising a cybersecurity vendor or service provider may open backdoors into the IT assets of dozens or hundreds of its customers. So a mandatory requirement for every cybersecurity company, including but not limited to MSSPs, is an extremely reliable internal cybersecurity program.

Get clear and concise answers from the MSSP to questions such as where your data will be stored, what kind of encryption is used, and what backup and restore policies and solutions the MSSP uses for itself and for its customers. With this provider, your data will have nearly the same level of security as the provider's own.

An MSSP holding a relevant certification, such as ISO 27001, is a very good sign. However, as a rule, such certifications are not mandatory for MSSPs and are quite expensive to obtain. For these reasons they are usually held by large MSSPs, but not by mid-sized or small ones. With smaller MSSPs you should first check the personal certifications of their employees.

Certifications

Once again, MSSPs may or may not hold certifications from ISO or from vendors. If they do, that's great, but do not forget to verify their authenticity on the websites of the issuing bodies. Just to make sure :).

It is a rare occasion that some unscrupulous group calling itself an MSSP will forge such certificates. Still, it makes sense to go to the vendors' sites and check that the partnership status in question actually exists.

Since a vendor partnership implies partner agreements with certain sales obligations, an MSSP will not necessarily hold such a status. Its managed security platform will surely be based on solutions and products from some vendors, but the MSSP may simply use them rather than sell them, as a partnership would imply. How do you check the credibility of the MSSP in such a case? Again, look at personal certifications. All in all, it is the MSSP team that guarantees your security, not merely a set of cybersecurity solutions.

Flexibility

An MSSP will have its cybersecurity services platform based on carefully selected and integrated solutions. In most cases, customers will also have their own cybersecurity solutions. Sometimes the MSSP may accept your solutions and integrate them into its managed security services delivery process. This can simplify the transition to the partnership for you and increase the ROI of your cybersecurity program.

In most cases this will be the preferred scenario for you as a customer, yet the MSSP may decline your existing cybersecurity infrastructure because it is outdated compared to its platform, or because its platform is already sufficient for the selected package of services and the MSSP does not want additional effort (and expense for both of you). Sometimes the MSSP will suggest an alternative to the cybersecurity solutions you currently use. In any case, if you already have a cybersecurity infrastructure in place, discuss its fate with your potential managed security provider.

Feedback

The agreement you sign with the MSSP must define, in addition to the various SLA aspects, the frequency of communication under normal conditions, when no attack is in progress and no incident requires immediate attention.

Always ask for a clearly defined communication schedule with the MSSP. This can include quarterly, monthly or weekly reports on the number of vulnerabilities discovered and remediated, incidents handled and so on, or weekly video conferences of fixed duration, just to make sure the joint cybersecurity process is going the way it should.

Make sure that emergency communications are clearly defined as well, as this is what you are partnering with the MSSP for. The MSSP's readiness to meet your expectations in this area will be a clear sign of smooth communication after the contract is signed.