How do you keep my stuff secure?
If you're bringing a security services provider in to enhance your own corporate defenses, obviously you don't expect them to instead expose your organization further to risk. But that is a real possibility when working with any third party.
How do you stay current against emerging threats?
Gauna likes this question because it reveals where the MSSP gets its information about threat intelligence.
"Service providers should be collaborative in nature," he says. "No one has all the answers, but having several sources to validate is important."
Where are your employees based? Do you subcontract your work?
Gauna suggests asking questions like these to ascertain more about the MSSP's staffing procedures, including how they confirm the backgrounds of their employees.
"Having one source [as opposed to a web of subcontractors] is key," says Gauna. "This equates to a secure supply chain. This also ensures a standard level of service quality. Also understanding how calls are handled can be a tell as to who you are talking to when it matters most."
And back to Wylie's point from earlier, asking about experience levels is also important. Ask about hiring criteria.
How will my data be handled?
"In the era of cloud computing, we see more companies processing data in the cloud, and unfortunately that data is not always secure," says Gauna. "Processing data securely should be a core competency of security companies and [they] should have the ability to provide the details on how their client data is secured."
Do you 'get' my business?
Before going too far down the road with an MSSP, make sure they have experience in your industry, says Marty Puranik, founder and CEO of Atlantic.Net. The security needs of one vertical can be drastically different from another.
"You want them to have a cultural fit but also be familiar with your business type or business practices so they can help you the most," says Puranik. "For example, if you are a doctor's office and the MSSP primarily has retailers, they probably aren't going to be as familiar with best practices for your industry than someone who has many other medical professionals."
Are you also a business partner?
Executive management wants to know why they are investing money in security, and risk mitigation and defense are only part of the equation when you give them an answer. Retaining an MSSP means further business objectives. And the C-suite wants to know how they will help accomplish that.
Weeks' advice for getting at an answer to this topic: Ask "How will you assist in driving organizational changes, if needed, to help support our security objectives?"
Gauna would go at it more directly: "How do you enable my business?"
These services should enable you to conduct your business better," he says.
- Surviving Security Alert Fatigue: 7 Tools & Techniques
- 5 Things to Know About Cyber Insurance
- Everything You Wanted to Know About Security at the Edge But Were Afraid to Ask
- What's in a WAF?