"[SMBs] -- not providers -- are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider," warns Dwayne Me, CTO of Tripwire.
That is why it is so important for an SMB to really understand what it needs an MSSP for, to thoroughly investigate and evaluate potential service providers and to set up rules of engagement that will give the organization the best risk mitigation for its MSSP spend.
SMBs engaging with potential security service providers before they even really understand where their biggest risks are puts them in a tricky spot.
"Due to lack of internal resources, they let the MSSP or security service guide tell them what they need," says Andrew McAllister, managing director of Resolute IT Services. "It should be the other way around."
[What kind of security services will suit your SMB? See Six Security Services Every Small Business Must Have.]
If the SMB lacks the internal resources to evaluate needs, then it could pay dividends to hire two firms: an independent third party to evaluate your needs and another vendor to fill them.
"If you're getting your needs evaluated from the person selling you the service, you are in serious trouble," says Matt Malone, consultant for Assero Security. "Never have the fox build the hen house, then guard it. Often a third-party evaluator will end up saving you money."
Regardless of whether you have someone in-house or outsourced to do the risk assessment, the idea is to develop a basic security plan that's lined up with the way the business works.
"Map out business processes that the company uses. Then the technology can be mapped against the business processes," McAllister says. "The company should then analyze based on company policies, government regulations, resources, budget, risk appetite what their security needs are, what is currently covered in-house, and what needs to be shored up."
First thing's first: It might be tempting to just hire your normal managed service provider to handle the security work, too, but don't do it reflexively, warns Dominique Karg, co-founder of AlienVault.
"You can have someone who's good at setting up your network, upgrading your windows machines, and configuring your printer, and they might see security as a good way to increase market presence," Karg says, "but not be skilled in it."
Often one of the big mistakes SMBs make when going after an MSSP is not really understanding what's managed in the bargain, says Brian Herman, vice president of managed security sales at StillSecure.
"MSSP offerings can vary from basic management -- handling updates and requested changes -- to much more advanced management with active security event monitoring and response by security professionals," Herman says.
At the most basic level, a prospective service provider should be able to capably explain to an SMB executive the whys and hows of its offerings in plain English.
"If I were an SMB looking at a prospective MSSP, I would ask them why they are securing the things they are securing," says Justin Strong, senior global product marketing manager for Novell. "If an MSSP cannot explain in terms that matter to me, they don't know my business well enough to secure it."
But looking under the covers, the service provider needs a service-level agreement (SLA) that backs up its claims. Security experts across the board say that reading through an MSSP's SLA terms with a fine-toothed comb is one of the most essential parts of evaluating prospective service providers.
"Read the SLA. Check with existing customers [to see] if they're meeting the SLA conditions," says Pierluigi Stella, chief technology officer of Network Box USA. "Ensure the SLA has acceptable terms. And read it, really! You have no idea what you may find hidden within the fine print!"
Performance language is a dead giveaway to potential gotchas.
"Many MSSPs have loosely defined performance clauses that easily get them off the hook in the event of a security breach," says Greg Grant of ControlScan Managed Security Services. "Not only should the MSSP's SLA include language around 'uptime,' it should also be very clear on what security duties the company will perform and in what time frames."
Grant warns SMBs to look for SLAs that focus on detection rather than prevention. These types of services may be better suited for larger companies that have trained in-house staff ready to deal with the threat, he says.
"SMBs typically don't fall into this category and need preventative services," he says. "In other words, if the MSSP requires participation on the part of the client and they don't have resources to assist, it's not a good fit."
As important as SLAs are, though, it is important not to lose track of a forest for the trees. A big part of working with an MSSP is finding one that understands the organization's business and can tailor its services accordingly. This means evaluating the service provider's business as a whole and doing the necessary reference legwork to make sure it keeps its customers satisfied.
"Some people treat the SMB space as its own vertical or industry segment -- it is not. A retailer with 100 employees is not the same as an intellectual property legal practice with 100 employees," Strong says. "While there is enormous overlap on what things are being secured and how, what I would want to have is an MSSP that knows what keeps me up at night and makes it as easy as possible to implement the right security policies for me."
As a company evaluates service providers, reference calls are crucial. As an added twist, dig deep into a company's references.
"Ask for MSSP clients that have left, not current ones," says Ken Stasiak, CEO of SecureState.
Setting Rules Of Engagement
Once an organization finds the right service provider, it is crucial to set the right rules of engagement -- and get those rules in writing. In addition to having solid SLA terms, contract language that allows for an easy exit will ensure you're not on the hook if things go south -- and it offers a bit more negotiation leverage if the provider knows it doesn't have you on the hook.
"Have a contract that allows you to exit if the deliverables that you are getting are not what you expected or don't match what was promised," says Jeremy Littlejohn, chief analyst and co-founder of MyITAssessment. "Of course, this means you needed to clearly define the deliverables ahead of time. 'Keeping you secure' is not a deliverable."
One of those deliverables should be regular, detailed reporting, Grant says, a requirement that grows in importance if the SMB is under any kind of compliance scrutiny by regulators or customers that have to answer to regulators.
"The business owner should receive reports that contain actionable information, not a bunch of technical data that means nothing to them," he says. "Reporting should provide clear steps and processes to help ensure tight security and, if possible, provide information relative to physical security as well."
Finally, SMBs would do well to build a right-to-audit clause into the contract, Stasiak suggests.
"[Perform] blind tests to determine if the service provider is performing as intended, especially if the MSSP is monitoring systems and/or processes," he says.
If the service provider insists that it has internal audits to prove its controls, press hard for third-party inspection and make that investment regularly, says Stella, who suggests quarterly audits. It may be easier to have the MSSP do scans or pen tests themselves, but this is not the most secure route.
"SMBs are notorious for using one vendor for all services. They trust the MSSP, and it is easy. However, many times the MSSP is auditing or testing themselves," Stasiak says. "If they are performing external monitoring, do not have them do external scans or penetration testing."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.