The timing was right to ask Michael Wylie my question about what organizations should ask of a managed security service provider (MSSP).
"This topic resonates well with me because I was just on the phone with one of my clients who's evaluating SIEM and MSSP options," responds Wylie, director of cybersecurity services at Richey May Technology Solutions and a former Department of Defense contractor.
An important topic indeed, he says, because he's observed more organizations retaining managed services for security. While many large organizations have their own dedicated security team, small and midsize businesses increasingly know that they need a security strategy but also can't afford in-house infosec staff. In fact, research from MarketsandMarkets finds the managed security services market is expected to grow rapidly at a rate of over 14% and reach $47.65 billion by 2023.
But the growth of the market, the dire need, and the scramble to find skilled talent, says Wylie, are leading to a fast track for workers that cuts corners on quality and experience.
"I'm seeing more and more MSSPs trying to deliver SOC-as-a-service using subpar talent," he says. "Authoring an offensive and defensive security course for a local California college, I saw a similar trend. My students who took their first security course and passed an entry-level log management certification were being gobbled up by MSSPs to work in their SOC. Having a 19-year-old security analyst who doesn't know the OSI Model won't provide much value to an organization outsourcing security services."
So, how do you know your MSSP has experienced security pros working for you? What do business IT decision-makers need to ask to ensure they are getting an MSSP that can bolster their cyber defenses and is worth the cost?
Obviously, each business, and each industry, will have different needs in terms of technology and compliance mandates. Those are part of the nitty-gritty details you should get into when evaluating an MSSP. But here are some higher-level questions to ask as you wade through your options that can give you an idea of whether or not an MSSP is worth a closer look.
Ryan Weeks, CISO with Datto, a cybersecurity and data backup company, says it's critical to find out what kind of technology investment a provider might require up front. He suggests asking:
Are you open to using our existing technology and security stack?
Weeks suggests this query because many providers will expect that you either buy new technology, add their technology, or introduce duplicate technology because their architecture requires it. Finding out before an engagement will minimize unpleasant surprises.
What is the long-term cost?
Humberto Gauna, an information security consultant at BTB Security, says this question is essential because "if you are spending capital dollars on equipment, you will need operational money to maintain it, and also to replace it later. Technology has a life cycle and should be considered in long-term planning."
What is not included in the service?
"Businesses should absolutely understand what their requirements are and how the service provider is meeting those requirements," says Gauna. "Too often, we see a new technology and service and it really doesn't meet business requirements."
How do you keep my stuff secure?
If you're bringing a security services provider in to enhance your own corporate defenses, obviously you don't expect them to instead expose your organization further to risk. But that is a real possibility when working with any third party.
How do you stay current against emerging threats?
Gauna likes this question because it reveals where the MSSP gets its information about threat intelligence.
"Service providers should be collaborative in nature," he says. "No one has all the answers, but having several sources to validate is important."
Where are your employees based? Do you subcontract your work?
Gauna suggests asking questions like these to ascertain more about the MSSP's staffing procedures, including how they confirm the backgrounds of their employees.
"Having one source [as opposed to a web of subcontractors] is key," says Gauna. "This equates to a secure supply chain. This also ensures a standard level of service quality. Also understanding how calls are handled can be a tell as to who you are talking to when it matters most."
And back to Wylie's point from earlier, asking about experience levels is also important. Ask about hiring criteria.
How will my data be handled?
"In the era of cloud computing, we see more companies processing data in the cloud, and unfortunately that data is not always secure," says Gauna. "Processing data securely should be a core competency of security companies and [they] should have the ability to provide the details on how their client data is secured."
Before going too far down the road with an MSSP, make sure they have experience in your industry, says Marty Puranik, founder and CEO of Atlantic.Net. The security needs of one vertical can be drastically different from another.
"You want them to have a cultural fit but also be familiar with your business type or business practices so they can help you the most," says Puranik. "For example, if you are a doctor's office and the MSSP primarily has retailers, they probably aren't going to be as familiar with best practices for your industry as someone who has many other medical professionals."
Executive management wants to know why they are investing money in security, and risk mitigation and defense are only part of the equation when you give them an answer. Retaining an MSSP should also further business objectives, and the C-suite wants to know how the provider will help accomplish that.
Weeks' advice for getting at an answer to this topic: Ask "How will you assist in driving organizational changes, if needed, to help support our security objectives?"
Gauna would go at it more directly: "How do you enable my business?"
"These services should enable you to conduct your business better," he says.
Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.