Why Use a Managed Security Services Provider (MSSP)?
05 Jun
Why should businesses, organizations, CISOs and IT departments embrace third-party managed security services providers (MSSPs)?
More than nine billion data records have been lost or stolen since 2013. Previously obscure InfoSec conversations are now front-page news.
Your CEO has been paying attention, and suddenly your IT department has a budget for security and compliance for 2017. You remember taking a course on cybersecurity in 2003, but other than that, you're not sure you have the chops to take on a full security management program. You remember a friend at another company mentioning that they use a Managed Security Service Provider (MSSP) for their compliance initiatives. MSSPs provide security management services to customers of all sizes, much as your MSP provides managed IT services.
But before you run off and find a new service provider, ask yourself the following questions:
1. What is Your Driver for Considering an MSSP?
When you start looking for an MSSP, you need to be clear about what you want from the engagement. Are you looking to achieve PCI compliance? Or do you just want to make sure that your network/environment is protected? Different MSSPs provide different services. If it’s compliance you’re after, you’ll want to look for MSSPs with a Qualified Security Assessor (QSA) on staff. If it’s threat detection and security management, it’s important to understand the abilities and limitations of the MSSP’s security analysts.
2. Do You Already Have Some Security Tools in Place?
Hopefully you're already covering the basics and have a firewall and antivirus in place (if not, stop what you're doing and go buy those now!). But beyond those tools, what else are you doing in terms of security? Do you have a vulnerability scanner? Are you monitoring for network intrusions? If you already have those in place, who is managing those tools? Do you need an MSSP to take that over, or are you looking to do something beyond what you currently have in place? Each MSSP has its specialty, but many of them are willing to work with you to define a package that will work best for your business.
3. How Much Budget Do You Have?
Every MSSP provides a plethora of services with different levels of engagement. Understand what budget you have available for the year and what types of offerings the MSSP provides. In many cases, a basic package consists of security monitoring, a managed firewall, and similar services, but if you also need someone to investigate and respond to an incident, that will typically cost extra. Lastly, if budget is an issue, do you have someone internal with the skills needed to fill the gaps in your MSSP service?
4. What Areas of Security Are You Comfortable with Managing and Where Do You Need Help?
Similar to the question about budget, you need to evaluate what skills you have on your own team and how much time those employees have to dedicate to your security goals. If your IT team has someone with experience in security who has the time to monitor the security tools you have in place, then you may only need an MSSP to fill the gap of responding to an alert.
5. What Does Your Network Architecture Look Like and What Type of Environment Do You Need Help Monitoring?
Is most of your environment in the cloud? Is it on-prem or in a data center? Depending on what you want to monitor (maybe you only care about your HQ in Dallas or your PCI environment), you’ll need to look for MSSPs who can provide those services. If you’re already using an MSP service to host some of your critical servers, you may be able to ask them if they provide additional security services.
At the end of the day, the pros and cons of hiring an MSSP are completely dependent on the needs of your business and the resources you have available. There’s no silver bullet for managing security, but an MSSP might make your life a lot easier.