June 23, 2016
6 Questions to Help You Find the Right Managed Security Services Provider
Cyber security threats are growing at an alarming rate and so is the security skills gap. Even the most well-prepared information technology (IT) teams are seeking trustworthy managed security services providers (MSSP) to maintain 24/7 security vigilance so they can focus on reaching their business-critical goals.
By now, security is a priority conversation in boardrooms across the world. In fact, the Cisco 2015 Annual Security Report indicates that 59 percent of chief information security officers (CISOs) consider their security processes optimized, and about 75 percent of CISOs believe their security tools are “very to extremely” effective.
However, attackers are changing their evasion tactics just as quickly as businesses are changing their protection strategies. Attackers are becoming more proficient at using gaps in security to conceal malicious activity, and often these gaps are completely avoidable. It has never been more important to make security a priority across the organization, from the boardroom and the IT team to end users. But, as the Cisco 2014 Annual Security Report showed, CISOs have also been struggling to hire people with up-to-date security skills due to a shortage of more than a million security pros in the industry.
“The sophistication of the technology and tactics used by online criminals—and their nonstop attempts to breach network security and steal data—have outstripped the ability of IT and security professionals to address threats,” the Cisco 2014 Annual Security Report states. “Most organizations do not have the people or the systems to monitor their networks consistently and to determine how they are being infiltrated.”
But the lack of talent isn’t stopping organizations from fighting the boom in cyber security issues. Frost & Sullivan researchers say more North American enterprises are turning to security partners than ever before to protect against advanced persistent threats, estimating the security services market will grow from $1.81 billion in 2013 to $3.25 billion by 2018.
Making the decision to involve outside help can be a complex process which can defer the introduction of critically needed resources. There may be concerns about loss of control or questions as to how managed services fit into a cloud services model.
With information security concerns and challenges at an all-time high and a global shortage of security professionals to address them, some enterprises are turning toward managed security services to help them.
Choosing the right managed security services provider to partner with can be tricky. Here are six questions you can ask to ensure your company finds the right MSSP partnership.
1. Why should you hire an MSSP?
It can be challenging for an internal IT department with limited resources to keep up with the complex and fast-moving world of technology turnover. An MSSP can provide different levels of support to meet changing requirements, saving an IT staff from keeping up with that Herculean task in addition to their day-to-day responsibilities.
A company may start considering an MSSP because they want to add capabilities they don’t already have, or they want to shift routine operational work off of their internal staff to free them for strategic work that adds more business value. As reflected in Cisco’s personnel shortage projection, it’s often the former.
An MSSP can also aid in troubleshooting, especially for higher-level critical issues. Troubleshooting is often both urgent and time-consuming. It can be an “all hands on deck” activity that forces other important work to go by the wayside. An MSSP can relieve this sudden influx of work and communicate with internal staff as needed to achieve prompt and appropriate resolution.
In today’s global, online, 24/7 economy, there is no such thing as “normal business hours.” Many businesses need to be available to customers at all hours of the day, not to mention that cyber threats are not a nine-to-five occurrence. An MSSP can provide proactive 24/7 coverage, preventing IT staff from becoming overwhelmed and burned out. A good MSSP will have sufficient resources to provide remote management, monitoring, and first-call support services on a 24/7 basis. This can translate into handling your needs around the clock or supplementing the coverage of an internal staff when they’re not available.
Multi-language support is another valuable capability some MSSPs can provide. Whether it’s for internal global users or to meet the demands of various customer segments, some MSSPs can help companies get on the fast track to overcoming language barriers.
2. What kind of facilities does the MSSP have?
The best MSSPs have a high-quality, finely-tuned command center that is fully loaded with the latest technologies, in addition to a lab that can mimic your business’s internal environment to debug any issues the organization is having without affecting production systems.
Organizations can tap into the command center and a lab to take advantage of capabilities they may not have on-premises, reducing some of the “keeping the lights on” workload, and testing solutions before they’re implemented.
When making a decision between MSSPs, make sure their command center has all the certifications required for the technologies it will be using. In addition, an MSSP should hold certifications that point toward the maturity of their internal processes. Don't be shy. Look under the hood and ask about the MSSP's organizational structure, procedures, processes and internal controls. Examples of where to start include ISO standards and SSAE16.
A good MSSP will also have full redundancy and disaster recovery capabilities with automatic failover should the main command center or on-premises data center go dark. Even a few minutes of downtime can cost millions of dollars. Companies should be protected from that revenue and productivity loss.
3. What will the day-to-day be like?
An MSSP should feel like an extension of the company’s IT organization. For example, while day-to-day monitoring and response will be managed by the MSSP, an IT organization will still retain control over the policies and protocols followed. While some organizations assume they’re going to hand over certain services and wash their hands of them, that’s not the case in a good MSSP relationship.
To seamlessly collaborate, it’s important to have the right tools, such as a portal that provides the client with immediate access to day-to-day communication with the MSSP, project status updates, troubleshooting requests, and reports on service levels. There should also be an effective ticketing system that makes it easy to exchange information and provide updates, as well as a knowledge repository so both sides can share best practices, standard operating procedures, debug methods and other critical information.
The MSSP should be prepared to report on any service level agreement (SLA) that is defined, including response time, notification time, accuracy of performing change requests, uptime of devices, and availability of services or hardware. IT teams can also request daily reports such as managed intrusion protection results. If the MSSP is participating in change requests, you should also be able to obtain a report on the success of testing.
4. How strong is their skills "bench"?
The better the team, the better the performance, and it starts with individual certifications. Look for an MSSP whose experts are constantly learning and keeping up with the latest technologies. Certifications are not only a measure of knowledge, they’re also an indicator of a dedication to excellence.
Explore if the MSSP provides a career path for their staff members to gain more expertise and responsibility, especially for the junior-level staff. Nothing is more frustrating than building a working relationship with someone at a partner company only to see them move on in order to take advantage of a better opportunity somewhere else.
5. How strong are their relationships with the manufacturers?
No matter how good an MSSP is on their own, there will be times when they’ll need to involve the manufacturer of the technology being used to resolve issues. Certifications and partner status are good indicators of their relationship to suppliers. If they don’t have a partner status, or if they have a very low one, it may indicate they don’t have the clout they’ll need to resolve issues promptly in urgent times.
You can also check whether the MSSP has direct access to manufacturers’ L3 engineers, who provide expert help to solve the most complex issues. They should also have access to and experience with the manufacturers’ specialized support and tools. If there comes a time when you need help at the highest level, you won’t want guesswork.
6. Is their team a good fit for your team?
Ensure there is a cultural match between your IT organization and your MSSP. Today’s market is overflowing with managed service providers, and not every MSSP is a match for every organization.
A large MSSP might be good at servicing a widely-dispersed workforce but not so good at providing a focused, customized offering the way a small or mid-sized MSSP does.
The key is to identify and prioritize needs, and then find the MSSP that best matches those priorities. They may not be able to fulfill everything on a wish list, but you need to know they can handle the more critical ones.
Fill Your IT Security Skills Gap with the Right MSSP
The growing shortage of technology and security professionals in the marketplace is already leading many companies to work with an MSSP. Couple that stat with the fact that cyber threats are growing 14 percent year over year and you have an even stronger argument to develop a long-lasting and trustworthy MSSP relationship. Shifting part of your IT organization’s security infrastructure into the hands of a qualified MSSP with cutting-edge security skills, services, and technology can not only save you time and boost productivity, it can also ensure a stronger security strategy.
An earlier version of this article was published by Information Age.