• Managed Security Services, Managed Services

7 Steps to a Successful Partnership With a Managed Security Services Provider

History is filled with stories of seemingly great partnerships gone wrong. After successfully leading Roman slaves in a revolt that resulted in their freedom, Spartacus and Crixus argued about what to do next. They parted ways with their respective followers. Each was subsequently destroyed by the Roman Legions.

The songwriting partnership between John Lennon and Paul McCartney made The Beatles one of the most successful musical acts in history. Eventually, though, they went through an ugly public breakup. And for a while, they even used their prodigious talents to write songs attacking one another.

In the technology arena, Mark Zuckerberg and Eduardo Saverin co-founded a little social network called Facebook in their Harvard dorm. You’ve no doubt seen the movie or read the articles about the feud that ended their partnership.

In these instances and hundreds more, partners started with a similar vision and goals. Somewhere along the way, however, disagreements destroyed their successful relationships. The risk of conflict exists with any partnership, including the hiring of a managed security services provider (MSSP) to augment your IT staff’s capabilities.

Hiring an MSSP is an increasingly popular option to help you manage your information security, however certain steps must be taken to ensure a successful relationship.

7 Ways to ensure a successful partnership with an MSSP

There are seven key areas that a company should think about when forming a partnership with a managed services provider.

1. Define the engagement strategy

A great partnership begins with both sides understanding what needs to be included in the scope of work. This initial step is about more than service-level agreements (SLAs). It requires clearly defining the responsibilities of the MSSP and your company, respectively. That sounds obvious, but it is far from simple. Too often these partnerships go wrong because it is assumed that the provider will handle this, or your IT staff will handle that, and in the end, no one handles anything.

That’s when the finger-pointing starts.

To avoid this situation, you should spell out what the business is trying to accomplish overall, not just from a technology standpoint.

The initial MSSP onboarding process substantially affects the success of the entire relationship. Failure to transfer information and synchronize security processes often dooms the relationship. By understanding your organization’s goals in context, the MSSP may be able to make recommendations that support the business strategy beyond what you are doing currently. It is often helpful to obtain an outside perspective and gain insight into what other organizations are doing to address similar issues; a good MSSP can provide both.

Clearly defined roles, responsibilities, processes, and business goals can ensure both sides understand and agree to them. Communication is key. With a clearly defined plan, the MSSP can develop a contract that accurately reflects what your organization needs from them and deliver its services at those levels. They can create alerts and execute the change requests you ask for, not the ones you secretly want.

What to consider before you start the conversation:

  • If you cannot hire, don’t look at implementing a Security Information and Event Management (SIEM) solution.
  • If you cannot move your data outside the organization, don’t look at MSSPs.
  • If you cannot hire and cannot move the data out, concentrate on a managed SIEM model.
  • If you need help running your SIEM but also with ongoing monitoring, look for a hybrid model with MSSP managing your SIEM and helping with monitoring.

2. Understand the state of your environment

What technology do you have today? Is it current? Is it sorely in need of an upgrade? How well do individual components match up with one another? If you do upgrade, what effect will that have on your operation? Will it simplify things or add a level of complication?

The answers to those and similar questions can have a profound effect on the success of the transition.

You can assess these questions internally or use an MSSP to perform a complete assessment of your current technology, how it matches up to industry standards, and whether it aligns with your business goals. Having the MSSP perform this assessment will keep your resources free for more mission-critical work. It also allows you to take advantage of their experience to see where your environment is relative to similar-sized organizations.

If the assessment is a preliminary step that does not guarantee moving forward with the MSSP on the project, make that clear upfront. Most providers will be willing to perform this work as a separate, paid project.

When the assessment is complete, you will have a better understanding of how much work is required and how long the process will take to transition to a partnership with an MSSP. With this information, you can set timelines, establish realistic roles and responsibilities, schedule outages (if necessary) and prepare your organization for the transition.

3. Consider the gaps in your personnel resources

You are probably well aware of any personnel shortages or skills gaps within your IT organization. You should consider whether the MSSP has the expertise and bench strength to cover those areas—on a temporary or permanent basis.

With an MSSP onboard, there may be responsibilities your organization can hand-off for good, allowing you to focus resources on higher-value projects that elevate the IT organization’s visibility and standing within the business.

If you have had problems with training or retaining IT staff, you should anticipate making arrangements with the MSSP to cover areas outside the normal scope of work from time to time. Spell out how much is covered, when additional costs kick in (i.e., is it by hours, type of work, or another factor), and what those costs are. What about hours of coverage? The typical engagement has the MSSP providing service around the clock. If you have other ideas, make a note of that too.

The more precisely you can see and articulate your current environment, the better service an MSSP can provide on developing the contract. It will also help the provider make useful recommendations to improve your environment in the future.

4. Confirm communications procedures

Come to an agreement on how communications between your organization and the MSSP will work.

Be sure to have a robust feedback mechanism in place to ensure that little annoyances don’t escalate into serious issues. Be certain that both sides understand the format and frequency for status updates and feedback.

5. Keep requirements reasonable and establish expectations

You may find that your MSSP is able to respond to certain requests faster than your internal organization, either due to having deeper expertise or as a result of the additional bandwidth. It is important to set priorities and expectations within the partnership. Give the managed services provider guidelines to follow to ensure what you are asking can be reasonably accomplished in the desired timeframe and budget.

You could write timelines into the contract that require the MSSP to take action within certain parameters. In planning the overall timetable, keep in mind how long it takes your organization to provide approvals and ensure that the provider is aware of it.

If you don’t factor that part in, activities will likely show up as “overdue” sooner or later. This can lead to unnecessary frustration and can make it seem like the MSSP and your organization are underperforming in the partnership, when it is merely a misaligned expectation.

Be realistic in setting requirements—your transition and long-term operations will be much smoother.

Changes requested often cause friction in an MSSP partnership too. Agree on how changes will be handled before signing anything. While some providers don’t place limits on changes, others do. If you typically have 20 changes per month, but the contract specifies a maximum of 10, the additional, unplanned-for changes may add up quickly. The relationship will likely go sour just as quickly. You should also specify if your environment requires all changes to be handled as they come up, or if they can be batched on a regular basis (e.g. weekly).

6. View your provider as a real partner

While obtaining competitive pricing is an important consideration, the real business value in a partnership comes from being able to accomplish things together that you couldn’t have done separately. Overly aggressive attempts to win on price may backfire. Commitment to a strong partnership should have trust and engagement from both sides.

Bring in an MSSP that invests its time in understanding your business, rather than simply providing commodity services. You will be far more satisfied with the results. Help the managed services provider learn about your culture and how to work within it. Are there certain ways documentation or verbal reports should be presented? Is the culture formal and businesslike? Or is it more casual and relaxed? Are there any potential language barriers that should be addressed?

By making continuous improvement and fine tuning a joint effort, a good MSSP partnership can optimize your environment and lighten your workload by reducing unnecessary notifications (“false positives”) and required follow-up action.

7. Get your internal team onboard

Some people may see the MSSP as a threat to their jobs, while others may wonder if the provider will now be dictating to them.

Make sure your team understands that your purpose in engaging the MSSP is to take tedious work off their hands so they can focus on work that will add value to the business and enhance their careers.

If you paint the vision of what this partnership means for them, it will help ease the tensions and lead to a more cooperative atmosphere.

Invest time in trust and teamwork

Spartacus on his own may have been just another gladiator who perished in the arena. Neither Lennon nor McCartney achieved the level of success as solo songwriters that they did as a team. Zuckerberg and Saverin achieved their greatest accomplishments as a development team, not independently.

Many partnerships begin with the short-term mission of solving a specific issue or achieving a particular goal. But, for a partnership to endure, grow and accomplish everything it is capable of, it is essential to lay the groundwork first. To maximize your success, invest time in the beginning to work through the nuances of how the partnership should operate.

If you make that investment, the benefits of an MSSP partnership can grow beyond your original vision and continuously create greater value for your organization.

An earlier version of this article appeared on siliconangle.com.

Authors

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn

You Might Also Like

Subscribe to Edge Digest

Get monthly insights from IT experts delivered to your inbox

Most Popular Posts
8 Steps to Implementing a Knowledge Management Program at Your Organization
Cloud Computing Service Models
The Top 3 Cloud Computing Service Models
7 Steps to Effective Data Classification
7 Key Elements of a Successful Encryption Strategy
Mobile Device Security in the Workplace: 5 Key Risks and a Surprising Challenge
A Crucial Truth About SASE and Zero Trust You Need to Know
Cloud vs. Colocation: What’s the Difference and How Do You Find the Right Mix?
Busting the Top 3 Identity and Access Myths to Boost Security
10 Reasons Why Your Organization Needs Data Loss Prevention
Visibility for Security: What It Is, Why It Matters and How to Achieve It

Copyright © Sirius Computer Solutions, LLC. All rights reserved.

Contact Us