Challenges with Managed Security Services
MSSPs are a great bargain, but you have to find the right fit for the services you need now, the services you will need in the future, and the size and market of your business. Where most MSSP engagements fail is that the customer doesn't get what they thought they were going to get. Oftentimes this is because neither party did enough due diligence before signing a contract.
It is the customer’s responsibility to understand cybersecurity offerings enough to know what to ask for. MSSPs should be able to present their customer with a menu of service options. If all you need now is a SIEM provider, you might be pigeonholed when your program maturity evolves to need managed detection and response services, threat intelligence, and behavior monitoring. Customers need to really understand the capabilities of their potential service providers by understanding the markets they serve and by talking to existing customers.
Managed Security Services Provider Checklist
- Does the MSSP provide a menu of services that you will not outgrow as your cybersecurity program matures?
- Does the MSSP ask questions about your business, technology landscape, and current capabilities?
- Have you checked MSSP references with current customers?
- Have you obtained a sample SOW that clarifies what’s in and out of scope?
- What does the MSSP's team look like in terms of size, skills, certifications, etc.?
- What software tools are used in the delivery of services?
- Is the MSSP aware of regulations or compliance laws in your industry?
- Do you know exactly what the MSSP is going to provide, how they will provide it, and does the contract reflect your understanding?
- Do you understand what could drive future costs, and are those costs palatable?
- How much will you have to modify your processes to align with the way the MSSP delivers their services?
- Do service level KPIs impact the provider enough to drive performance?
- Who owns the relationship and vendor performance in your organization?
- Is there an ongoing governance process in place?
- Do you like them? Do their other customers like them?
The primary thing to remember when considering Managed Security Services is that the ownership for the security program and for incidents will always reside with the customer — you cannot outsource responsibility.