Security Services Evaluation Criteria and Considerations When Selecting MSSP Partner

There are many blogs, articles and whitepapers out there that discuss why you should partner with a Managed Security Services Provider (MSSP). But once you’ve made the decision to partner with a Managed Security Services Provider, what criteria should you consider?


To learn more, read the article The Top Five Evaluation Criteria When Selecting an MSSP that discusses:

  • The five areas you absolutely have to consider when selecting an MSSP
  • Understanding the depth and breadth of an MSSP’s service offerings
  • Identifying the focus of your MSSP’s expertise

There are different types of Managed Security Service Providers (MSSPs) out there, and choosing one that meets the needs of your business requires a lot of research. When selecting an MSSP for the critical job of protecting your company’s information you want an MSSP who can, at a minimum, score well against these criteria, and at best, become your trusted partner in information security.

There are security product companies that offer managed services related to their particular product. There are MSSPs that offer both products and managed services, but often with a limited menu of security devices that they manage. And then there are MSSPs that provide end-to-end security services. From planning and design, to management and monitoring of your security devices, to incident response and forensics, they can fill any gap in your security program.

When evaluating potential MSSPs, be sure you are comparing apples to apples. There are a multitude of questions that you will want answers to when selecting a trusted security provider, but there are certain criteria that will ensure that the provider you choose has the right capabilities to keep your assets protected and your organization out of the news. Here are the top five criteria that you should consider when selecting an MSSP.

The MSSP’s sole focus is on information security services

A company that does not have a sole focus on information security services is not going to have the level of expertise needed to protect your information assets in a perpetually evolving threat landscape. Security companies that offer managed services as a sideline rather than a core part of their business strategy (security device vendors, for example) may not invest in continuously improving that area of their business.

You will want to find out what their primary lines of business are and how much of their revenue is attributed to each, what percentage of their client base are managed service clients, and if their managed service business unit is profitable. These things will shed light on their ability to provide reliable managed security services.

The depth and breadth of their security expertise

All MSSPs claim that they have deep security expertise, but what exactly does that mean? Ask your potential MSSPs how many security analysts they have dedicated to their managed security clients. What certifications do they hold? Are they required to maintain a certain level of certification?

How many MSS clients do they protect globally? The larger the client base, the more threat intelligence there is flowing through the MSSP. And what happens with all that knowledge? In the era of big data, does the MSSP have a central repository for threat data to flow into that can be leveraged to provide predictive, continuous, and responsive protection to all the company’s clients worldwide?

MSSPs with a true research function should be able to use cyber threat intelligence collected from their worldwide client base to predict threats, proactively fortify defenses, continuously detect and block cyber-attacks, and have the information to help clients recover quickly from security breaches. An MSSP that also offers Incident Response services is a huge bonus!

The internal security practices of the vendor

“Do as I say, not as I do” is not the approach you want to see coming from any company that you are going to trust to protect your information assets. Evaluate the internal security policy and procedures of any potential MSSP, and ask them to document any industry standards that they have adopted or follow. Inquire whether they have had an independent review of their MSSP infrastructure and service (SSAE 16 review). If so, be sure to have them provide detail on this review, including who executed it, when it was executed, the scope of review, type of testing, frequency of testing and summary results.

The MSSP should also maintain full, dedicated Security Operation Centers (SOCs) in support of their MSS. These SOCs should be owned and managed by the MSSP, and they should be operational 24x7x365. MSSPs that use “follow the sun” coverage for their SOCs provide disjointed support for their clients when an incident is not resolved before they switch over.

Ability and willingness to aid in configuring the solution to meet your company’s needs

When it comes to protection of your company’s vital information assets, you need a solution that takes into account the nuances of your business, as well as any existing security infrastructure already in place. An out-of-the-box solution is almost never the right answer, as there are many factors that influence the type of solution your company may need. Your MSSP should be able to configure a customized solution that protects your assets while aligning with your business goals.

An MSSP also needs to be agile and flexible, incorporating the managed security solution in the best way to meet the needs of the client, including third-party software products or services. An MSSP should be vendor agnostic and have the ability to support multiple products in each security category, not requiring you to rip out and replace existing security infrastructure in order to utilize their products or services.

Industry recognition and awards

All companies can boast of their capabilities and accomplishments, but outside recognition of those accomplishments goes a lot further in validating those claims. When evaluating MSSPs, seek out industry recognition that backs up the claims they make. What do industry analysts say about them? Does the MSSP appear in any annual rankings? Where do they place in those rankings? Have they won any awards for their managed security services?

These types of recognition provide you with objective opinions and evaluations of an MSSP’s ability to live up to what they claim, and should be one of the criteria on which you make your decision.

While these five criteria are by no means an exhaustive list of things to consider when evaluating potential MSSPs, they do assist in weeding out the companies who will not measure up to the highest security standards. When selecting an MSSP for the critical job of protecting your company’s information assets, you want an MSSP who can, at a minimum, score well against these criteria, and, at best, become your trusted partner in information security.

Source: Secureworks