
Selecting the Right MSSP: A Chief Technology Officer’s Checklist 


COMMENTARY: A chief technology officer (CTO) must answer several critical questions before choosing the right managed security services provider (MSSP) for the organization. Get it wrong and you could open the door to a threat actor, disrupt operations, hurt revenue and reputation, and leave employees unable to work.

Start by defining your organization's own security needs, then evaluate each potential MSSP's capabilities against those requirements. The prime factors are technology and integration, service delivery and support, reputation and references, cost and value, compliance and legal considerations, and proof of concept and evaluation.

You could get started by conducting a risk assessment to identify current vulnerabilities and critical security gaps. An MSSP or another cybersecurity vendor can help with this. Next, determine the services you need, such as data and endpoint protection, identity protection, network monitoring, compliance support and so on. Then finalize and document the budget and resources you have for cybersecurity.

As you research and shortlist MSSPs, use industry reports, analyst rankings, client references, and your own security reviews to identify reputable service providers, especially those with specializations in your industry. It is also important to listen to the MSSPs and weigh what they believe you need; they see many environments and incidents, and will have insights you do not.

A word of caution, and I can't stress this strongly enough: if your MSSP does not emphasize recovery as much as resistance, its priorities are doing you a disservice. All the protection in the world does not guarantee that you will not be breached. Recovery from a ransomware event, however, can be made reliable with the right data backup strategy, properly implemented and proven by regular test restores. Also assess each MSSP against your own data protection and security standards. If the MSSP isn't properly protecting its own data and assets, you shouldn't expect it to protect yours effectively. Don't assume it has good standards and practices in place. And if you're signing up for a shared responsibility model, where you retain responsibility for some protections and the MSSP takes others, make certain you understand, in writing, who is responsible for what. Never assume; trust but verify.

If I were to ask an MSSP one question to determine its suitability, it would be about its ability to protect data and quickly restore operations after a breach of your IT network. How can it keep your data from being encrypted by an attacker and restore it with minimal disruption to operations? Are its backup repositories immutable, meaning that once written, a backup copy cannot be modified or deleted, even with an administrator credential, until its retention period expires? A backup that a stolen admin credential can delete is not immutable, whatever the marketing says. Immutable backups are the foundation of a comprehensive and effective cybersecurity program on the front lines of today's threat landscape. It's also good to know whether the MSSP is willing and able to act during an active breach or event. Can it disrupt the kill chain by isolating hosts and disabling accounts, or will it only monitor and alert, leaving you to take all appropriate actions?
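Immutability is a property you can verify rather than take on faith. The following is an added example, not code from the article or from Fenix24, and it assumes the backup repository is an Amazon S3 bucket with Object Lock (the article names no product). The input dictionaries mirror the shape boto3 returns from get_bucket_versioning() and get_object_lock_configuration(); the bucket settings and retention numbers are constructed for illustration. The check treats GOVERNANCE mode as not immutable, because any principal granted s3:BypassGovernanceRetention can delete locked versions early, whereas COMPLIANCE mode cannot be shortened by anyone, including the account root user, until retention expires.

```python
"""Decide whether an S3 backup bucket's Object Lock settings actually make
backups immutable for a required retention window.

Added example (not the article's or the vendor's code). The dicts below mirror
the structure of boto3's get_bucket_versioning() and
get_object_lock_configuration() responses; all values are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ImmutabilityVerdict:
    immutable: bool
    findings: list[str] = field(default_factory=list)


def retention_days(default_retention: dict) -> int:
    """Normalise a DefaultRetention block ({'Days': n} or {'Years': n}) to days."""
    if "Days" in default_retention:
        return int(default_retention["Days"])
    if "Years" in default_retention:
        return int(default_retention["Years"]) * 365
    return 0


def assess_object_lock(versioning: dict, lock_config: dict, required_days: int) -> ImmutabilityVerdict:
    """Return a verdict plus the reasons the bucket falls short, if any.

    versioning:  response of get_bucket_versioning(), e.g. {"Status": "Enabled"}
    lock_config: response of get_object_lock_configuration(); a bucket without
                 Object Lock raises in boto3, so pass {} for that case.
    """
    findings: list[str] = []

    # Object Lock only protects object versions, so versioning must be Enabled.
    if versioning.get("Status") != "Enabled":
        findings.append("bucket versioning is not Enabled; Object Lock cannot protect objects")

    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
        return ImmutabilityVerdict(False, findings)

    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        findings.append("no default retention rule: objects are locked only if each PUT sets retention explicitly")
        return ImmutabilityVerdict(False, findings)

    mode = rule.get("Mode")
    if mode == "GOVERNANCE":
        # Governance retention is a speed bump, not a wall: a compromised role
        # with s3:BypassGovernanceRetention can delete the backups early.
        findings.append("GOVERNANCE mode: principals with s3:BypassGovernanceRetention can delete versions early")
    elif mode != "COMPLIANCE":
        findings.append(f"unrecognised retention mode {mode!r}")

    days = retention_days(rule)
    if days < required_days:
        findings.append(f"default retention of {days} days is shorter than the required {required_days}")

    return ImmutabilityVerdict(not findings, findings)


# Constructed sample settings (not real buckets).
VERSIONING_ON = {"Status": "Enabled"}
SAMPLE_COMPLIANT = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
SAMPLE_GOVERNANCE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                     "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 90}}}}
SAMPLE_YEARS = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 1}}}}


if __name__ == "__main__":
    for name, cfg in (("compliant", SAMPLE_COMPLIANT), ("governance", SAMPLE_GOVERNANCE),
                      ("no-lock", {})):
        verdict = assess_object_lock(VERSIONING_ON, cfg, required_days=14)
        print(f"{name}: immutable={verdict.immutable} findings={verdict.findings}")
```

Ask the MSSP to run the equivalent check (or hand you read-only access to run it) against the actual repository that holds your backups, and make the required retention at least as long as your longest plausible dwell time, since a backup that expires before the intrusion is discovered is no backup at all.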

As you get deeper into discussions with a prospective MSSP, review its technology stack and confirm compatibility with your infrastructure. If you are the one representing an MSSP, do your homework before meeting a prospective client so that you understand the client's unique issues, your compatibility with its technology infrastructure, and how you will mitigate any gaps or misalignment.

CTOs should also examine the service level agreement (SLA) for incident response times, uptime guarantees, and penalties for noncompliance, while confirming 24/7 support availability and escalation procedures. Understand how the MSSP defines "response." Does an automated email or alert satisfy its obligation, or does a human being pick up the phone and call you on a critical alert? Those are very different actions on the MSSP's part, and the SLA should say which one you are paying for. It's also a good idea to request a trial or pilot phase to evaluate the MSSP's ability in real-world scenarios.

Understanding metrics such as false positive rates, detection speed, and responsiveness is also critical in your evaluation. Many protection tools can run in a passive, detect-only monitoring mode. This shows what the tool finds and would act upon, without disrupting operations or affecting user experience, and it is a safe way to measure those metrics during a pilot before enabling automated blocking.

Overall, your MSSP should offer a collaborative approach to security, and you would be well served by establishing regular review cycles for performance assessment and strategy updates. Following a systematic approach to selecting your MSSP allows a CTO to create a partnership that supports not only security and assured recovery but also long-term business goals.

MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff.

Brandon Williams

Brandon Williams is the chief technology officer of Chattanooga, Tennessee-based Fenix24. Brandon has more than 20 years of experience in networking, infrastructure design, implementation and security. He finds the most rewarding experiences are those that blend technology with security, providing resilience to the business while maintaining an excellent user experience.
