In the Market for a MSSP? Ask These Questions First
The timing was right to ask Michael Wylie my question about what organizations should ask a of a managed security service provider (MSSP).
“This topic resonates well with me because I was just on the phone with one of my clients who’s evaluating SIEM and MSSP options,” responds Wylie, director of cybersecurity services at Richey May Technology Solutions and a former Department of Defense contractor.
An important topic indeed, he says, because he’s observed more organizations retaining managed services for security. While many large organizations have their own dedicated security team, small and midsize businesses increasingly know that they need a security strategy but also can’t afford in-house infosec security staff. In fact, research from MarketsandMarkets finds the managed security services market is expected to grow rapidly at a rate of over 14% and reach $47.65 billion by 2023.
But the growth of the market, the dire need, and the scramble to find skilled talent, says Wylie, are leading to a fast track for workers that cuts corners on quality and experience.
“I’m seeing more and more MSSPs trying to deliver SOC-as-a-service using subpar talent,” he says. “Authoring an offensive and defensive security course for a local California college, I saw a similar trend. My students who took their first security course and passed an entry-level log management certification were being gobbled up by MSSPs to work in their SOC. Having a 19-year-old security analyst who doesn’t know the OSI Model won’t provide much value to an organization outsourcing security services.”
So, how do you know your MSSP has experienced security pros working for you? What do business IT decision-makers need to ask to ensure they are getting a MSSP that can bolster their cyber defenses and is worth the cost?
Obviously, each business, and each industry, will have different needs in terms of technology and compliance mandates. Those are part of the nitty-gritty details you should get into when evaluating an MSSP. But here are some higher-level questions to ask as you wade through your options that can give you an idea of whether or not an MSSP is worth a closer look.
How much is this going to cost?
Ryan Weeks, CISO with Datto, a cybersecurity and data backup company, says its critical to find out what kind of technology investment a provider might require up front. He suggests asking:
Are you open to using our existing technology and security stack?
Weeks suggests this query because many providers will expect that you either buy new technology, add their technology, or introduce duplicate technology because their architecture requires it. Finding out before an engagement will minimize unpleasant surprises.
What is the long-term cost?
Humberto Gauna, an information security consultant at BTB Security, says this question is essential because “if you are spending capital dollars on equipment, you will need operational money to maintain it, and also to replace it later. Technology has a life cycle and should be considered in long-term planning.”
What is not included in the service?
“Businesses should absolutely understand what their requirements are and how the service provider is meeting those requirements,” says Gauna. “Too often, we see a new technology and service and it really doesn’t meet business requirements.”
(continued on next page: “How do you keep my stuff secure?”)
Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online. View Full Bio
Article source: https://www.darkreading.com/theedge/in-the-market-for-a-mssp-ask-these-questions-first-/b/d-id/1336433?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple