Companies are turning to fully managed information security services providers for a variety of reasons these days, but there are some key issues you need to understand before signing on the dotted line. A Managed Security Services Provider (MSSP) may offer anything from consulting to fully managed cloud services, but not all MSSPs operate at the same level. You must know what is important to you and your business, and then do your due diligence in selecting a provider. Here are some core questions to consider.
1. Are they truly 24x7x365?
This is a core issue because it drives other considerations. If they are truly staffed and actively available 24x7, you can be confident that response times in the event of an issue will be kept to a minimum. But if they go “dark” during off-shift and weekend hours, you need to understand their response-time commitments and their escalation procedures for that window, and you should get those commitments in writing. A lot of system repair and recovery work that used to require hands-on effort can be done remotely now, but there are still issues that require boots on the floor. How long it takes them to get to your location can be a critical decision point.
2. What is their Incident Response Plan?
Do not just assume every MSSP has one, or that it will be sufficient to meet your requirements. By asking about it up front, you can determine whether a particular provider is adequately prepared to meet your needs. If you experience a cyber attack, the type of business you are in will likely dictate many elements of service restoration and of evidence collection and preservation, which may be necessary for pursuing legal action. Ask how evidence is collected and how chain of custody is maintained, and check that the plan can meet any notification deadlines your regulators or contracts impose. Your MSSP’s Incident Response plan will need to accommodate these requirements. Details of who will communicate with law enforcement, customers and the media should be part of the plan, to avoid missteps by either you or the MSSP.
3. What is actually included in the “Managed” part?
Leave no assumptions on the table! MSSP firms may manage anything from just the physical environment all the way to application performance on your servers, so you absolutely must be clear on this point. You may not want them deep inside your business, monitoring transactions on your servers, and that is fine, but if they are not, then you need to own that portion of the monitoring. Get the scope in writing: which systems, which log sources and which alert types they are responsible for, and who owns everything that falls outside that list. Assumptions lead to problems; make sure you are clear on this topic.
This is by no means an exhaustive list of the questions you might need to consider, but the intent is to get your mental gears grinding. Your specific business, as well as the industry segment you are in, such as healthcare or retail, should drive the conversation with service providers. Knowing that it is not a cookie-cutter industry, make certain you find an MSSP that can and will meet your specific needs, and will work with you as those needs change. And a word of caution: any MSSP that is threatened by, or unwilling to address, a line of questions like this is likely to disappoint you when problems arise. Whether from a lack of experience or from trying to keep costs down, if they have no plans for when things go wrong, beware! It’s your business; make sure your MSSP will treat it with the same care and concern as you do!