Manage Learn to apply best practices and optimize your operations.

Questions to ask when choosing your managed security service provider

Outsourcing security services forces midmarket IT organizations to ask tough questions about a provider's capabilities and business model.

Managed security service providers (MSSPs) bring enterprise-class security services down into the price range of...

midmarket companies. They specialize in one or more areas of information security services and then scale their deployment by providing service to a large number of clients in a cost-effective manner. In these trying economic times, you may wish to consider using one or more MSSPs as a way to amplify your security dollar.

Determine Scope of Security Services to Outsource

Once you've decided that MSSPs are an appropriate part of your security mix, you'll need to identify the scope of services you wish to outsource. Are you looking for a vendor to serve as a soup-to-nuts security department? Or, in the more likely case, are you looking for products and services that allow you to extend the capabilities of your existing staff and use human resources more effectively?

Providers now exist for a wide range of security services, including:

  • Firewall management
  • Antivirus management
  • Intrusion detection and prevention
  • Virtual private networks (VPNs)
  • System configuration and management

The appropriate scope of use of MSSPs for your organization will vary depending upon the reasons you're outsourcing services and the benefits you hope to achieve. If you're looking to reduce staffing requirements, you may choose to go with an MSSP for a wide variety of services. On the other hand, if you're looking to gain best-of-class expertise in a particular area, your scope may be tightly focused. In either case, I strongly recommend starting small by engaging a provider to supply a single, non-critical service. This will give you an opportunity to gain experience with MSSP management and ensure this model is an appropriate fit for your organization.

What You Need to Know About a Service Provider

The most important thing to remember when you're selecting an MSSP is that you're selecting a company that you'll provide with the keys to your kingdom. Assigning this high degree of trust should be the result of a careful, deliberative process; security is certainly not a commodity to be awarded to the highest bidder. Here are some questions to ask during the selection process that will help you identify an appropriate security partner:

  • How long have you been in business? How many clients do you have? Can we take a look at your financials? You're planning to enter a long-term relationship with this firm and you have the right to ask them to open up their books for you. It's wise to make this request and, if you're not comfortable reading financial statements, ask your accountant to take a look at them as well. You want to be sure that the firm will be around next month to deliver on their promises.
  • What are your procedures in the event of a security incident? Can you share a few anonymous case studies? You'll want to be sure that the firm has strong procedures in this area and knows how to carry them out. Treat claims that they've never had a security incident with suspicion. Do you know any experienced organization that can honestly make this claim? I don't.
  • What certifications do you hold? What independent organizations have validated that the provider does what they claim to do? Along those same lines, you'll want to check references. If possible, talk to some clients that the salesperson doesn't suggest in addition to the "reference accounts." You'll learn a lot more that way.
  • What are your personnel security policies? At a minimum, you should be comfortable that employees of the MSSP go through a screening and retention process at least as rigorous as the one used in your organization.

Working with your Partners

Unfortunately for midmarket companies, they're on the wrong end of the Pareto principle and are part of the 80 percent of clients responsible for 20 percent of revenue. In turn, midmarket companies don't hold the buying clout of large enterprises. Fortunately, there are tactics that you can use to make sure your voice is heard above the din:

  • Join the customer advisory board. Most organizations have a group of a dozen or so clients that meet regularly to discuss enhancement requests and other issues. Serving on this board provides you with an opportunity to speak directly to key developers and management personnel and influence the future of the service.
  • Track support cases carefully. Keep an internal log of all the support cases logged by your organization to ensure that nothing slips through the cracks. This leads to my final recommendation…
  • Escalate judiciously but consistently. Unfortunately, it's true that the squeaky wheel gets the grease. You want to earn a reputation for consistently escalating cases where the MSSP doesn't meet the agreed-upon SLA. This will encourage support managers to react to your cases promptly. At the same time, you need to be fair so you don't become known as a problem client who makes unreasonable demands. It's a fine line to walk, but it's the best way to ensure that you receive the service you're purchasing.

Managed security service providers can serve an important role in your security architecture. They allow small and midmarket organizations to implement enterprise-class security services on a limited budget and in a flexible manner. Plan your deployment carefully and you may have the opportunity to develop a partnership that lasts for years.

Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a contributor to, a technical editor for Information Security magazine and the author of several information security titles, including the "CISSP Prep Guide" and "Information Security Illuminated."

Dig Deeper on Choosing security services

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.