Written by Wen Sin LIM
There is a lot to consider when selecting the best Managed Security Service Provider (MSSP) for your business.
In fact, before you even start looking for a provider, you need to establish clear objectives for the MSSP you intend to engage. Do you need help evaluating an insider threat that should not be handled by your in-house team? Are you opting to outsource low-priority tasks because the security professionals in your organisation lack the bandwidth to handle them while they are focused on more critical, high-priority functions?
Regardless of the motivation, more and more businesses are looking to engage MSSPs. However, choosing the right one is not always easy, and many businesses make mistakes that end up costing them valuable time, money and resources.
Here are three of the most common mistakes to avoid when choosing an MSSP for your business.
1. Using Cost to Determine Effectiveness
While it is not objectively wrong to use cost to estimate the quality of the security service rendered, neither is it right to assume that higher cybersecurity spending automatically translates to greater security. A recent study from IBM found that organisations with higher cybersecurity spending are actually more likely to experience data breaches than those with lower spending. This is likely due to the false sense of security that results from having more measures in place, which can lead to complacency and a lack of focus on actually securing data.
Every penny counts when you are running a business – whether you are a small business owner with a constrained budget and resources, embracing “the Cheaper the Better” philosophy, or a CISO in a large enterprise who can justify paying a higher premium in exchange for enhanced monitoring and compliance capabilities. If pinching pennies ensures that you are able to cover your bases and sustainably afford coverage over time without compromising other business goals, then you have an effective cybersecurity strategy regardless.
2. Not Doing Research
With so many options on the market, it can be tempting to just choose the first provider you come across, or to stick to brand-name, pre-vetted MSSPs that come with years of experience. After all, they have top-notch reviews, and that is almost a security guarantee in and of itself, is it not?
It is not.
Security is risk-based, and since risk can never be fully eliminated, the concept of a security guarantee is essentially a fallacy. This also means that it is important to take the time to research each potential provider to find the one that best meets your specific needs.
By that, we mean that you will want to make sure that the MSSP you work with is familiar with the type of data, systems, and applications your business uses, and is minimally proficient – if not experienced – with them. This is to prevent a costly scenario where you are made to choose between the technology you have bought and paid for and already have in play, and the MSSP who – after the fact – tells you that they will not or cannot use what you already have. Leading firms tend to have the capability to provide custom solutions tailored to your unique needs, but only for the right price.
Research also entails probing into their security strategy, understanding how the team stays current with their expertise, how they obtain intel on the latest threats, and how they are able to provide response around the clock.
You may additionally want to find out if they have worked with your competitors or other brands in your industry, and to make sure that they have a good reputation for uptime and customer service.
3. Neglecting to Read the Fine Print before Contracting External Services
Most businesses are misguided in thinking that contracting the services of an MSSP means outsourcing all their cybersecurity functions in their entirety. They rush to lock themselves into a long-term contract with a provider, only to realise much later that the MSSP they have engaged is not equipped to support them every step of the way.
In the event of a breach, depending on the terms of the contract, your MSSP will either directly handle the incident response with you or hand it off to a third party.
One thing is for certain, though: unless explicitly specified in your contractual clauses, they will not be liable for any additional legal fees incurred, nor will they take on any of the costs of repairing digital infrastructure and restoring data, which are, in the present day, critical costs of doing business in the digital space.
Further, some of the packages that MSSPs offer may seem great at face value, but once you factor in all the software they require you to purchase – many providers will require that you either buy new technology, add their technology or introduce a duplicate technology because their architecture demands it – you may end up spending more in the long run than if you went with a different provider. Additional costs (in terms of labour and resource allocation) such as the cost of implementation and staff training should also be considered when choosing your MSSP.
Avoid Making Costly Mistakes
Selecting a managed security service provider is a big decision for any business. Avoiding these three common mistakes is a first step in the right direction, but further thought needs to go into which MSSP provides the best fit – value for money, industry expertise, etc. – for your specific needs.
The right fit should enable you to adopt a more targeted approach to track down serious threats and incidents, and to take on vulnerability remediation activities, instead of floundering about with more questions than answers.
IMMUNE makes finding the right services easy by vetting their risk profile. By conducting a security audit and a high-level examination of your third-party risk profile, our AI-powered SaaS platform provides you with visibility and control over your MSSP.