So you want to outsource your digital security to a managed security service provider!

There are huge benefits to getting a reputable organisation to manage your digital security. There is also a large risk management component, and a due diligence process to follow to ensure that you are getting the best available.

The outsourcing of your digital security involves an in-depth discovery process. It is not one of those decisions that is solely based on price and cost. Getting the right outsourcing company with the best reputation is critical to your organisation's viability. Making a bad decision, or deciding on a provider based solely on cost, can cripple your business.

These are the areas that you should look at prior to looking at the cost component:

  1. What are they going to do for your organisation?
    • A good Managed Security Service Provider (MSSP) will not only be looking at your firewall, anti-virus and patching.   A good MSSP will have a holistic outlook on how they protect their clients.   A good MSSP will ensure that they are in a position to implement “security change” to create a more holistic outlook on protecting your organisation.
    • That holistic outlook takes the following into account: (start with a protection philosophy and end with a compliance requirement)
      • Technology – UTM firewall, wireless, VPN, best practice and patch management.
      • Management – policy, procedure, process, auditing, reporting, training and education
      • Adaptability – disaster recovery, business continuity, business resilience, backup and culture
      • Compliance – if you have done the above, compliance is relatively easy.
    • An MSSP will have the empathy and understanding to ensure your organisation is protected.
  2. Do they have the expertise?
    • Most managed security service providers focus on one or two types of technology in specific areas. They may have a focus on Cisco or WatchGuard or a specific AV, or a specific make and model of PC.
    • This level of specialisation ensures that the MSSP has the right level of education, training and capability within its ranks.
    • A good MSSP should have people who are experts in one or more areas of digital protection. If they do not, then talk to another MSSP.
  3. Do they have the capability?
    • Most MSSPs have the capacity to manage clients. They will have trained people at every level of the organisation to ensure that they are servicing their clients to the best of their capability. When it comes to capability, the MSSP should have staff with professional qualifications to support your business.
  4. What are they going to change to make their life easier?
    • There are changes that will be recommended by an MSSP for two reasons:
      • The systems that you have in place are not doing the job that they should be doing and need to be replaced with systems that are more secure.
      • The systems that you have in place cannot be supported by the MSSP because they do not have the expertise on staff. So if you have recently invested $10K in a firewall and they want you to replace it with another one worth the same, then you probably have the wrong MSSP.
  5. What benefits are you going to get out of it if you PARTNER with them?
    • The outsourcing of your digital security to an MSSP is a partnership. They are there to protect your data, your infrastructure, your clients and your staff. You pay them to do that. Make sure that all parties involved understand their requirements by putting a service level agreement (SLA) in place. No SLA, then no contract.
  6. How much will it cost?
    • Finally, we have the cost. You should always know how much your monthly digital security cost is going to impact your organisation. If the monthly cost is going to change, then once again you should be looking at alternatives. The cost of an MSSP SLA should include monitoring, management and reporting; it will not include projects that are outside the scope of the SLA.

There you have it. If you employ an MSSP based solely on how much it will cost, then your organisation will not have the right digital protection.

There are a large number of organisations out there who think that they are MSSPs but lack the expertise, capability and understanding that is required to protect your organisation.

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework.   He is a Speaker, Author, Teacher and educator on cybercrime and how to protect yourself from the digital world.
