The pressure and concern around security in today’s digital business world can be daunting. Some businesses are operating on tight budgets, don’t have the talent in-house to manage security projects, and some aren’t even aware of their vulnerabilities until it’s too late. Qualifying businesses are taking note and looking to outsource their security burdens to vendors to ease the pain.
So what is an MSSP and what can they do for me? In short, an MSSP is a contracted vendor that provides security services for the technology a business relies on. MSSP services include, but are not limited to, owning the security of the network all the way down to individual endpoints. They are often used as consultants for meeting business compliance standards where technology is the critical resource for transmitting data, finances, and business services.
If you find yourself in need of a Managed Security Service Provider for your business, follow these 5 action items for engagement:
1. Self-assess to discover weaknesses. The idea here is to understand and establish your business risk tolerance. Best practice would be to use already established frameworks like PCI, ISO, NIST, etc. as a guide. This can prove to be more efficient, and just as effective, as trying to tackle every legal and/or regional regulation on your own. Once you’ve uncovered security gaps, it’s important to prioritize their impact on the business. How will this security gap, or ‘risk’, affect the business should it be compromised? Understanding your business risk makes it easier to rank each gap, and that ranking determines your ‘business risk tolerance’. Rank your discovered gaps and prioritize the tasks necessary to close each one. This very important first step provides the means to establish a roadmap and helps advance the next steps.
TIP: Some gaps can be assessed internally. In-house talent and resource constraints should be considered for all discovered gaps during this step.
2. Identify selection criteria for a Managed Security Service Provider. Once you have a better understanding of your business needs from performing the discovery step mentioned above, you’ll be primed to articulate the services you need. Knowing what you need going into the engagement with an MSSP will be extremely beneficial. Ask the MSSP how they will deliver those services. Putting the ‘what’ and the ‘how’ on the table is paramount to establishing a good working relationship. It is critical to define SLAs and incident response timelines in a statement of work to set clear expectations between the two business entities.
TIP: Develop a RACI matrix (responsible, accountable, consulted, informed) with the MSSP to put roles on record; it will help with the following steps.
3. Project manage the onboarding process with your MSSP. Establish timelines and stick as close to them as you can. When you aggressively manage this process, it is possible to realize ROI on security dollars quicker than on other business investments. Establish an NDA with the MSSP to cut through legal ambiguity and expedite the process. It is in the best interest of both the business and the MSSP to lay everything on the table so that business risks can be addressed openly and honestly. Allow realistic timeframes to establish monitoring practices and metrics that bring value. Effort made up front can reap great rewards down the line.
TIP: Understanding the maturity level of tools used by the MSSP to perform services will help further refine the management of the project to achieve success for meeting deadlines.
4. Establish clear lines of communication and commit to continuous improvement. We mentioned getting an NDA in place above. Clear lines of communication go hand in hand with your NDA, and an open door policy between teams, the MSSP and the internal business, will aid collaboration and resolution efforts. A seamless integration of tools, including workflows, processes, testing, and incident response, will help both teams maintain the RACI matrix mentioned in the tip under step 2. Continuous improvement can be achieved by establishing a cadence of meetups with your MSSP so they understand changes to the business that they need to be actively aware of.
TIP: Questions asked during continuous improvement meetups should be along the lines of: Are we still meeting the requirements of the business? Are there any industry or regulatory changes that may affect the current services?
5. Plan B — Always have an out with your MSSP vendor. In this clause address items like data retention and requirements especially if the business must meet certain compliance measures. Also, should things go sour with the MSSP, ensure the business has a plan to recover data if necessary.
TIP: Get a termination clause built into your contract.