Using an MSSP sounds like a dream. Outsourcing all your cybersecurity requirements and responsibilities to a third party means you no longer have to worry about budgeting, enablement, compliance documentation and audits, or even your risk levels. What’s not to like? There are so many other things your business can focus on instead. That said, how much do you know about your MSSP, and how much do they know about all of the above?
It’s easy to assume that an MSSP that offers security management services is both capable and competent, but this is not always the case. What can you do to protect yourself and your assets and ensure that you are making the right decisions when making this choice? Here are a few things to consider.
Use the resources you have and take the time to assess your MSSP. You may be leading the charge, but someone on your team may understand the technical requirements better. Use them to ascertain the knowledge level of the people you will entrust with your security standards and compliance levels. What qualifications does the team have, and will those same people be the ones working on your incidents and preventative measures? How much ‘hands-on’ experience do they have with this kind of work?
Ensure they understand what sensitive data is: not only what qualifies as sensitive data in general, but also what counts as sensitive data for your business. Don’t just worry about PII data and GDPR. Ensure they understand any unique data security requirements for your organisation. Do you have creative projects that are not yet protected by a patent, for example? Losing that data, or the asset that hosts it, would be a significant if not detrimental loss to your business. As far as data exposure is concerned there is no difference, and fines are being handed out.
Ask for case studies and references. They should be able to give you examples of times they got ahead of a breach, how quickly they responded to an active breach and how they catered for both instances. Do they have an automated response mechanism? Speak to people they have worked with for a long time and a short time. The quality of experience should be the same. Nobody wants to see new customers getting preferential treatment.
Since the pandemic, there has been an increase in cyber attacks. According to figures from the FBI’s Internet Crime Complaint Center (IC3), cyber crimes have increased by 300%. How has your chosen MSSP responded to this? Do they facilitate more skills training, more resources and more equipment? Do they use AI or automation? How do they govern the way those tools interact with your data? Do they carry out practical research, reproducing vulnerabilities in their own labs, or do they rely on white papers and third-party information for this? What parts of their work do they outsource, if any? Do they integrate with any other systems that may make your life even easier? Do they offer an app for your phone so that you are made aware of any breaches or issues as soon as they happen? Do they even have a notification system for this? The answers to these questions should reassure you that they have a good handle on the increased threat landscape you face and are well positioned to protect your organisation.
It’s also a good idea to find out what technology they use so you can understand more about those tools. How do they identify vulnerabilities, and how do they rate the threat level of those vulnerabilities for your business? For example, compare data stolen from a sweet shop’s point of sale with a breached host at a water treatment plant. Both are significant on their own, but which would do more damage if someone tampered with the system?
There are so many things to consider, but it’s worth spending time making sure the relationship is a good fit for your needs. Having the answers to these questions will leave you feeling better prepared and more secure. Like any purchase, going into it without a thorough review is naive and will have negative consequences. Making a clear and informed choice about an MSSP, their capabilities and their integrity, leaves you knowing you can genuinely put your security concerns to the back of your mind and trust your MSSP to take care of them on your behalf. I would, however, recommend that you review and re-ask these questions at least annually. Then you can be free to get on with doing what really matters for your business.