Read to learn how to choose a quality MSSP, budget for the costs, and create a fair MSSP contract.
This post contains the text from the White Paper: How to Choose the Right MSSP for Your Small to Medium Business. Download the PDF below.
Not every business owner has the workforce to both find and resolve vulnerabilities and threats. Many small and medium-sized business owners turn to managed security service providers (MSSPs) to help with their business’s threat prevention, continued IT processes, and quick recovery in the likelihood of an incident.
An MSSP can offer a variety of outsourced cybersecurity services from a security operations center (SOC) on a high-availability or 24/7 basis. Additionally, managed services can be a cost-effective asset for a business if you budget and negotiate effectively. You want an MSSP that can tailor their services to your specific needs, budget, and environment. A managed security partner should give you peace of mind that your business will have continuity and resiliency.
The initial MSSP consultation process is vital but can be overwhelming and difficult to navigate. Even after implementation, organizations often don’t fully leverage their MSSP relationships.
This whitepaper aims to give small and medium-sized business owners the confidence to weigh the pros and cons of a managed security partnership, choose a quality MSSP, budget for the costs, and create a fair MSSP contract.
Using the questions posed in this white paper, you will be able to determine your security needs and goals to decide which MSSP is a good fit for your business.
Developing an understanding of the threat landscape, threat actor types, and motives is a massive undertaking while managing a small business. However, having a high-level knowledge of the cyber threats facing your organization can help you make good cybersecurity choices.
Business owners are struggling to balance their security needs and limited budgets. This often results in foregoing essential cybersecurity protections. The decrease in cybersecurity budgets combined with the increase in threat actor attacks has led to a dramatic change in the current threat landscape.
Many businesses have transitioned to remote work, but SMBs are typically less prepared to adapt to new technologies required for remote work. Threat actors are taking advantage of the vulnerabilities inherent to remote work, reduced workforce, and heightened stress levels in organizations.
Threat actors will take advantage of businesses of all scopes and sizes. If you have an Internet presence, even a small one, threat actors can exploit your network.
Threat actor categories include:
Threat actor motives will vary from crime to crime. These motives include:
Threat actors can use many techniques, tools, tactics, or procedures (TTPs) to take advantage of a business through advanced persistent threats (APTs).
Developing an understanding of the threat landscape, threat actor types, and motives is a massive undertaking while managing a small business. Most IT professionals won’t have the resources or time to solve your technical problems as well as study the current threat landscape.
You often will need to work with a cybersecurity expert who can dedicate the time to decipher what is happening in your environment. For example, if a threat actor enters your domain, a cybersecurity expert can create a strategic plan to remediate your vulnerabilities and get you safely back online quickly.
A cybersecurity expert can give you the correct information and data points you need to get your projects approved, budgets signed off, and support for taking actionable steps.
While engaging an MSSP should never be a fear-based decision, understanding some common critical threats and vulnerabilities can form the basis for your cybersecurity decisions.
Your staff and peers are often your first firewall against a threat.
Employees should have a clear understanding of social engineering, phishing emails, insider threats, and technical threats.
“There is a tremendous sense of urgency for businesses of any size to implement plans and solutions that address this changing threat landscape and a wide variety of threat actors.”
~ Matthew Heffelfinger, Director of SM SIEM Operations
Due to many businesses working remotely, an unprecedented level of technical vulnerabilities have been exposed. Remote worker systems often don’t have the same level of protection that an organization’s network would have. Continual cyber hygiene can offer remote workers additional protection, mitigating this risk.
Cyber hygiene is a set of procedures used to maintain security controls and system health. If it isn’t managed centrally using automated tools, cyber hygiene can be difficult to ensure. Some of these procedures might include:
Cyber hygiene prevents vulnerabilities from being exploited by threats. Having the correct cyber partner can help you maintain cyber hygiene and lower your environment’s risk.
Selecting a qualified, good-fit MSSP is a challenge. Just like a doctor may specialize in a type of medicine or a lawyer in a kind of law, there are many cybersecurity spheres. Cybersecurity professionals tend to specialize in several specific areas of focus. Many business owners may be tempted to partner with the lowest cost MSSP but could find in the future they are not getting their money’s worth or they are not a great match. This list is not exhaustive, nor will you likely ask every single question below. Reading over these example questions should give you an idea of what things you want to discuss with a potential MSSP, while also helping you further realize your business’s top needs and concerns.
Having a clear understanding of the specific services and programs an MSSP offers is essential. Consider what area of security they specialize in or if they try to do it all. Finding an MSSP that specializes in your specific area of business is critical to a successful partnership.
It’s better to have someone with real expertise in the areas that most affect you than a cybersecurity professional trying to do everything.
At first glance, this question may seem trivial. However, it’s vital to check an MSSP’s location to determine if they will be a good match for you. Look at their hours of operation, geographic time zones, staffing levels during non-business hours, and future plans. Can they support your business 24/7, 365 days a year? Can they handle the footprint of your current business needs?
Investigating a managed security partner includes looking at their entire operation from top to bottom. Businesses sometimes only make time to meet with the MSSP sales team. However, it is crucial to reach out and talk with staff beyond sales, including executives. Take the time to examine the quality of the consultants and security staff by considering the following questions:
You may want to explore the accreditations, certifications, and education of the MSSP organization. A great MSSP will gladly share this information with you while introducing you to their top staff.
You want an MSSP who works with businesses similar to your business in size, scope, and scale. You might ask, “can I speak with some of your past or current clients?”
An MSSP’s list of clients can be presorted to display the most complimentary, so be sure to perform your due diligence. When you review their examples, look to see if they resolve issues that are similar to yours. If the potential MSSP cannot provide examples highlighting their experience solving your industry's problems, they are not a good fit for your business.
It is crucial to know that this MSSP truly understands your business and will assist you with industry best practices.
As you grow and evolve, your MSSP should make new/expanded services simple, convenient, and affordable. These services can include new firewalls, endpoints, locations, and accounts. Services should be able to accommodate increased data usage while maintaining the confidentiality, integrity, and availability of your data.
Many MSSPs will claim to quickly scale their operations in size if your business requires it. However, this is often not the case.
You can better understand the validity of this kind of statement by asking to look at a sample of their clients so you can evaluate the sizes of organizations they currently service. If you see a mix of small to medium-sized businesses, including some Fortune 100 to 500 companies, you know they can scale to size.
The reality is that threats and vulnerabilities will keep changing. This requires IT and security professionals to spend time, energy, and labor hours to keep up, which could potentially mean your expenses will go up.
It’s essential to decide before committing what your budget is and work with an MSSP within that budget.
The cost of a data breach is often very steep, especially for small businesses. When compared with this cost, an MSSP is often worth the money and peace of mind.
Reputable MSSPs understand organizations will change as new technology emerges and adapt accordingly. The right MSSP will offer affordable plans to keep you up to date, while also educating themselves on current TTPs.
If you request the MSSP to explain the technology they want to install, you can then match it against recommendations from industry expert guides such as Gartner.
Observing an MSSP’s cybersecurity and physical security is an excellent way to obtain insight into their ability. If their own company is not secure, how can they help you be safe?
Consider this list of questions to get an idea of your MSSP’s security:
While you may not know all the cybersecurity technical jargon, there are ways to ask targeted questions regarding the physical and digital security of their operations, such as:
By researching and understanding your MSSP's personal security, you will gain an understanding of what they can do for your business.
Understanding their team structure can give you insight into their priorities. To do this, ask yourself the questions like:
Remember, choosing an MSSP means believing in their work and trusting them with your business.
Setting expectations with your MSSP is necessary for a trusting partnership. If you expect your MSSP to fix all your cybersecurity problems within the first 90 days, you will be disappointed. A good MSSP is honest with you, letting you know that cyber threats change rapidly. You may have a vulnerability one day that is entirely different later.
You’ll be able to discern an MSSP’s real intention by observing how much they listen to your problems. MSSPs who make assumptions about your environment without a full picture aren’t committed to helping your business strategy.
The worst MSSPs will offer an “all or nothing” model. Your small/medium-sized business might need something in-between. If you have some IT resources, then having an MSSP is a perfect addition to your IT arsenal. MSSPs that want to be your partner but don’t want to replace your IT staff are likely the better choice.
Not all MSSP help desks or support agents are created equal. Investigate the location of the MSSP’s support desk. Consider if the area is prone to natural disasters, such as earthquakes, hurricanes, snow, power outages. Inquire about their operating hours and remote worker coverage for holidays, including state-specific holidays.
Your MSSP likely can’t solve every cybersecurity problem. Some degree of outsourcing makes good business sense for you and your MSSP. Your job is to know who has your sensitive data if (and likely when) services are outsourced.
This information should be in your contract, with a clause stating that you will receive a notification when your MSSP uses a third party.
When researching MSSPs, your network and infrastructure will need to be scanned to find vulnerabilities, threats, and to ensure accuracy. This critical step is called the “discovery process.”
Studying your network provides an MSSP with relevant information. If the MSSP doesn’t take the time to do an accurate scan, they are not a good match for your business. Observe if the MSSP offers to scan your network based on your list of inventoried assets or if they only take your word on what you might have. If they suggest the latter, they are not interested in doing a quality scan for your business.
They should respect their other client’s privacy by not sharing specificities. However, they should seem thrilled to describe past hurdles, roadblocks, and other challenges. You want an MSSP who genuinely loves solving cybersecurity problems and who will bring that enthusiasm to your business.
Discover their differentiating factor and what makes them unique or better. This question should be another insight into their passion and energy for stopping threats. You should feel that they care about security, confidentiality, and integrity more than any other MSSP.
With so many MSSP options, how do you finalize your pick and choose objectively? If you are new to the world of cybersecurity, then selecting an MSSP can be challenging.
When deciding on which MSSP to use, your top priority should be to find an MSSP who is both budget-friendly and provides value for your money. You can do this by creating a comparison chart with your top 2-3 MSSPs side by side, then build a diagram showing everything of value in your business. Once you’ve completed this, have several people within your business (especially those impacted by an MSSP) rank and score the MSSPs. If you use weighted averages, you could also place a higher value on specific MSSP services.
By comparing 2-3 MSSPs in a chart with both rank and score, you can take some of the personal bias out of the decision-making process. Managed security partners are not cheap, and you want to get your money’s worth. The hard work you put into your MSSP decision process will result in a much better partnership.
Ultimately, finding an MSSP partner who has the right expertise for your business can help you identify your vulnerabilities and mitigate quickly.
When you sit down with MSSPs and learn what cybersecurity services they offer, you begin to get a better picture of your infrastructure, which can help drive your decision process. Your MSSP should try to mature your cybersecurity posture and add value to your business. Essentially, a great MSSP will try to build a positive relationship with everyone on your team while also securing your growing business.
MSSPs should not be seen as a hindrance to your operation but as a valued partner who has the security skills and experience to benefit your business. As you move on to the next stage of budgeting and contracts, don’t forget that you have more leverage than you realize.
The process of establishing pricing, a contract, and budgeting for an MSSP can be complicated. Contracts and long term deals often include difficult to understand legal language. This section covers items such as quality of service you expect to receive, data ownership terms, budget constraints, help desk coverage, reporting, meeting schedules, admin portals, and contractual (legalese) language.
Align your IT budget and leave wiggle room for service add-ons for future growth. Realize that whatever number is given to you by an MSSP is just a starting point. This process includes finalizing which services you need, based on investment and overall value.
Ask yourself these questions to create your budget:
MSSPs should be willing to work within your budget. Great MSSPs will provide customizable pricing, with tailored solutions, specific to your business needs. They should not try to upsell or charge you for services you don’t need. They should be motivated to get you the essential coverage to protect your business. Your chosen MSSP should show a willingness to offer multiple budget options, demonstrating both their flexibility and investment in your business.
MSSP pricing, packages, and set up fees can vary widely. The customization and pricing of packages can seem endless. If an MSSP’s pricing structure is purposefully so complex to prevent you from understanding it, be wary. Work with an MSSP who will take the time to explain pricing models to you.
Consider asking your MSSP these questions to establish a price agreement:
These types of fees can add up quickly. Perform your due diligence before agreeing to a pricing model.
It is common for MSSPs to charge an exorbitant markup fee on software/hardware. Clarify what this markup fee will be and notice if they are evasive. A great MSSP won’t charge you a markup for software.
Be aware of any potential hidden fees and expenses that could make your monthly bill skyrocket. Weigh the pros and cons if such fees exist.
For example, if you are paying a monthly fee to manage your business's security, why would you pay more to fix something covered in your monthly contract? If a device or collector needs replacement, who covers the cost of shipping and return? Is there a labor charge in the event you want someone from your MSSP to visit your facility and perform work?
Contractual considerations include quality of service you expect to receive, data ownership terms, help desk coverage, reporting, meeting schedules, admin portals, and contractual language.
The service level agreement (SLA) is an agreement between you and the MSSP. SLAs should be based on response times, guaranteeing your business a certain level of quality service and uptime, depending on the type of service you purchase.
Clarify in writing the level of service your business will receive. Record direct measurements and agreements for your company. For example, you should discuss the meantime to respond associate and meantime for remediation.
Defining your potential MSSP’s scope of work and services in detail is a critical step towards setting SLA expectations. If the MSSP won’t provide you with the scope of work and included services before signing your SLA, do not work with them. The scope of work should clearly state in your SLA the MSSP’s responsibilities.
Ensure that items quoted are in the statement of work clause. This strategy reaffirms to your MSSP that you are in control of the contract, with the ultimate decision to sign off or not.
Set expectations for your initial onboarding experience in writing. If an MSSP's onboarding is sloppy, your future experience will likely reflect this. Contractually, you want to know what to expect during the first 90 days of onboarding. Ask yourself and your MSSP these questions to get a better idea of onboarding:
Be sure that your MSSP contract contains a clause that allows you to leave in the first 90 days.
If onboarding doesn’t go smoothly and expectations are not met, you will need the option to move quickly before investing a lot of time and money.
You likely expect your MSSP to respect your environment and data availability, however, maintenance and updates will impact productivity. You’ll need to anticipate any downtime your business may have. It would be best if you defined this concern directly in your contract. Your contract could state the type of alertness or attentiveness you will receive from your MSSP.
You don’t want to find yourself in a situation where your network's availability is down because of your MSSP. Verify and confirm that your MSSP will always be available for contact with these kinds of concerns.
This is a relatively new topic that many businesses fail to address. Your business data is paramount and knowing what is happening with it is critical during your contract's life. Ask a potential MSSP questions like:
Remember that your data is the most valuable asset you have and protect it wisely.
Sometimes, a small/medium-sized business owner is in such a rush to sign the contract that they forget to give themselves a way out of a contract if they dislike the service.
Many MSSPS offer terms such as a one year to a three-year contract. The standard industry practice is that you will pay more for a one year contract during the “testing” phase. Smart business owners negotiate a “cause for termination” clause when signing a one year contract. However, you do receive better value, with more leverage, with a three-year contract.
No matter which term you choose, be sure to set a calendar appointment six months before your contract ends, since most MSSPs have auto-renewal plans established. If you like or dislike your MSSP, you can either begin bargaining for a better renewal rate or shop for a new MSSP.
You’ve established what your onboarding process will be like, but offboarding is equally essential. It is common not to think about the end of the SLA or contract until it is too late.
While your MSSP relationship is good, start the plan for your offboarding process. You want a solid offboarding plan that ensures continued security if you’re switching providers. A great MSSP will have a written offboarding process that ensures your business is not hindered or harmed.
A successful MSSP implementation depends on several factors. One key to successful onboarding is realizing that almost all MSSPs will need to install some software or hardware.
Onboarding comes with its own set of challenges based on your environment, infrastructure, daily business challenges, and staffing availability. Avoid your implementation dragging on with no sense of urgency. Both you and your MSSP need to make a quick implementation a priority. Set an expectation that within 60-90 days, every device, collector, or endpoint will be installed and operational.
Planning for the upcoming 90 days is essential for anticipating what your experience will entail. Find out if there is a waiting period or if you and your team can begin working with your MSSP the moment your contract is signed. Some MSSPs require a lead time to ensure they have all the right staff in place and project management for a successful implementation.
Great MSSPs will have an appointed project manager or dedicated customer service representative for your implementation questions and needs. If such a staff member exists, they will present customizable implementation options so you can choose what works best for your industry and business.
If the MSSP has past success onboarding clients in similar industries, this is a good indicator of how successful your implementation process will be. However, their success doesn’t always guarantee success for your unique infrastructure. Ensuring your business stays open and operational during onboarding should be everyone’s focus.
Great MSSPs will have written playbooks that combine their project management experience. A playbook can help minimize your potential fears during this process. If they don’t have a written playbook, your MSSP should provide you with a written roadmap illustrating the procedures during implementation.
The implementation process can be tricky. However, it is also an opportunity to get better acquainted with the entire MSSP team, not just the project manager or customer service representative. Your MSSP should communicate each step of the process, including what to expect before, during, and after implementation.
Your expectations are probably going to be different from your MSSP’s capabilities. Due to time constraints, your MSSP likely won’t fix every security issue you encounter. If you took the time to research extensively and ask questions before committing to an MSSP, you can feel better about managing your expectations.
Your MSSP’s focus will be to find security issues and give them to your IT staff to solve.
A successful MSSP relationship begins with you and your team. Work to build an IT staff who have the capability and knowledge to fix vulnerabilities as your MSSP discovers them. Your MSSP partnership is like any other professional relationship: communicate regularly with your MSSP, establish expectations before signing a contract, and do your part to fix vulnerabilities.
A great MSSP will want to be your partner and will help build your professional relationship. They will go above and beyond to find your threats, vulnerabilities, and risks in your environment. They will present information to you in a way that motivates you to resolve concerns with a sense of urgency. Your MSSP should be candid and open about their findings, helping your team perceive them as a coach, mentor, friend, and business partner.
Utilize your MSSP’s expertise to upskill and train your staff.
The first step for this type of MSSP utilization is to assign either one person or multiple people to work directly with an MSSP. Determine how you will work with them, including specifying communication type (e.g., email, phone calls, meetings). See if your MSSP offers any cybersecurity training. If so, require all of your staff to complete it.
Finally, find solutions for expediting your security response. Quickly responding to discovered vulnerabilities will better ensure your security and allow your IT staff to become better acquainted with remediation. Communicate with your MSSP if you have remediation questions and concerns.
As your MSSP finds vulnerabilities, and you respond quickly, trust in your relationship will grow stronger.
The cost of an MSSP should be reasonable and attainable. Picking and choosing specific services can help you keep your budget and avoid paying for unnecessary products.
Selecting and working with an MSSP can be overwhelming as a small or medium-sized business owner when almost infinite customization options exist. After reviewing this white paper, you should feel secure in your ability to weigh the pros and cons of a managed security partnership, choose a quality MSSP, budget for the costs, and create a fair MSSP contract. Partnering with an MSSP should give you the motivation to secure your small or medium business.
Remember, act quickly when you receive reports from your MSSP, communicate frequently, and hold regular cybersecurity training all of your employees.
SecurityMetrics offers many services that fit under a managed security umbrella, giving you total customization.
Identify your concerns and the products that fit, by considering these questions:
SecurityMetrics Pulse is the tool that feeds data into the SecurityMetrics Security Operation Center (called Threat Intelligence Center). Pulse discovers vulnerabilities, helping you understand what threats exist in your network to act accordingly. Pulse also provides easy visualization into the unseen areas of your extended network security by spanning across various locations in your organization. Once your vulnerabilities have been identified, Pulse provides a summary prioritizing your most critical vulnerabilities.
SecurityMetrics Vulnerability Scanning identifies your top weaknesses, ranks your risk, and organizes them into categories. These categories include misconfigured firewalls, malware hazards, and remote access vulnerabilities.
Webpage Integrity Monitoring (WIM) technology inspects and monitors your shopping cart to determine threats. SecurityMetrics’ Webpage Integrity Monitoring is a patented technology capable of finding and mitigating malicious code on your website. Identifying malicious code is especially crucial on payment pages where consumers enter their payment card information. If WIM locates malicious code on your website, it will send an alert to your staff. Ultimately, WIM works to ensure your site’s purchase page remains secure.
The goal of SecurityMetrics Managed Security is to be the right partner for you. Our cybersecurity experts strive to give you the best information and insight possible while providing you the customer service you expect.
Customize your managed security to cover your small business's specific needs. Learn which SecurityMetrics products can protect your small business.
We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify best security practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, Certified Forensic Investigator, we have tested over 1 million systems for security.
.svg)
