6 Questions to Ask Before You Hire a Managed Security Services Provider

Gartner forecasts that information security spending will reach $187 billion in 2023, an increase of 11.1% from 2022. In tandem with this spending, the analyst firm also

predicts that by 2025, a single centralized cybersecurity function will not be agile enough to meet the needs of a digital organization.

It comes as no surprise, then, that organizations are looking to managed security services providers (MSSP) to either augment in-house security teams or provide risk-management services.

“Many organizations don’t have the resources to build out a security operations center (SOC),” says Scott Barlow, vice president of global MSP and cloud alliances at Sophos. “Meanwhile, security is moving at a rapid rate, and it’s tough to do it yourself. With internal IT staff focused on internal needs, companies really need to think about 24-7 security and threat hunting across their network. That’s why we see a lot of co-managed IT and outsourcing tickets going to MSSPs these days.”

An MSSP may be the answer, but businesses should take the time to do their homework before signing on. Here are six essential questions to ask when seeking assistance.

1 – What types of certifications do your staff have?

“There are a lot of certifications out there,” Barlow says. “From CompTIA to (ISC)2, there are many ways security professionals stay up to date on skills and the latest threats. But it is essential that they are up to date on certifications because the industry is constantly evolving.”

It’s important to start by understanding your staff’s full suite of certifications, then determine what’s needed to fill any gaps, Barlow says.

2 – How do you secure on premise and public cloud assets?

Many organizations have assets in the public cloud in addition to on-prem. It is important to determine how your MSSP can secure both. “Public cloud does not mean Microsoft 365,” Barlow says. “It means that if you have workloads in Azure or Google Cloud Platform (GCP), can they confidently assure you that they can secure those assets and data? Ask how.”

3 – Can you support all my needs?

Identifying your internal IT and security needs is paramount. For instance, is mobile security important? How about server protection? Email security? Making sure an MSSP can address all your IT and security needs is critical to the mutual success of an engagement, says Barlow.  “You want to get into specifics and learn how the provider can secure your varied IT needs.”

4 – How do you handle security awareness training?

Awareness training, which teaches your employees about the role they play in helping to stop attacks and breaches, should be table stakes for an MSSP, Barlow says. Ask what kind of services your potential provider offers and how they make that training engaging and memorable.

5 – Do any of your tools pose a risk for our cyberinsurance coverage?

Customers should ask what tools an MSSP uses to manage their environment, specifically with cyberinsurance coverage in mind. “It is important to know those details and ensure you qualify for cyberinsurance if you are the victim of an attack or breach,” Barlow says.

6 – Are you financially sound and can you provide references?

Finding the right MSSP may require some investigating and interviewing, but don’t be shy about asking difficult questions.

“You want to do your due diligence to ensure the MSSP has the tools and services you need but is also solvent. If not, you might find yourself with a bunch of tools that don’t work,” Barlow says.

Click here to learn more.