Managed service providers (MSPs), sometimes called managed security services (MSS) or MSSP, play a very important role in protecting data and other digital assets and will continue to do so. Some of the benefits include, but are not limited to:

• Mostly predictable costs, including less burden on capital expenditure, and pay-as-you-go models
• Dedicated and informed subject matter experts, especially for compliance requirements and staff augmentation during a response
• Access to advanced technology and scalable solutions with reduced investment
• Improved downtime response and restoration
• Around-the-clock coverage, depending on what level of investment you are willing to make. 

All great stuff to improve your cybersecurity posture and minimize risk. But, like all good things, somewhere there is a cost that needs to be absorbed. That’s where an old business axiom comes in handy: good, fast, cheap – pick any two. Remember this saying as you decide which MSP to use. 

Take a look at some of the larger factors.

Read the Contract, Then Re-Read It

Do not be fooled; using an MSP to manage your security or recovery needs does not absolve you from carrying out certain tasks. You may be hearing more of the phrase ‘shared responsibility’ lately. It matters. Service providers can only take you so far. If you do not carry out specific tasks, you may find yourself on an island wondering what to do after an attack.

One of the simplest examples of shared responsibility comes from cloud service providers (CSPs) and disaster recovery practices. While not an MSP is the truest sense, the example is relevant. Simply being in the cloud does not always give you improved breach readiness. There are steps you need to take, such as configurations, paying for more services and regular upkeep. CSPs are amazing at recovering their services, but that does not mean an automatic recovery of your applications and data.

You may be thinking you are getting something on the cheap, but really, the piper comes for payment during disruption. Blind trust may result in a dark place. CISA gives a quick primer on what responsibilities could fall to the MSP and which to the customer.

What Place In Line Do You Have?

For those of us old enough to remember lining up to get a good seat at a movie theater – four hours for “Batman” in 1989 is my personal best – you are acutely aware of how times have changed. Those were the days of general admission (or first come, first serve). Today, you can buy your tickets online and, often for a premium, pick your exact seats, avoiding the lines. Your MSP may work the same way.

MSPs have multiple customers. It’s no surprise those who pay the premium will probably get better services. This problem may not be as great during an attack limited to just your environment. Rather, the problem comes when there is a widespread attack. The SolarWinds example is a case study of attackers targeting service providers and resellers.  

Who is fixing your house as the service provider is busy fixing theirs?

You need to have a good sense of your risk posture, something achieved through assessments, impact analyses and finding your recovery time and point objectives. If your recovery point objective and recovery time objective are say, four hours, but your service provider can only guarantee you eight hours during a large-scale attack, you may need to adjust your processes and expectations, start shopping or get ready to pay a premium.

An Impressive Target to Attack

Since an attacker is not bound by the rules of a decent society, don’t underestimate their creativity. Look at the cases of SolarWinds, Kaseya and, to some extent, Log4j as watershed moments. These incidents widely exposed the vulnerabilities of the supply chain. MSPs are just another piece of that same supply chain. If an actor feels the best vector to you is through an MSP, that’s the route they will take. 

The Laundry List of Questions 

The first thing a prospective customer should know about picking an MSP is that there is no right way. Rather, there is only the best answer for you and your organization. Therefore, to help you determine which is best, here is a list of questions you should ask before you decide. In no particular order:

• What are my responsibilities?
• What can the MSP guarantee? Any information or audits that can show past performance results?
• What are the service-level agreements?
• Where does the MSP store data or perform services? Could be an issue if you have jurisdictional requirements.
• Are my recovery requirements met in a worst-case scenario? Avoid ‘best case’ scenario planning, as you only get a skewed picture of response and recovery.
• Have I performed a financial analysis? Overpaying for services could mean a drawdown on resources for a more exposed area. Plan accordingly.
• What do the lawyers think of the contract? Any language in there that causes consternation, such as a force majeure, which could leave you stuck?
• What are my backup plans if this MSP cannot continue offering services or they go out of business?
• Am I vendor-locking myself by using this MSP?
• What levels of access would I need to give the MSP? Do they really need them? Do I create a new set of risks as I try to mitigate this one?
• Is a threat actor likely to target the MSP and if they are attacked, how does that impact me?
• What prioritization do I get, if any?

Remember, you inherit the risks of your service provider, which is why there are no clear answers. We have said it multiple times and it is worth repeating: your decisions always come down to your risk tolerance. Choose your dance partner wisely.