Almost daily, we’re reminded of the IT skills shortage that has led to the rise of numerous managed service providers. While there are plenty of initiatives encouraging young people to build careers in IT, it’ll take time for these initiatives to provide a meaningful return. In the meantime, organizations will continue to turn to managed security service providers (MSSPs) and managed security operations center (SOC) providers to bridge the gap.
How to Choose the Right Managed Security Services Vendor
As demand grows for MSSPs, so does the number of vendors looking to take advantage of a growing market opportunity. There are so many, in fact, that businesses frequently struggle to find the right vendor for precisely what they need.
Sure, you could make this decision by sending out a request for information (RFI) or request for proposal (RFP) and selecting the cheapest option or the best overall value on paper. More and more, I see this tactic replacing the effort and time it takes to select the right resource for both products and services. But the real problem with the RFI/RFP approach is that your selection can end up based on superior marketing rather than on the specific capabilities your organization requires to meet its use cases and goals.
Of course, you can look at lists of top vendors compiled by third-party analyst firms, but not every top vendor will work for every company. Instead, base your decision not on cost, but on a vendor’s ability to understand your business and to provide a partnership that aligns with your business goals. Third-party resources, alongside testimonials about a vendor’s work, can then serve as a supplement to help you check that alignment.
How to Assess Your Return on Investment
The real challenge is whether your organization is able to assess the value of such a significant investment. That brings us right back to the selection process. If you consider the following points before you contract with an MSSP, you’ll have a way to evaluate your return on investment (ROI):
- Set clear objectives. Have high-level discussions, but be sure to provide real-life use cases to ensure that your goals are specific.
- Is the managed security service provider a generalist? Does it have experience managing the specific security solutions your organization has deployed? If you ignore this, you may end up facing a forklift upgrade because your vendor lacks experience managing a particular tool. Consider whether it is acceptable to pay a vendor to train its staff on the tools you deploy.
- Is the MSSP a glorified report generation service or a real managed SOC?
- Clearly define vendor and employee roles and responsibilities. Establish who owns what, what level of access the vendor gets to your systems and within what parameters it is allowed to remediate.
- Build and validate a transition plan from the current paradigm that will ensure a successful deployment. A bad start tends to linger and become the norm.
- Don’t agree to a vague service-level agreement (SLA) or one that a vendor describes as its standard agreement. If you can’t see how the SLA gives you checks and balances that guarantee value and compensation when the vendor falls short, don’t sign it.
- Understand your options to exit the agreement. Nobody wants to spend a lot of time discussing penalties or collecting rebates.
- When you talk to a reference account, find out if the vendor provides actionable information or just some indicators, leaving the organization to perform the actual research itself to find a resolution.
It’s important to remember that if the price is too good to be true, like all things in life, it probably is. As long as you engage your managed service providers as strategic partners and know exactly which services and solutions you’re looking for, you’ll get what you inspect, not what you expect.
QRadar Swat Team, IBM Security