Almost daily, we’re reminded of the IT skills shortage that has led to the rise of numerous managed service providers. While there are plenty of initiatives encouraging young people to build careers in IT, it’ll take time for these initiatives to provide a meaningful return. In the meantime, organizations will continue to turn to managed security service providers (MSSPs) and managed security operations center (SOC) providers to bridge the gap.

How to Choose the Right Managed Security Services Vendor

As demand grows for MSSPs, so do the number of vendors in the space looking to take advantage of a growing market opportunity. There are so many, in fact, that businesses frequently struggle to find the right vendor for precisely what they need.

Sure, you could make this decision by sending out a request for information (RFI) or request for proposal (RFP) and selecting the cheapest option or the best overall value on paper. More and more, I see this tactic replacing the effort and time it takes to select the right resource for both products and services. But the real problem with RFP-RFI is that your selection could be based on superior marketing rather than the specific capabilities your organization requires to streamline its use cases and goals.

Of course, you can look at lists of top vendors compiled by third-party analyst firms, but not all top vendors will work for every company across the board. Instead, you should make your decision based not on cost, but on a vendor’s ability to understand your business and provide a partnership that aligns with your business goals. The third-party resources can act as a supplement to help you check on this alignment, alongside testimonials about a vendor’s work.

How to Assess Your Return on Investment

The real challenge is whether or not your organization possesses the ability to assess the value of such a significant investment. That brings us right back to the selection process. If you consider the following points before you contract with an MSSP, you’ll have a way to evaluate your return on investment (ROI):

  • Set clear objectives. Have high-level discussions, but be sure to provide real-life use cases to ensure that your goals are specific.
  • Is the managed security service provider a generalist? Does it have experience managing the specific security solutions your organization has deployed? If you ignore this, you might need to prepare for a forklift upgrade when your vendor lacks experience in managing a specific tool. Consider whether it is acceptable to pay a vendor to train its staff to use the tools you deploy.
  • Is the MSSP a glorified report generation service or a real managed SOC?
  • Clearly define vendor and employee roles and responsibilities. Establish who owns what and determine the level of access or parameters on remediation.
  • Build and validate a transition plan from the current paradigm that will ensure a successful deployment. A bad start tends to linger and become the norm.
  • Don’t agree to a vague service-level agreement (SLA) or one that a vendor describes as its standard agreement. If you can’t figure out how the SLA allows you to have checks and balances to guarantee value and indemnify you when it doesn’t, don’t sign it.
  • Understand your options to exit the agreement. Nobody wants to spend a lot of time discussing penalties or collecting rebates.
  • When you talk to a reference account, find out if the vendor provides actionable information or just some indicators, leaving the organization to perform the actual research itself to find a resolution.

It’s important to remember that if the price is too good to be true, like all things in life, it probably is. As long as you engage your managed service providers as strategic partners and know exactly which services and solutions you’re looking for, you’ll get what you inspect, not what you expect.

More from Security Services

Secure-by-Design: Which Comes First, Code or Security?

4 min read - For years, developers and IT security teams have been at loggerheads. While developers feel security slows progress, security teams assert that developers sacrifice security priorities in their quest to accelerate production. This disconnect results in flawed software that is vulnerable to attack. While advocates for speed and security clash, consumers must often pay the price when threat actors strike. 48% of developers admitted they were still shipping code with vulnerabilities in 2022. It’s clearly time for a change. Many believe…

4 min read

ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

7 min read

Detecting Insider Threats: Leverage User Behavior Analytics

3 min read - Employees often play an unwitting role in many security incidents, from accidental data breaches to intentional malicious attacks. Unfortunately, most organizations don’t have the right protocols and processes to identify potential risks posed by their workforce. Based on a survey conducted by SANS Institute, 35% of respondents said they lack visibility into insider threats, while 30% said the inability to audit user access is a security blind spot in their organizations. In addition, the 2023 X-Force Threat Intelligence Index reported that…

3 min read

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read