Almost daily, we're reminded of the IT skills shortage that has driven the rise of managed service providers. There are plenty of initiatives encouraging young people to build careers in IT, but it will take years for them to produce a meaningful pipeline of experienced staff. In the meantime, organizations will continue to turn to managed security service providers (MSSPs) and managed security operations center (SOC) providers to bridge the gap.

How to Choose the Right Managed Security Services Vendor

As demand for MSSPs grows, so does the number of vendors looking to take advantage of the market opportunity. There are so many, in fact, that businesses frequently struggle to find the vendor that fits precisely what they need.

Sure, you could make this decision by sending out a request for information (RFI) or request for proposal (RFP) and selecting the cheapest option or the best overall value on paper. More and more, I see this tactic replacing the effort and time it takes to select the right resource, for both products and services. The real problem with an RFI/RFP-only approach is that your selection ends up rewarding superior marketing rather than the specific capabilities your organization needs for its own use cases and goals.

Of course, you can consult lists of top vendors compiled by third-party analyst firms, but no vendor is the right fit for every company. Base your decision not on cost but on a vendor's ability to understand your business and provide a partnership that aligns with your business goals. Third-party rankings, along with reference customers and testimonials about a vendor's work, are a supplement for checking that alignment, not a substitute for it.

How to Assess Your Return on Investment

The real challenge is whether your organization can measure the value of such a significant investment, and that brings us right back to the selection process. If you settle the following points before you contract with an MSSP, you will have a baseline against which to evaluate your return on investment (ROI):

  • Set clear objectives. Have the high-level discussions, but back them with real-life use cases (the incidents and alert types you actually face) so that your goals are specific and measurable.
  • Is the managed security service provider a generalist? Does it have experience managing the specific security solutions your organization has deployed? If you ignore this, you may be facing a forklift upgrade when the vendor turns out to lack experience with one of your tools. Decide up front whether it is acceptable to pay a vendor to train its staff on the tools you have already deployed.
  • Is the MSSP a glorified report generation service or a real managed SOC? A real SOC triages, investigates and escalates with a recommended action; a report service forwards alerts and leaves the investigation to you.
  • Clearly define vendor and employee roles and responsibilities. Establish who owns what, what level of access the vendor gets to your environment (no more than its responsibilities require), and the boundaries on the remediation actions it may take without your approval.
  • Build and validate a transition plan from the current paradigm that will ensure a successful deployment. A bad start tends to linger and become the norm.
  • Don't agree to a vague service-level agreement (SLA), or to one the vendor describes as its standard agreement. If you can't see how the SLA gives you checks and balances to verify the value you are getting, and remedies when the vendor falls short, don't sign it.
  • Understand your options to exit the agreement before you sign. Nobody wants to spend a lot of time afterward arguing over penalties or collecting rebates.
  • When you talk to a reference account, find out whether the vendor provides actionable information or just raw indicators, leaving the organization to do the actual research itself to reach a resolution.

It's important to remember that if the price is too good to be true, then, like all things in life, it probably is. As long as you engage your managed service providers as strategic partners and know exactly which services and solutions you're looking for, you'll get what you inspect, not what you expect.
