An increasingly popular alternative is hiring a managed security service provider (MSSP). What is it and how can it help keep your business secure?
Small to medium-sized businesses (SMBs) suffer from an increasing number of security breaches. They don’t make the news the way large ones like the recent Equifax breach do, but they are a significant business risk.
The Problem of Recruiting Security Staff
Security is increasingly a significant part of a company’s budget. Large companies spend up to nine percent of their overall IT budget on security, and this number is likely to continue to increase.
According to CyberSeek, in 2017 there are 780,000 people employed in cybersecurity positions in the US—with 350,000 positions unfilled. The number of empty positions is expected to grow significantly in the coming years. Further statistics on cybersecurity employment shortfalls can be found at CSO Online.
SMBs must compete with large deep-pocketed companies for this pool of talent.
The MSSP Option
An increasingly popular alternative is hiring a managed security service provider (MSSP). Some companies try to extend their contract with the managed services provider (MSP) that already manages their desktop, antivirus software, backups, and other routine operations. But security encompasses a variety of specialties not generally found on the staff of an MSP.
MSSPs do two core things:
• Monitor, manage, and mitigate security events
• Manage devices
Under these simple headings are a wide range of services, including protecting against malware, responding to incidents, controlling the risks that come with bring your own device (BYOD), scanning for vulnerabilities, and mitigating distributed denial of service (DDoS) attacks.
Issues in Choosing an MSSP
Companies have long outsourced functions that are not part of their core business. But a key core competency still has to be understanding and making good decisions about things that affect that business. Even if you don’t provide your own security services, you have to understand the business implications. Not knowing the essentials before considering MSSP offerings can lead to inadequate coverage, excess costs, and reportable breaches.
Various industries, such as healthcare, retail, or ecommerce, have their own specific security issues, and benefit from an MSSP that has deep experience in their area. The solution must fit with your business model. And the MSSP must be familiar with the jargon and acronyms specific to that industry when communicating with your own users.
Other Things an MSSP Can Bring to the Table
Many companies must be able to demonstrate a robust monitoring and response capability to regulators. SMBs may not have the requirement themselves, but they often work with or supply larger companies that do, and must demonstrate that same capability.
A good MSSP that operates in your industry should have a sense of what the current security issues are, and be ahead of events. If another client has been affected by a new vulnerability, they can notify their other clients of this new problem before it affects them too.
How to Make a Choice
Sit down, work out your requirements, and make them clear enough that you can tell if a vendor meets each one. This is a useful exercise in any event—how well do you understand what constitutes adequate computer security for your business?
On the other side, this will keep your understanding of your needs to a realistic level. Don’t pay for a level of service far beyond what is required. It can be hard for a vendor to refuse to provide you with services they know you won’t use. They need to meet payroll too.
It’s standard business jargon to call a relationship with a vendor a “partnership”—but with an MSSP, it’s actually true. The MSSP must always be in the loop on any changes, on either the technical or business sides, that may affect their operations. The relationship is never "set and forget".
Your own employees must continue to be educated on security issues. Many data breaches are the result of employees’ opening phishing emails, malicious employee behavior, or lost or stolen equipment. There is only so much an MSSP can do to mitigate the consequences of those.
All relationships have their bumps, and this one is particularly intimate. Have a dispute resolution process in place in case of disagreement.
Get Full Value From Your Investment
If this security benefits your customers, be ready to let them know about it. Many organizations provide value that they don’t let others know about, and IT security may seem resolutely unsexy...but it is increasingly important as a differentiator, particularly in the wake of any high-profile data breach.