Here’s a checklist for selecting the right MSSP
MSSPAlert.com reported that “A chief technology officer (CTO) must answer several critical questions before choosing the right managed security services provider (MSSP) for your organization. Get it wrong and you could open the door to a threat actor, damage your operations, negatively impact income and business reputation, and introduce risks to employees’ ability to work.” The February 3, 205 article entitled “Selecting the Right MSSP: A Chief Technology Officer’s Checklist” (https://tinyurl.com/3apkchrj) included these comments:
The first step is to consider your organization's unique security needs and evaluate any potential MSSP's capabilities against those requirements. What are the prime factors involving technology and integration, service delivery and support, reputation and references, cost and value, compliance and legal considerations, and proof of concept and evaluations?
You could get started by conducting a risk assessment to identify current vulnerabilities and critical security gaps. Of course, an MSSP or other cybersecurity vendor can help with this. Next, determine the services you feel you need, such as data, endpoint and identity protection, network monitoring, compliance support, etc. Then, finalize and document the budget and resources you have for cybersecurity.
As you research and shortlist your MSSPs, use industry reports, analyst rankings, client references, and your own security reviews to identify reputable service providers, especially those with specializations in your industry. Additionally, it’s important to listen to the MSSPs and weigh what they feel you need. MSSPs will have insights you do not, and you should listen to their perspectives.
A word of caution — and I can’t stress this strongly enough — if your MSSP does not emphasize recovery over resistance, their priorities are doing you a disservice. All the protection in the world does not guarantee that you will not be breached. However, recovery from a ransomware event can be assured — with the right data backup strategy and proper implementations. Therefore, assess the MSSPs against your own data protection and security standards. If the MSSP isn’t properly protecting its own data and assets, you shouldn’t expect it will effectively protect your data and assets. Don’t assume they have good standards and practices in place. And if you’re signing up for a “shared services model” where you have responsibilities for protections with them, make certain you understand who’s responsible for what. Never assume; rather, trust but verify!
Good advice. What do you think?