Choosing a managed security provider is one of the most delicate decisions a company can make. Choose the right provider and you will very likely improve your company's network security: the best managed security service providers have deep expertise and far more operational experience than most companies can hope to develop in-house. That is the number one reason companies choose to outsource security. Managing firewalls, intrusion detection systems, encryption, and DDoS protection is specialized work that is both necessary and best handled by experts.
But choosing the wrong MSSP could leave your company's assets open to substantial risk. Before choosing a managed security service provider, you should carefully consider your options, and keep these four key concerns uppermost in your mind.
It's easy enough to claim expertise, and many companies don't have the experience to assess the competence of a platform and its technical employees.
Independent attestation can give organizations the reassurance they need. A competent and trustworthy managed security provider will be able to provide evidence of the security of its platform, in particular data centers covered by current SOC audit reports (historically issued under SSAE 16, now under its successor SSAE 18). Note that SSAE 16 is an auditing standard, not a certification, and a report covers only the controls and period described in it, so ask to read the report rather than accepting a logo. Such reports can support, but do not by themselves deliver, HIPAA, SOX, and PCI DSS compliance.
This might seem like a no-brainer, but the range of services a vendor is competent — or prepared — to offer can vary considerably. I advise that even if you only intend to deploy a limited selection of managed security services — a VPN, for example — you choose a vendor that offers a full range of services.
Once you're comfortable with a security platform, you may well decide to expand the scope of the security services you outsource — something that will go more smoothly if you have an existing relationship with the provider.
There's little benefit to having a security-hardened network if the vendor operates out of a data center with lax physical security. Reputable managed security vendors will happily discuss the specifics of the physical security implemented at their data centers.
Pay careful attention to biometric authentication for access to the data center floor, round-the-clock video and in-person monitoring, and access logs that record who accessed which hardware and when. Ask how long those logs are retained and whether they can be provided to you during an investigation.
Security is a holistic process and failures anywhere within the system can pose an unacceptable risk to valuable assets and data. Employee screening is an essential component of a comprehensive approach to building secure systems. Companies that handle sensitive data are usually very careful about whom they employ, and they should expect no less from their vendors.
A managed security provider can offer companies a route to improved security — consider the capabilities of your provider carefully and you'll have a long and successful relationship.