October 03, 2021
People are increasingly using MSPs not just for their IT, but also for things like marketing and cybersecurity.
As far as cybersecurity is concerned, these service providers are referred to as MSSPs (managed security service providers).
Managed services provide millions of companies in the United States the crucial services they need to function in today’s business world.
Simply put, the needs of modern SMBs are far greater than they’ve ever been—whether it’s digital marketing campaigns, IT management and infrastructure, or cybersecurity measures; all of these are vital today.
The issue is that they are also extremely expensive to do in house.
It’s simply not feasible for most small and midsized organizations to hire an internal IT team, and internal marketing team, an internal cybersecurity team, and any other number of departments they’ve additionally have to fund.
So, instead they turn to MSPs to help fill in the gaps.
For those businesses that aren’t entirely familiar with how the managed services model works, they may want to clarify exactly what they should expect from a partnership from an MSP.
Not all MSPs are created equal, and not all will deliver what we would consider to be an acceptable arrangement in a partnership.
When it comes to managed cybersecurity, you should expect the following:
Every managed security service partnership should start with a proper, in-depth risk audit that examines the client’s business fully so that the provider can understand what solutions and practices need to implemented to keep the organization safe.
Be wary of businesses offering free risk audits—these are often not thorough and comprehensive enough to get a full understanding.
The risk audit should involve complete penetration testing and vulnerability scanning of your network and systems by security engineers.
They can then report to you on their findings and what you need going forward.
An MSSP should be able to offer a fully tailored cybersecurity tech stack that is comprised of solutions that are appropriate to your needs.
This should include perimeter security, endpoint protection, information security, authentication protocols, backup and disaster recovery, and network monitoring.
This is what is referred to as a layered approach to cybersecurity—businesses today should not be relying on just one or two security solutions and quality service providers will offer a comprehensive technology stack for their clients.
Once the tech stack has been implemented, a cybersecurity partner should not be “setting and forgetting”.
As a partner, it is now their responsibility to correctly and effectively monitor your network, ensuring threats are contained and that all systems are running as expected, immediately responding to irregularities if necessary.
The business should be assigned a virtual Chief Information Officer (vCIO) for this purpose.
They will be the point of contact and should be treating the client as though they were an employee, monitoring the network at all times and preventing malicious threats.
To do this, they will utilize the implemented cybersecurity solutions and proactively monitor the network, aggregating, indexing, and analyzing data in order to detect behavioral inconsistencies and protect IT infrastructure.
Additionally, the vCIO should also act as a technology consultant for the organization.
As with any other aspect of business technology, environments and organizations change rapidly, meaning companies need to have someone who’s got there finger on the pulse of where the business is with regards to their security tech.
As organizations grow, more employees are onboarded, meaning more devices; sometimes working arrangements with staff change; and other times the handling of new information prompt a need to be aware of compliance regulations.
There are many different factors which can mean a cybersecurity strategy needs to be updated and adjusted, and that’s where a business can expect their MSSP to step up with vCIO consultation services on an ongoing, long-term basis.
As with any digital transformation project, cybersecurity is complex and requires true commitment in a partnership.
Security strategies should be planned with a long-term goal and perspective in mind with partnership at the heart.
This means it’s incumbent on the service provider to take the initiative and play a key role in positioning themselves at the heart of your IT operations—as an extension of the company and not just an outsourced solution provider.
They will be responsible for testing, reporting, implementing, maintaining, and monitoring the solutions necessary to protect your organization, and as such there should be a strong emphasis on ensuring communication between both parties is strong and effective.
The point of contact—vCIO—should be consulting and maintaining a relationship with the partner on a basis that’s suitable for both; whether this is monthly, quarterly, or something else.
Forming this kind of consistency in reporting and consultation builds trust and helps both parties understand where they’re at and where they need to be for the security strategy to truly succeed and ensure it’s in the right place.
What kind of accreditation does your security partner have?
Who you choose as your business security partner is who you’re trusting to keep your most prized possession protected, and so making sure the vCIO you are given and the company they represent are qualified for the job is essential.
Consider factors like their Net Promoter Score (NPS) to get an understanding of how well they deal with their current client base and check to see what qualifications and certifications their staff have in working with the solutions they implement.
Some MSSPs will have a roster of seasoned cybersecurity veterans, while others will be little more than salespeople.
The cost structure is one of the key reasons SMBs choose to partner with service providers.
Traditionally, the break-fix model has been common in IT, whereby services are contracted when needed, usually billed by the hour.
This model is expensive and difficult to budget for.
Many service providers offer their services as an all-inclusive package.
This means that once a service agreement has been signed, there shouldn’t be any unexpected fees charged in addition to the monthly contract expense.
When partnering with an MSSP, make sure the contract suits your needs—most businesses and MSPs are favoring the fixed-fee model today because of its simplicity and attractiveness to SMBs.
Onboarding is an important part of any partnership with a service provider and should be handled properly.
Once the risk assessment has been conducted, the recommendations made, and the contract signed, there should be a timeline put in place for the implementation phase of the agreement.
This means that the strategy going forward for technology adoption is laid out clearly so that both parties have a clear understanding of mutual expectations.
Is what the provider is offering flexible and scalable?
As technology environments evolve, business needs evolve too, and this often means that expectations and strategies have to be altered down the line.
If for example, new solutions are needed for compliance needs that were not in the original agreement, the business needs to know that the MSSP offers the necessary flexibility to offer this new service.
Ensure that the service provider is comfortable being flexible in their approach to service agreements and that they offer scalability for when changes need to be made.
This is also where a quality vCIO will show their worth.
A cybersecurity strategy that needs updating should be spotted by the vCIO, who can then make the appropriate recommendations that can then be agreed upon and implemented as necessary, but a flexible and scalable service is necessary to achieve this.