Denys Rudyi - Fotolia

Supercharging cyber security protection: Questions to ask when hiring a managed services provider

With information security concerns and challenges at an all-time high, and a global shortage of security professionals to address them, some enterprises are turning to managed security services for help. To ease the selection process, Dragana Vranic and Kim Cuthbert list some useful things to keep in mind when shopping for a provider

Cisco’s 2014 annual security report reveals that not only are new cyber threat alerts growing by 14% year over year, but CISOs are struggling to hire people with up-to-date security skills. The study shows there is a shortage of more than one million security professionals in the industry.

On top of that, the 2015 Society for Information Management IT trends study found security to be number two on the list of management concerns, up from seventh place a year ago.

“The sophistication of the technology and tactics used by online criminals – and their non-stop attempts to breach network security and steal data – have outstripped the ability of IT and security professionals to address threats,” according to Cisco’s security report. “Most organisations do not have the people or the systems to monitor their networks consistently and to determine how they are being infiltrated.”

But the lack of talent isn’t stopping organisations from fighting the boom in cyber security issues. Frost & Sullivan researchers say more North American enterprises than ever before are turning to security partners to protect against advanced persistent threats (APTs), estimating the security services market will grow from $1.81bn in 2013 to $3.25bn by 2018.

The decision process

Making the decision to involve outside help is a process in itself, which can defer the introduction of critically needed resources. There may be concerns about loss of control or questions as to how managed services fit into a cloud services model.

To help streamline the decision process, here are eight things to consider when shopping for a managed security provider.

1. Why hire a managed services provider?

Organisations often consider hiring a managed services provider (MSP) when they have a number of “pain points”. They either want to add capabilities they don’t already have, or they want to shift the burden of routine, operational work off their internal staff to free them for strategic work that adds more business value. As reflected in Cisco’s personnel shortage projection, it’s often the former.

Technology has become so complex, and changes so fast, that it can be challenging for an internal IT department with limited resources to keep up. An MSP can provide different levels of support to meet the requirements, saving an IT staff from the Herculean task of staying on top of the changes.

Then there is trouble-shooting, especially for higher-level, critical issues. Such trouble-shooting is often both urgent and time-consuming. It can be an “all hands on deck” activity. In the meantime, other important work falls to the side. An MSP can focus on trouble-shooting, freeing up internal staff while reporting to and communicating with them as needed to achieve prompt, appropriate resolution.

Also consider 24x7 coverage. In today’s global, online economy, there is no such thing as “normal business hours”. Many businesses need to be available all the time, either because they operated globally or because they service customers around the clock. Even more important, cyber threats are not a nine-to-five occurrence and are a growing concern. PwC’s 2015 Global information security survey shows the average financial loss associated with cyber security incidents in 2014 was $2.7m, a 34% increase over 2013. Quick response and proactive security must be available around the clock.

A good MSP will have sufficient resources to provide both remote management and monitoring and first call support services on a 24x7 basis. This can translate into handling all needs around the clock or supplementing the coverage of an internal staff when they’re not available.

2. How flexible are the services?

Managed services are usually provided at least 90% remotely, but over the course of a one- to three-year contract, some clients may need on-site services to help them grow, or even to install upgrades. Can the MSP provide those on-site services, or are they strictly remote?

3. Where will your data live?

When customers select an MSP, one of the most important criteria is where the data resides.

Some providers host all the customer’s data in their own datacentres. Some may be engaged with a cloud service provider, so it’s a hybrid combination of on-site and cloud-based. Other MSPs store all customer data on the customer’s premises.

Knowing how each provider operates is essential to finding the right fit.

4. What will the day-to-day service be like?

An MSP should feel like an extension of the business’s IT organisation. For example, while day-to-day monitoring and response will be managed by the MSP, the organisation will retain control over the policies and protocols followed. Although some organisations assume they’re just going to hand over certain services and be done with them, that’s not the case in a good client/MSP relationship.

A big part of making that happen is having the right tools, such as a portal that provides the client with immediate access to day-to-day communication with the MSP, project status updates, trouble tickets, and reports on service levels. There should also be an effective ticketing system that makes it easy to exchange information and provide updates, as well as a knowledge repository so both sides can share best practices, standard operating procedures, debug methods and other critical information.

5. What will a bad day be like?

Even more important than the day-to-day operations is the question of what the MSP will do in an emergency. How many resources can it allocate when you have a server, firewall or proxy down? How will they notify you when it happens? What is your existing process for responding to emergencies? How do you want an MSP to work with you to support that process?

6. How strong is its skills “bench”?

The better the team, the better the performance, and it starts with individual certifications. Look for an MSP with experts who are constantly training and learning, keeping up with the latest technologies you find most important. Certifications are not only a measure of knowledge; they’re also an indicator of a dedication to excellence.

Beyond individual certifications, check to see if the MSP itself is ISO certified. These kinds of certifications reflect procedures, discipline and continual improvement.

7. How strong are its relationships with manufacturers?

This is the final critical component. No matter how good an MSP is on its own, there will be times when it will need to involve the manufacturer of the technology being used to resolve certain issues.

A good indicator of its relationship with technology suppliers is its certification or partner status. No status, or a very low one, may indicate it doesn’t have the clout it will need to resolve issues promptly when crunch-time comes.

In vetting the MSP, check whether it has direct access to the manufacturers’ Level 3 engineers, which will bring in expert help to solve the most complex issues. They should also have access and experience with the manufacturers’ specialised support and tools, again helping to resolve issues faster and more completely. If you’re seeking help at that level, it’s no time for guesswork.

8. How is the culture, team and size?

Finally, ensure there is a cultural match between the organisation and the MSP. Today’s market is overflowing with managed service providers – telcos, boutiques, companies that specialise in certain areas, large systems integrators, overseas outsourcers and more. Not every MSP is a match for every organisation.

Size matters, but which is the right size for your organisation? Many business leaders feel more comfortable with the largest national providers. However, while a large MSP may be better at servicing a widely dispersed workforce, a small or mid-sized MSP may be better at focusing attention on your company and providing a more flexible, customised offering.

The key is to identify and prioritise needs and find the MSP that best matches your priorities. They may not be able to fulfil everything on a wish list, but you’ll want to be sure they can handle the more critical ones.

The last word

If there are at least a million fewer security professionals than needed, a managed service provider may be the right choice as cyber threat alerts grow by 14% year over year. Putting a part of an organisation’s security infrastructure in the hands of an MSP with up-to-date security skills could be the answer as CISOs struggle to find a security professional who fits.

Dragana Vranic is vice-president of managed services, Canada, at Forsythe.



Kimberley Cuthbert is manager of business development for managed services at Forsythe.


Read more on Managing IT and business issues