In most cases, companies quickly learn that all of the cybersecurity products in the world aren’t enough by themselves to protect against increasingly sophisticated cyberattacks.
In addition to technology, it also takes expertise — which is in short supply, thanks to the current talent gap. That’s why organizations outsource much — if not all — of their cybersecurity responsibilities to managed service providers (MSPs).
This may seem like a no-brainer for all but the largest enterprise firms, but working with an MSP for cybersecurity isn’t a magic bullet. Instead, think of it more like a partnership where you work as one to ensure your organization’s cybersecurity. Like any partnership, it takes communication, a common goal, an understanding of what each party brings to the table and carefully coordinated efforts to ensure nothing falls through the cracks.
During my tenure in cybersecurity, I’ve seen what it takes to create an effective vendor-client relationship. And I’ve also learned what strains the relationship and makes it less than optimal. So, here is a list of the do’s and don’ts to keep in mind if you’re considering the MSP route to protect your business.
Do set expectations. No MSP is a mind reader. Set clear expectations for performance early, and put them in writing as part of your service-level agreement.
Do ask questions. Who will you work with, and what will the rules of engagement be? Once you understand each other’s capabilities, you can incorporate the MSP’s team and processes into the cybersecurity defense of your organization.
Do establish responsibilities. Working with an MSP for security allows you to pass along some of the work, but it doesn’t mean you can hand off your accountability. That ultimately falls upon your organization. What’s more, one provider may be responsible for establishing endpoint protection but might not offer 24/7 monitoring, while another might be a resource for detection and response but leave things like patching and firewalls up to you. You need to understand ownership roles so you can build out the rest of your cybersecurity strategy appropriately.
Do be responsive. The difference between effective cybersecurity and a disastrous breach can be a matter of days, hours or even minutes. You need to trust your MSP’s cybersecurity experience and expertise and be prepared to incorporate its recommendations as quickly as possible.
Do understand their pricing structure. Some providers set their prices based on event volume, which can save your organization money when you don’t have a problem but can prove costly during an attack. Other providers charge an annual subscription that provides all-you-can-use services. This may cost more initially, but it will save you money if you experience frequent attacks. Once you understand your needs, you can find a provider with a pricing model that best fits your budget.
Do be proactive. Never let a problem fester. If an issue arises, reach out before your next scheduled check-in. This way the MSP can help resolve the problem before it becomes something larger.
Do plan for the future. While you may only have on-premises needs currently, will you need cybersecurity coverage in the cloud as you evolve your systems and increasingly leverage SaaS and IaaS applications? You need to make certain this won’t significantly impact your cybersecurity posture and coverage, or cause major upheaval to your budget plans.
Do think before you jump. The managed services industry has grown by leaps and bounds as new players rush in and traditional IT players look to offer their own solutions. As a result, there are a multitude of choices. These range from full-service to specialty support to vendors that focus on the specific needs of high-risk industries like healthcare or financial services.
Now let’s look at three pitfalls.
Don’t neglect your staff’s role in cybersecurity. Bottom line: You are accountable should something go wrong, so working with a service provider doesn’t mean your staff is off the hook. Besides, your IT team will still have ongoing cybersecurity responsibilities, and employees must remain vigilant against email scams, malicious downloads and other social attacks. You must continue to provide your people with cybersecurity training. That should never change.
Don’t go with a generalist. For a company already working with an IT MSP, it can be tempting to simply add cybersecurity services. But take it from me: Cybersecurity is complex, ever-evolving, and more than a full-time job. Most general IT providers simply won’t have the tools or in-house security analysts and engineers to give you the protection you require.
Don’t leave cybersecurity only up to IT. Security is as much the job of the CEO as it is the responsibility of the CIO. As your company balances where to invest its time, money and resources, you need to make sure everyone in your organization understands why a service provider is essential to keeping your data and systems safe.