Tips for an SMB Evaluating MSSPs / security services
Walk into any SMB and ask them who is responsible for security at their organization. They will either point to the guy with the firewall or the security guard roaming the parking lot. It is more than that; ultimately it is Senior Management. They don’t know every legal nook and cranny, so they hire an attorney; they don’t know every IRS trick, so they hire a CPA. They don’t know security, so they should hire a 3rd party evaluator: a Virtual Chief Security Officer. The SMB has the IT mentality, which does not work for security, the law, or financials. You would never call the IRS and ask them the best way to save money, would you? Security is about protecting assets. To the Janitor those assets are keys, to HR they are personal records both written and electronic, to finance they are the books. The biggest risk and concern to the SMB is thinking an MSSP is the end-all, be-all and will make you secure. You still have to be concerned with physical and administrative controls. Having a third party evaluate your needs and help select a vendor is the best route. If you’re getting your needs evaluated by the person selling you the service, you are in serious trouble. Never have the Fox build the Hen House and then guard it. A 3rd party evaluation will be the best money you ever spent. Oftentimes a 3rd party evaluator will end up saving you money.
Define the Drivers for MSSP
- Does the MSSP meet ALL of the regulations:
  - Whether the SMB is trying to reduce risk, must comply with a regulation (PCI, GLBA, HIPAA), or has a security-related contractual obligation with a customer, know the requirements before you start shopping for a product.
- If you have Information Security Policies, ensure the MSSP can comply with those policies.
- Know the GAPS between the products and the regulations.
Document Roles and Responsibilities:
If a breach does occur and a lawsuit happens, contracts become evidence. It is important everything is clear in the beginning:
- Who is responsible for what, documented up front, will save you in a breach situation and eliminates finger pointing later.
- Request that the Vendor clearly define the services they will be performing in the signed contract. (Example: not just "Monitoring $1500 per month")
- Request that SLAs be put in place, along with responsibility for a breach.
- Assign an Executive Management Resource to oversee the project. If a breach occurs, the SMB will be sued, not the MSSP. Executive Management has ultimate responsibility for the company and is the only one who can make risk decisions.
Security in small to midsized businesses can be tricky. You don’t have to be an expert, but get the advice of an expert.