11 Elements of a Successful Managed Security Partnership
by Steven Drew - Monday, 02 February 2003.
At the management level, careful consideration must be given to the team's vision for the company. From the top down, is the MSSP focused on delivering Managed Security Services, or is it using services as a way to increase its product sales? This is very important because it determines whether the provider has the breadth of experience necessary to perform in a best-of-breed environment or only has experience with its own company's products. Vision also plays an important role depending on your objectives. Many MSSPs have a general, "managed anything" security vision. These providers are excellent for companies that do not have the capacity or inclination to handle security internally and are looking for a way to outsource the entire function. On the other end of the spectrum are providers that specialize in Threat Management and partner with internal security teams to enhance their organization's security posture. These providers build their service offerings around the capabilities necessary to protect against, detect and respond to threats before damage is done.

Process


The second category is the Managed Security Service Provider's processes. Processes facilitate the effective delivery of the provider's services. An important but often neglected process is enabling real-time visibility into service delivery. An MSSP should adhere to an OPEN Service Delivery methodology. This methodology allows clients to see the status of their security and service delivery every second of every day. To adopt this methodology, the MSSP needs the proper processes in place to show clients real-time information through a portal. Many providers will only post incidents after they have been analyzed. If a provider does not present all security events, the client will not gain enterprise-wide security visibility and will never know the true level of threats facing their organization. Companies should seek providers that present them with all the events and their status in real time via the client portal.

Availability of the monitoring infrastructure is obviously of critical importance. However, it is surprising how many providers do not have processes in place to detect failures in their own monitoring systems. Even fewer providers conduct trending and behavioral analyses to detect abnormal traffic patterns. Without conducting these types of analyses, a provider will not be able to catch a sudden drop-off in their security monitoring visibility. A typical example of this is when a client makes an improper switch configuration change on a network where an intrusion detection system resides. Most providers will not be alerted to a sudden reduction in visibility. To them it would look like a mere slow-down in events. Only providers that conduct continuous analysis on behavioral patterns will realize that something is not right with the monitoring infrastructure. It is obviously very important to seek out providers who conduct this type of analysis to ensure service availability.
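The check described above can be sketched as follows. This is an added example, not code from the article or from any provider; the sensor names, the 5-minute interval and the thresholds are assumptions, and it treats event volume as roughly steady rather than modelling time-of-day patterns.

```python
from collections import deque
from statistics import median

def visibility_drops(counts, window=12, k=4.0, min_baseline=20):
    """Flag intervals where a sensor's event count collapses below its own baseline.

    counts maps sensor name -> per-interval event counts, oldest first.
    Returns a list of (sensor, interval_index, observed, floor) tuples.
    """
    alerts = []
    for sensor, series in counts.items():
        # Trailing window of intervals considered healthy for this sensor.
        normal = deque(series[:window], maxlen=window)
        for i in range(window, len(series)):
            base = median(normal)
            if base < min_baseline:
                normal.append(series[i])  # too quiet to judge a drop reliably
                continue
            # Robust spread: scaled MAD, with a 5% minimum so a very flat
            # history does not make ordinary jitter look anomalous.
            mad = median(abs(x - base) for x in normal)
            spread = max(1.4826 * mad, 0.05 * base)
            floor = base - k * spread
            if series[i] < floor:
                # Keep the collapsed interval out of the baseline so a long
                # outage keeps alerting instead of becoming the new normal.
                alerts.append((sensor, i, series[i], round(floor, 1)))
            else:
                normal.append(series[i])
    return alerts

# Constructed sample data: events per 5-minute interval for two hypothetical
# IDS sensors. "ids-dmz" loses most of its traffic after a switch change;
# "ids-core" only sees a mild slow-down.
SAMPLE = {
    "ids-dmz": [200, 212, 195, 205, 190, 208, 199, 203, 210, 197, 201, 206,
                9, 7, 11],
    "ids-core": [150, 160, 145, 155, 148, 152, 158, 147, 151, 149, 156, 153,
                 130, 128, 135],
}

if __name__ == "__main__":
    for sensor, idx, seen, floor in visibility_drops(SAMPLE):
        print(f"{sensor}: interval {idx} saw {seen} events, expected at least {floor}")
```

The sensor still reports a trickle of events after the change, so a simple "no events received" heartbeat would stay silent; comparing each sensor against its own recent baseline is what separates lost visibility from a mere slow-down.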

COPYRIGHT 1998-2013 BY HELP NET SECURITY.