CIO Decisions - Tips for choosing a Managed Security Services Provider (MSSP)

Article by Rishikesh Kamat

According to research and advisory firm Gartner Inc., at most companies, the staff responsible for IT security functions is also responsible for other activities and spends most of its time on non-security projects. For any resource-constrained organization, the added responsibility of managing security is often just too taxing. Gartner has concluded that in-house teams struggle to understand and defend against the latest security threats because this requires constant system monitoring – something that few businesses can afford.

For those IT staffs that take on the task, the challenges are daunting. After all, this normally entails formulating a security policy and implementing firewall, intrusion detection, virus detection, and other security technologies. But even after taking these steps, the challenge remains of how to manage the security effort. Security, after all, isn’t static, and enterprises must be prepared to proactively monitor, maintain, and upgrade their network protection.

The bottom line: maintaining the necessary vigilance in these days of “zero-day” attacks requires significant investments in staff, IT systems, and training.

The alternative is for enterprises to outsource the management and monitoring of their security to a Managed Security Service Provider (MSSP). An MSSP can combine advanced technology with expert human analysis, enabling an enterprise to cost-effectively strengthen its security posture. An MSSP can also provide a level of technology and expertise that ensures rapid response to real threats or “defense in depth”.

Increasingly, enterprises are recognizing the importance of “defense in depth.” This involves a comprehensive approach to securing critical assets, networks, and information systems while implementing robust defenses against hackers, viruses, and other online threats. Defense in depth recognizes that today’s environment is one increasingly beset by so-called blended threats that dynamically target the vulnerabilities of isolated security products. As a result, companies must adopt a deep, integrated strategy that addresses security at all tiers: gateway, server, and client. It is precisely this kind of strategy that an MSSP can help enterprises execute.

So how should an enterprise go about choosing an MSSP? The following criteria should be considered:


Entrusting sensitive corporate data to a third party is not a decision to be taken lightly. When partnering with an MSSP, invest the time and resources to ensure that the service is addressing your organization’s most critical needs. As a result, special emphasis must be placed on choosing a partner that has a proven track record of delivering quality security services to a broad range of industry sectors over a long period of time.

Real-time analysis and response

An MSSP must have the ability to accurately correlate, analyze, and interpret large volumes of network security in real time. It must be able to separate real security threats from a spate of “false positives.”

State-of-the-art facilities

An MSSP should have multiple security operations centers, or SOCs, that run 24×7x365. Having two or more SOCs allows for cross-monitoring, ensuring constant compliance with security standards. They can also provide backup in times of disaster.

Global intelligence

An MSSP should have security experts positioned to monitor and analyze threat data from security vendors and customers around the world. This global intelligence enables an MSSP to issue real-time alerts and recommend actions to be taken in a timely fashion.

Annual revenues

What is the prospective MSSP’s financial status? For publicly traded companies, Gartner estimates that annual run rates of more than $10 million (convert this to INR) per year in managed security services contracts indicate a sufficient base of revenue to support growth and enhancement of services.

Management experience

For leading MSSPs, management experience will include backgrounds in military, security vendors and government.

Breadth of services

This key consideration indicates an MSSP’s ability to meet the security management needs of a wide variety of companies. It includes real-time monitoring and management of firewalls, intrusion detection systems, virtual private networks, and other security products.

Security management processes

An MSSP should be able to provide documented standards and policies for handling typical and atypical operations and threats. An MSSP should offer a variety of attack alert notification methods to allow customers’ staff the ability to mitigate risk in real time.

Vendor neutrality

An MSSP should employ security specialists with certified expertise across a broad range of security products from a variety of security providers. This allows a company the freedom to select best-of-breed solutions.


While trust is one of the most important factors in selecting an MSSP, the vendor must have facilities, processes, and procedures in place that are validated and certified by a third-party auditor.


Reports provided by MSSPs should be detailed enough to support decisions to enhance security efforts and to determine the cost-effectiveness of the managed services. Thorough reports will include information gleaned from the managed devices, recommended responses, any changes the MSSP made to the devices, and information about the latest threats. In addition, enterprises are increasingly reacting to legislation that will entail stringent compliance reviews. An MSSP should therefore be in a position to consolidate and analyze security log data.

All organizations can benefit from the continuous management and monitoring of their security operations. In this regard, an MSSP can help develop a company-wide security policy that sets appropriate access control rules governing all employees. This is essential because it recognizes that the majority of security breaches come from within. (Most MSSP contracts include monitoring of all security-related activities on the internal network.) Before signing on with an MSSP, make sure all employees are aware of the corporate security policy and what the MSSP is contracted to do.


Managed security services can remove the volatility associated with IT staffing and the need to respond to unpredictable network threats, allowing enterprises to better manage their day-to-day business requirements, resources, and costs. This is especially important today as threats increase in severity and complexity. Enterprises that are seriously considering outsourcing their security should know that this can be a smart business decision, as well as one that assists them as they face new reporting requirements.