4 Best Practices for Working with MSSPs

There's no "set it and forget it" option, but using one adviser helps reduce security spending sprawl.

TJ Houske

July 5, 2023

5 Min Read
Best Practices


TJ Houske

For a whopping 83% of companies, it’s not if a data breach will happen, but when, according to IBM’s 2022 “Cost of a Data Breach” report. For this reason, managed security service providers (MSSPs) fill an increasingly important role for enterprises today. These third-party providers take on the difficult and time-consuming work of securing, monitoring and resolving incidents for businesses. Additionally, they ensure that compliance needs are met.

MSSP-Partner Best Practices

Choosing to partner with an MSSP is a critical decision, one not to be taken lightly. Following best practices when starting out with an MSSP partner can help to avoid common pitfalls and help you to optimize the relationship with your MSSP.

  • Know your service agreement: Right from the start, make sure to thoroughly review your service agreement with the MSSP to confirm that it meets your needs and expectations. Once you’ve done this, resist the “set it and forget it” mentality. Throughout the relationship revisit the agreement regularly to make sure it remains relevant. Scheduling regular reviews will ensure that it stays current with your priorities. This will yield the best results for your business over time. Don’t get caught in a situation where the support you need isn’t in the agreement.

  • Communicate often and directly: At the beginning of the relationship, establish communication frequency and responsibilities between your organization and the MSSP. Although you may have a main point of contact internally, remember that the role of the MSSP may relate to several functions across your organization. So, make sure that all appropriate stakeholders are communicating effectively with the MSSP. For example, include senior technical and leadership-level resources including the CISO, director of IT, CIO, CTO and director of network operations and engineering. Think of your MSSP as an extension of your team.

  • Draw the lines of responsibility: Confirm, verbally and in writing, what the MSSP will be responsible for and what will be managed in-house. This best practice cannot be overstated. Failing to do so can result in potentially devastating problems. Never assume what the MSSP will cover. Talking it through in detail will eliminate confusion around specific tasks or deliverables and, most important, ensure your company is covering all its security bases. Take, for example, asset management inventory and monitoring, or “you can’t protect what you can’t see.” Your MSSP partner should have a sound and documented process on onboarding, maintaining and offboarding assets into its monitoring and management ecosystem.

  • Integrate compliance auditing: Your MSSP partner should be on-point for all compliance auditing needs. Look for a firm that has strong experience in this space and has a range of compliance certifications in your industry. For example, if you’re an organization in the healthcare industry, confirm that your MSSP partner is HIPAA-certified and has experience with all current healthcare regulatory requirements. Ask to see its credentials and certification history, and make sure it has a roster of happy clients in your industry.

Invest in the Relationship

Investing time, attention and resources in developing a strong relationship with your MSSP will pay off in more ways than you may expect. For example, with skilled labor in short supply and costs rising, outsourcing your security services to the right MSSP has the potential to be the answer to both these challenges.

In fact, earlier this year Gartner predicted an imminent cybersecurity talent churn, which it described as a “significant threat” for security teams. The analyst firm believes that nearly half of cybersecurity leaders will change jobs by 2025. Businesses that partner with MSSPs can begin to fill the cybersecurity talent gap. With an MSSP team fulfilling your security and compliance needs, your internal team becomes less stretched and can devote its time to addressing other priorities.

The related matter of saving on costs is also at play. Remember that your MSSP team is flexible, which means you can be highly efficient with your budget. The outsourced, on-demand model is perfect for when your needs change or fluctuate. An MSSP is built to scale services up and down as needed, in real time. And having one trusted partner acting as an adviser and single point of contact helps your business to reduce sprawl in security spending. Also inherent with the outsourced model is subscription model pricing, which makes budget planning easy and more affordable.

The key to creating a highly productive and successful MSSP partnership, like any partnership or business relationship, requires your ongoing involvement. It’s well worth it. In a time when cybersecurity attacks and breaches are a daily threat, applying the best practices will help your organization gain a stronger security posture with fewer incidents, faster resolutions, and more efficient operations.

TJ Houske is senior vice president of technology, operations and engineering at Otava, where he leads the development of Otava’s hybrid and multicloud solutions. For nearly 30 years he has held senior and executive leadership roles in engineering, architecture and strategic business development. He holds a bachelor’s degree in organizational studies and business from Arizona State University and is completing an MBA with emphasis in marketing and strategic leadership as well as a master’s in finance from the University of Cincinnati. You may follow him on LinkedIn or @OtavaLLC on Twitter.

Read more about:

MSPsChannel Research
Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like