
6 common mistakes companies make when selecting a managed security services provider

ARTICLE | October 11, 2023

Authored by RSM US LLP

The complexity of today’s cybersecurity landscape isn’t up for debate. Organizations increasingly struggle to keep technology current, processes relevant, and security safeguards up to date.

It should come as no surprise, then, that many organizations are turning to managed security service providers (MSSPs) to deliver a more effective—and often more affordable—framework for reducing risk. But selecting the right service provider can prove challenging, as ambitious sales pitches and lofty promises often come up short.

Getting to a best-practice cybersecurity framework requires planning and due diligence. It’s critical to avoid common traps, mistakes and errors when outsourcing technology, tasks and oversight.

Here are six common stumbling points along with techniques your organization can use to ensure your cybersecurity program is up to par.

Mistake No. 1: Selecting a service provider that over-promises and under-delivers

Problem

Understanding the breadth and depth of today’s cyber risks is incredibly difficult: identifying what specifically creates a risk, how various groups within the enterprise intersect with it, and what consequences could result. Unfortunately, many MSSPs lack the ability to properly assess and analyze a company’s risk profile. Instead, they rely on a cookie-cutter approach that fails to address the specific needs and nuances of the business.

Solution

Cut through the marketing claims and consider how each vendor is offering to solve your particular challenges. A best-in-class MSSP includes four essential pillars: knowledge, metrics, experience, and flexibility. The right vendor will be able to:

  • Help your organization purge repetitive processes
  • Eliminate excessive or duplicative systems
  • Banish silos and gaps that generate risk
  • Link risks and controls through metrics and KPIs

The end result should be a program and relationship that meet your organization’s specific needs.

Questions for prospective MSSPs

When selecting an MSSP, confirm that they are experienced, knowledgeable, and have a track record of delivering on expectations. Ask for these proof points when interviewing providers:

  • What are their qualifications and credentials?
  • How many clients do they have?
  • Are their clients mostly small, middle market, or enterprise businesses?
  • How many years of experience do they have?
  • Do they have a list of clients you can speak with?

An important question: What is the full scope of your service, what is covered, and what is explicitly out of scope?

Mistake No. 2: Underestimating the need for agility, flexibility and scalability

Problem

The last few years have churned up a breathtaking number of cyberattacks and breaches. As environments have become more complex, potential risks and costs have risen: the typical data breach now costs US $4.45 million, a 15% increase over the past three years. What does this mean for middle-market firms? It’s essential to adopt a flexible framework that avoids lock-ins and dead ends that can lead to higher costs, technical debt, and elevated risk exposure.

Solution

Look for a managed security services provider that can design a framework with a high level of agility, flexibility, and scalability. Ensure that the managed approach can adapt to your company as it grows and as changes take place. The right cyber-monitoring tools in the hands of specialists who truly understand middle-market firms can offer superior protection.

An important question: How and why does your framework stand out and will it keep our company on the leading edge of risk management?

Mistake No. 3: Misjudging the importance of visibility and reporting

Problem

Today, organizations have tens of thousands of touchpoints on their networks, including users, devices, identities, and other assets. Securing these access points spans areas as diverse as threat intelligence, incident response, digital forensics, and remediation. However, business leaders too often rely on a mishmash of tools and applications that cobble together an incomplete picture of cybersecurity and business risk. The result is an inability to detect threats as they appear and a slower-than-acceptable response time to attacks.

Compounding the visibility problem are manual or outdated reporting tools that fail to bring vulnerabilities or problems to light. Without this critical component, the task of identifying and remediating issues becomes nearly insurmountable.

Solution

A best-in-class MSSP will offer one centralized dashboard with both granular and global views that tie risk components together, delivering a transformative level of insight and information. As organizations migrate resources into the cloud and spread tools and applications across containers and microservices, broad and deep visibility into risks is paramount.

A robust solution also captures the data essential for producing reports and analyzing information and trends. When one source of truth exists, all stakeholders can be assured of the veracity of both data and reports.

An important question: Do you offer a centralized dashboard? What level of reporting detail does it deliver?

Mistake No. 4: Turning to a service provider that lacks best-in-class technology

Problem

Technology serves as the foundation for any cybersecurity framework. Yet tools and systems that were state of the art a couple of years ago are already outdated, even obsolete. This leads to enormous risk exposure because an organization’s business technology footprint generates millions, and sometimes even billions, of security events. Without proper controls, data can leak out and cost your organization both financially and reputationally.

Solution

MSSPs must react to today’s fast-changing business landscape with targeted precision. Work with a trusted provider that is committed to advanced digital technology and training for their team. Your MSSP should be able to explain their overall methodology as well as the specific tools and technology they employ so that you can fully understand the services they are promising to deliver.

An important question: How and why is your framework, including technology, effective? What proof points can you offer?

Mistake No. 5: Accepting subpar service and support

Problem

Business relationships aren’t defined by great sales pitches but by how a provider responds when questions come up or things go astray. The complexities of today’s cybersecurity environment guarantee that questions, issues, and new risks will arise on a regular basis, and the last thing a business needs is finger-pointing and attempts to deflect the problem.

Solution

An ideal MSSP is a trusted advisor who has your best interests in mind. The mutual goal should be to focus on maximizing protection while keeping costs and administrative overhead under control. As a result, top providers conduct ongoing analyses to improve performance and lower risk levels. When there’s a problem, a good MSSP will take responsibility and work with you to fix it.

What can a good MSSP do for your organization?

A good MSSP can solve problems that have been lingering in your organization and may also identify and resolve issues that you didn’t even know you had. Beyond that, a solid MSSP can:

  • Help create a proactive culture by developing your staff
  • Coach and mentor your in-house team
  • Bring in specialists to help take your business to the next level

An important question: What is your commitment to support and what mechanisms do you have in place to back it up?

Mistake No. 6: Doing business with a vendor that lacks a road map and future vision

Problem

It’s time-consuming and expensive to switch vendors, strategies, technologies, and processes. No business wants to find itself faced with a service provider that lacks a clear vision and isn’t committed to keeping technology and processes up to date. In a managed security services environment, anything less than a mature, well-designed framework poses risks.

Solution

A best-in-class cybersecurity platform and service model weaves reporting, workflows, audits, and automation into one agile and flexible model. It should combine knowledge, metrics, experience, and flexibility into a central security strategy and deliver the data-driven insights you need for process improvement. There should be a pathway to progress now as well as a road map to the future.

An important question: What is your experience in this industry—and what skills do your teams have?

Let's Talk!

Call us at +1 213.873.1700, email us at solutions@vasquezcpa.com or fill out the form below and we'll contact you to discuss your specific situation.


Source: RSM US LLP.
Reprinted with permission from RSM US LLP.
© 2024 RSM US LLP. All rights reserved. https://rsmus.com/insights/services/risk-fraud-cybersecurity/common-mistakes-companies-make-choosing-managed-security-services.html

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent assurance, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/about for more information regarding RSM US LLP and RSM International.