Authored by RSM LLP
The complexity of today’s cybersecurity framework isn’t up for debate. Organizations increasingly struggle to keep technology current, processes relevant, and security safeguards up to date.
It should come as no surprise, then, that many organizations are turning to managed security service providers (MSSPs) to deliver a more effective—and often more affordable—framework for reducing risk. But selecting the right service provider can prove challenging, as ambitious sales pitches and lofty promises often come up short.
Getting to a best-practice cybersecurity framework requires planning and due diligence. It’s critical to avoid common traps, mistakes and errors when outsourcing technology, tasks and oversight.
Here are six common stumbling points along with techniques your organization can use to ensure your cybersecurity program is up to par.
Mistake No. 1: Selecting a service provider that over-promises and under-delivers
Understanding the breadth and depth of today’s cyber risks is incredibly difficult. This includes identifying what specifically is creating a risk, how various groups within the enterprise intersect with risks, and what consequences could result. Unfortunately, many MSSPs lack the ability to properly assess and analyze a company’s risk framework. Instead, they rely on a cookie-cutter approach that fails to address the specific needs and nuances of the business.
Cut through the marketing claims and consider how each vendor is offering to solve your particular challenges. A best-in-class MSSP includes four essential pillars: knowledge, metrics, experience, and flexibility. The right vendor will be able to:
- Help your organization purge repetitive processes
- Eliminate excessive or duplicative systems
- Banish silos and gaps that generate risk
- Link risks and controls through metrics and KPIs
The end result should be a program and relationship that meet your organization’s specific needs.
Questions for prospective MSSPs
When selecting an MSSP, confirm that they are experienced and knowledgeable and that they have a track record of delivering on expectations. Ask for these proof points when interviewing providers:
- What are their qualifications and credentials?
- How many clients do they have?
- Are their clients mostly small, middle market, or enterprise businesses?
- How many years of experience do they have?
- Do they have a list of clients you can speak with?
An important question: What is the full scope of your service and what is covered?
Mistake No. 2: Underestimating the need for agility, flexibility and scalability
The last few years have churned up a breathtaking number of cyberattacks and breaches. As things have become more complex, there has been an increase in potential risks—and costs: the typical data breach costs US $4.45 million, a 15% increase over the last years. What does this mean for middle-market firms? It’s essential to adopt a flexible framework that avoids lock-ins and dead-ends that can lead to higher costs, technical debt, and elevated risk exposure.
Look for a managed security services provider that can design a framework with an ultra-high level of agility, flexibility, and scalability. Ensure that the managed approach can adapt to your company as it grows and changes take place. The right cyber-monitoring tools in the hands of specialists who truly understand middle-market firms can offer superior protection.
An important question: How and why does your framework stand out and will it keep our company on the leading edge of risk management?
Mistake No. 3: Misjudging the importance of visibility and reporting
Today, organizations have tens of thousands of touchpoints on their networks, including users, devices, identities, and other assets. Securing these access points can span areas as diverse as threat intelligence, incident response, digital forensics, and remediation. However, business leaders too often rely on a mishmash of tools and applications that cobble together an incomplete picture of cybersecurity and business risk. The result is an inability to detect threats as they appear and a slower-than-acceptable response time to attacks.
Compounding the visibility problem are manual or outdated reporting tools that fail to bring vulnerabilities or problems to light. Without this critical component, the task of identifying and remediating issues becomes nearly insurmountable.
A best-in-class MSSP will provide one centralized dashboard with both granular and global views that tie together risk components, delivering a transformative level of insight and information. As organizations migrate resources into the cloud and spread tools and applications across containers and microservices, broad and deep visibility into risks is paramount.
A robust solution can also produce the data that is essential for generating reports and analyzing information and trends. When one source of truth exists, all stakeholders can be assured of the veracity of both data and reports.
An important question: Do you offer a centralized dashboard? What level of reporting detail does it deliver?
Mistake No. 4: Turning to a service provider that lacks best-in-class technology
Technology serves as the foundation for any cybersecurity framework. Yet, tools and systems that were state of the art a couple of years ago are already outdated—even obsolete. This leads to enormous risk exposure because an organization’s business technology footprint extends to millions, and sometimes even billions, of events. Without proper controls, data can leak out and cost your organization both financially and reputationally.
MSSPs must react to today’s fast-changing business landscape with targeted precision. Work with a trusted provider that is committed to advanced digital technology and training for their team. Your MSSP should be able to explain their overall methodology as well as the specific tools and technology they employ so that you can fully understand the services they are promising to deliver.
An important question: How and why is your framework, including technology, effective? What proof points can you offer?
Mistake No. 5: Accepting subpar service and support
Business relationships aren’t defined by great sales pitches but by how a provider responds when questions come up or things go astray. The complexities of today’s cybersecurity environment guarantee that questions, issues, and new risks will arise on a regular basis, and the last thing a business needs is finger-pointing and attempts to deflect the problem.
An ideal MSSP is a trusted advisor who has your best interests in mind. The mutual goal should be to focus on maximizing protection while keeping costs and administrative overhead under control. As a result, top providers conduct ongoing analyses to improve performance and lower risk levels. When there’s a problem, a good MSSP will take responsibility and work with you to fix it.
What can a good MSSP do for your organization?
A good MSSP can solve problems that have been lingering in your organization and may also identify and resolve issues that you didn’t even know you had. Beyond that, a solid MSSP can:
- Help create a proactive culture by developing your staff
- Coach and mentor your in-house team
- Bring in specialists to help take your business to the next level
An important question: What is your commitment to support and what mechanisms do you have in place to back it up?
Mistake No. 6: Doing business with a vendor that lacks a road map and future vision
It’s time-consuming and expensive to switch vendors, strategies, technologies, and processes. No business wants to find itself faced with a service provider that lacks a clear vision and isn’t committed to keeping technology and processes up to date. In a managed security services environment, anything less than a mature, well-designed framework poses risks.
A best-in-class cybersecurity platform and service model weaves reporting, workflows, audits, and automation into one agile and flexible model. It should combine knowledge, metrics, experience, and flexibility into a central security strategy, and also deliver the data-driven insights you need for process improvement. There’s a pathway to progress now as well as a road map to the future.
An important question: What is your experience in this industry—and what skills do your teams have?
This article was written by RSM US LLP and originally appeared on 2023-10-11.
2022 RSM US LLP. All rights reserved.