Managed Security Service Provider (MSSP)

One of the most important IT security capabilities to consider procuring for your company is the services of an MSSP, better known as a Managed Security Services Provider.

A managed security service provider (MSSP) is an IT service provider that delivers multiple security services, such as virus and spam blocking, intrusion detection, continuous monitoring, firewalls and response. An MSSP manages security for an organization for either a monthly service fee or a fee based on the number of employees serviced.

The unique value in using an MSSP is that the provider takes the burden off you, the small business, of managing security system changes and new configurations and of keeping up with the latest security threats. Some MSSPs offer services for regulated industries such as health care and finance, and some also provide GDPR compliance.

Finding and selecting an MSSP is critical to ensure your company’s IT assets are continuously monitored for threats, vulnerabilities or malware, and that once an asset is compromised, you are notified and the provider has the ability to remedy the problem. We call these MSSPs “MD&R ready”, for Managed Detection and Response. These MSSPs have the resources to detect and respond quickly to ensure your business is not compromised by the latest malware or other menacing threats.

As an NCSS member, you have access to our vetted MSSP/MD&R providers, which are affordable and easy to use. But before you choose, follow these five easy steps to select a provider:

Step 1: Select a Framework

The first step in defining your needs is to select either a mandatory or a voluntary compliance framework. Hopefully, by now you have some idea which framework to use; if not, see our guide titled “IT Security Frameworks” under the Small Business/FACT Sheets tab on our website.

Some industry-specific compliance regimes are:

  1. HIPAA
  2. NIST 800-171
  3. SOC 2
  4. GDPR
  5. PCI DSS

Voluntary Frameworks to consider:

  1. NIST Cybersecurity Framework*
  2. ISACA Risk IT Framework
  3. ISO 27001
  4. COBIT
  5. NIST Risk Management Framework
  6. Carnegie Mellon CERT Resilience Management Model

*In all likelihood, if your company picks the NIST Cybersecurity Framework, together with PCI DSS compliance (if you take credit cards), you should be fine. If you are uncertain, just drop us an email and we’d be happy to guide you.

Step 2: Select your Capabilities

We have developed this matrix of capabilities to help you select the features you might need from an MSSP. Mark each feature as a must-have, a nice-to-have, or an added plus (which you might instead source from an alternative vendor). If you have any difficulty in understanding what these capabilities might include, see our fact sheets under the Small Business/FACTS tab, or our weekly cyber tips. If you still need help, drop us a quick email.

| Features                                          | Must Have | Nice to Have | Added Plus (or use an alternative vendor) |
|---------------------------------------------------|-----------|--------------|-------------------------------------------|
| 24/7/365 Security Operations Center               |           |              |                                           |
| Continuous Monitoring of your critical assets     |           |              |                                           |
| Incident Response                                 |           |              |                                           |
| Remediation/Recovery                              |           |              |                                           |
| IT Asset Inventory                                |           |              |                                           |
| Change Detection                                  |           |              |                                           |
| Compliance Monitoring                             |           |              |                                           |
| Compliance Reporting                              |           |              |                                           |
| Vulnerability Assessments                         |           |              |                                           |
| Vulnerability Remediation                         |           |              |                                           |
| Incident Detection/Reporting                      |           |              |                                           |
| Virus Prevention                                  |           |              |                                           |
| Spam Blocking                                     |           |              |                                           |
| VPN                                               |           |              |                                           |
| Network Intrusion Detection System (IDS), Host IDS|           |              |                                           |
| Breach Notification/Reporting                     |           |              |                                           |
| Back-ups/Restoration Services                     |           |              |                                           |
| Training                                          |           |              |                                           |

Step 3: Identify a Company Lead and Budget

The next step is to identify who in your company will be the interface with the MSSP. This staff member will ultimately be your project manager, the key interface to select, acquire and transition to an MSSP. Concurrently, your organization should identify the resources to pay for the MSSP. There may be an initial onboarding cost, followed by a monthly fee structured according to how the MSSP does its pricing. Costs range from $3,000 to $10,000 per year, depending on the number of devices or users.

Step 4: Initial Assessment

Once you’ve selected an MSSP, the provider will complete an initial assessment to establish a baseline. This assessment will identify all assets connected to your infrastructure and any vulnerabilities or weaknesses, such as gaps in controls, out-of-date software, open ports, or lack of documentation. The provider should give you a project plan covering the critical or high deficiencies identified during the assessment. Your MSSP account representative should also help you to understand the deficiencies, prioritize the remediation and estimate time and costs. Resolving these issues may take 3-6 months and may require changes to your network, training of staff, or retooling of specific business processes. This remediation work may or may not be included in your service plan; if you are unsure, ask the vendor about this process.

Step 5: Operations and Sustainment

Once you are up and running, expect to receive monthly reports. If you don’t understand something, ask. Your company should have an account manager, someone who is there to help your company stay safe and improve operations. Other sustainment activities your company should expect from your provider are:

  • Regular account meetings,
  • Help desk or ticket management,
  • User portal to access reports and dashboards,
  • Advice on expanded services, such as backups, phishing training, and/or VPN.

NOTE: We do not derive any benefit from recommending these MSSP vendors. The listing is provided as a service to our members, to assist you in navigating a complex IT security market. These vendors have agreed to be part of the NCSS community and focus specifically on small business.

If for some reason you are not satisfied with their service, please contact us and we will be happy to try to either resolve the issue or find another service.