• Leverage MSSPs where it makes sense, but do your due diligence

    26 Aug 2025

    It seems that more and more businesses are leveraging managed security service providers (MSSPs) to help with ongoing security improvements. I think this is a positive sign that both IT professionals and business leaders are realizing that they can’t do it all in terms of security. There’s no shame in that game if outsourcing managed security services is done for the right reasons. No doubt, some businesses wish to engage with an MSSPs for risk deference, i.e. so they can bring these vendors into the downstream liability discussion when incidents and breaches occur. Or, worse, just to check a box that those aspects of security are being handled. Whatever the case, if you choose to bring a MSSP into the discussion and integrate their services with your security program, there’s a lot to be gained. You just must make sure that you’re asking the right questions and fully understand what you’re getting into.

    Talk is cheap, especially when security vendor marketers and salespeople are clamoring for attention. Don’t go into this blindly. Simply engaging with an organization that promises this or that security service will not automatically translate into the visibility, oversight, and ultimate control that you might be seeking/needing. There are a lot of MSSPs out there. Many of them started as more generalists in networking that subsequently added on security services such as managed firewalls, SIEM, and patching. Other MSSPs were security specialists from the get-go and they tend to be super sharp on the side of endpoint oversight as well as incident analysis and response. There’s no wrong choice, but you must do your homework in advance.

    Going beyond specific service offerings, here are some questions you need to ask prospective MSSPs:

    • How do you do things differently?
    • Do you partner will outside security consultants who can provide further expertise and insight as needed, perhaps even through independent vulnerability and penetration testing.
    • What tools you use? Why did you choose them? Are they the best option for the tasks at hand?
    • How do I know that your staff are product experts and security experts and will know what to do and what to look for? What presentations have they given? What articles and books have they written?
    • How will you go about integrating your security solutions with our environment? Do we need to perform a security assessment first (surprisingly many organizations haven’t!)? Is that something that you can do for us? If the latter, will it be more of a generic network assessment, or will it actually look at our security vulnerabilities and risks so we can better understand where our weak spots are?
    • What reference accounts do you have in our industry? Can you provide specific references or testimonials? And, call (don’t email) these references to get their take to see what they might be willing to share that you’d never know about otherwise.
    • How will you measure our security and your results over time?
    • Will we have a dedicated contact person? Can we contact this person (or someone else in your SOC or on your engineering team) if we are the first ones to suspect a security event?

    I love it when organizations outsource the parts of their security program that they’re not prepared to take on. There’s an MSSP vendor out there that’s likely able and willing to make this happen for you. You may already have your mind made up in terms of going in that direction. Or, perhaps you need to get a better feel for how such a vendor could help you out and what it’s going to cost. The important thing is to do something.

    Security events are quite likely happening right under your nose and you’ll never know about them unless and until you discover them. Or worse, someone else discovers them for you. System logging/monitoring/alerting and endpoint management are such critical elements for minimizing business risks. Combined with ancillary oversight and maintenance services, these MSSP solutions can help you bring your security initiatives full circle. Just know that talk is cheap. Just because you get a good feeling from your MSSP’s website, sales rep, or systems engineer, that doesn’t mean you should blindly hand over your day-to-day security to them.

    One final caveat: you must get started now. The bad guys are already hard at work.

Resources

Client Testimonials

“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability /penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.

His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”

(IT managed services firm)
Read More

 

I’ve written/co-written 12 books on information security including:

 

Tags

AI appsec basics books Career Networking careers censorship cervical instability CIO CISSP cities coronavirus covid-19 cybersecurity data breaches eagle syndrome hacking Hacking For Dummies health helmet communications incident response information risk keynote speaker leadership NCAA football networking outsourcing passwords policy enforcement Power Four rare diseases resilience Russian hacking security security leadership security speaker social engineering speaking engagements sql injection tethered spinal cord time management underimplemented vulnerability and penetration testing web security zero-based thinking

© Copyright 2001-present, Principle Logic, LLC - All Rights Reserved.