In Chapter 18, I discussed the considerations SMBs and their security managers should consider when they select a managed service provider (MSP) or a managed security services provider (MSSP) for external technology and security services. However, there is also another view to consider, and that is the view of the MSP itself. It is this perspective that I find interesting because each potential SMB client is unique, with technology, processes, compliance, and data requirements that can range from easy-to-manage to extensive and complex. This chapter will be a discussion between myself and an MSP about various SMB risks and how they might manage them. I want this chapter to provide SMBs and their security managers with a window into how they may be evaluated for critical services when working with potential MSP partners. I am providing this resource to you, security manager, not only to help you understand how your company is evaluated, but to help you in your professional growth as a security executive. It is good to have multiple viewpoints on business risk. With this information you can help your company negotiate a compromise when there are issues with an MSP vendor, and as the senior security leader you will be dealing with issues.
As we begin, I want to state I am not currently nor have I ever managed an MSP; however, in my previous roles I have worked with and advised many of them. It’s that experience, plus my 20 years in technology and security, evaluating the risk exposure of my organization and their strategic business operations, that provide the insight for this chapter. Please note as we begin the issues that follow are not all-inclusive. They are just issues I have seen MSPs review when selecting new clients based on the client’s current technologies, the industries they compete in, and finally, their ongoing business practices. For each issue, I shall discuss what concerns me, and hopefully that dialogue can assist actual MSPs in making better-informed decisions, and SMBs in maturing their business practices.
Some potential risks I believe an MSP would screen for are as follows…