When it comes to securing an enterprise workforce, almost nothing is certain. Just when the pandemic appeared poised to settle down, the Delta variant has forced businesses to do an about-face and pause plans to reopen offices for in-person business. For many companies, it’s more of the same. If the organization didn’t rapidly deploy a remote work policy and roll out a way to mitigate the security risks associated with a hybrid workforce, it has likely faced some adversity over the last year.
As a result, more companies are looking to managed service providers (MSPs) to help them master their blind spots. It makes sense. MSPs can help lower a business’s overhead so it doesn’t need to spend a fortune on an ace crew of cybersecurity experts. They can also deliver greater scalability.
With many organizations seeking a managed security service, companies find that they don’t know how to effectively “shop” for one. Here are six steps an organization should consider for selecting an MSP:
- Know the organization’s needs.
What does the organization need to better understand? If the company plans to hire an MSP, it’s important to know ahead of time what it wants to get out of the relationship. Does the company want to augment its existing security team coverage or solve a specific security challenge? Don’t get distracted by the latest and greatest vendors offering noisy bells and whistles; identify security gaps and consider what security solutions are must-haves in today’s advanced threat environment. Think about how the company wants to delegate the relationship with the MSP. In most scenarios, look to strike the right balance. Determine the responsibilities the company wants to off-load and move from there.
- Account for service competencies.
Narrow down contenders by reviewing their competencies. First, focus on services that address existing security gaps; only then should the company select the best provider to deliver them – not the other way around. The organization will want to ensure that any MSP can align its core competencies with the company’s business needs. It makes sense to seek superior expertise in the areas where the company needs it. Once the team starts looking, it may find that one managed security service just might “check all the boxes” on the company’s security gaps list.
- Research service packages and options.
The “one-size-fits-all” managed security option may not be appropriate for the company’s size or may overdeliver on the services it needs. While an MSP that takes this approach to IT services can deliver and help the company outsource everything from infrastructure to software, it’s important for the company to not only know its limits, but also where it excels. Identify security services that offer a range of package options to suit specific requirements. There’s a reason MSPs offer different service tiers; a plan that works for one organization may not for another.
- Take reporting methods into account.
How does each managed security service demonstrate improved security postures over time? Can the company use metrics to convey its importance to senior management – to help educate the C-suite as well as justify the spend? While it’s important to have key performance indicators (KPIs), it’s also important to have a way to measure these data points. If reports are automated, make sure there’s a way to gain insight from the information. It’s a two-way street. For MSPs, generating a client report can foster transparency and trust and help demonstrate their value to the client, too.
- Ask for references.
As with any big shopping decision, trusted referrals are important. Top executives wouldn’t buy a new car or a boat without doing a little research beforehand. Whether the service was recommended or not, ask for a list of references from each service. Make sure those references include companies of around the same size, with similar security priorities and, ideally, in the same market sector. Those references should provide the team with insight into their overall experience with the MSP without getting too bogged down in the details.
- Don’t skimp.
How much is the company’s data worth? If it’s intellectual property or a trade secret that’s central to the business, it’s often impossible to put a dollar figure on it. When selecting an MSP, don’t forget it’s a decision on how best to protect the company’s most valuable corporate assets, so remember the saying, “you get what you pay for.” Know that companies want the MSP to help mitigate risk. If the company chooses the low bidder without fully vetting the MSP and the MSP fails to deliver, chances are the business will live to regret it.
Adam Burns, manager of cybersecurity analysts, Digital Guardian