Questions to Ask When Choosing a Managed Security Provider – Wimgo

Selecting the right managed security services provider (MSSP) is a critical decision for any organization. You are trusting an outside vendor with visibility into, and often privileged access to, your most sensitive data and systems.

Choosing the wrong MSSP can leave your organization vulnerable to cyber threats and data breaches. But finding the right partner can provide tremendous value by strengthening your security posture without straining limited internal resources.

Services and Expertise

1. What security services do you offer?

Make sure the MSSP can provide the services you require today and may need in the future. Common managed security services include:

– Security operations center (SOC) monitoring and response

– Threat detection and analytics 

– Vulnerability scanning and penetration testing

– Compliance audits and reporting

– Security device management (firewalls, endpoints)

– Incident response and forensics

– Awareness training and phishing simulations

– Policy and control guidance 

Ideally, you want an MSSP that offers a comprehensive portfolio of security services covering prevention, detection, and response. 

2. Does your expertise cover our industry?

An MSSP that specializes in your specific industry vertical will understand relevant threats, regulations, and best practices. For example, healthcare providers have different security and compliance needs than financial services firms.

Ask for case studies, sample reports, and credentials that are applicable to your industry. If the MSSP has little relevant experience, they may struggle to tailor their services and security controls appropriately.

3. How do you stay on top of the evolving threat landscape?

Cyber threats are constantly evolving, so you need an MSSP with processes to continually monitor the threat landscape and update detection and response capabilities. Ask how they track new attacks, adversary tactics, malware variants, vulnerability exploits, and other trends. 

Also understand their research capabilities. Do they have an in-house threat intelligence team? What threat intelligence feeds and sources do they leverage? How is new threat intelligence operationalized into their services?

4. Can we interview members of our service team?

Ask to meet (even if virtually) the key staff members who would be assigned to support your account. Evaluate their technical expertise, experience, qualifications, and communication skills.

Make sure the service team has adequate staffing and resources to meet your needs. Confirm they will provide dedicated points of contact for escalations and ongoing management of your relationship.

Detection and Response

5. How do you detect threats across on-prem and cloud environments? 

Today’s cyber threats are often multi-stage, multi-vector attacks that traverse on-premises and cloud environments. Ask how the MSSP correlates telemetry and detects threats across these heterogeneous environments. 

Make sure they can ingest logs and data from on-prem systems like firewalls and endpoints as well as cloud platforms like Microsoft 365 and AWS. Visibility gaps will blind them to key threats, so ask how they detect when a log source stops reporting, not just whether it was connected at onboarding.
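Visibility gaps are easiest to find by comparing your asset inventory with what the SOC actually receives. The following is an added example (not code from the original article or from any MSSP's tooling) of such a coverage check: an inventory, a "last event seen" table as a SIEM source-health view would hold it, and per-source-type silence thresholds are all constructed sample data, and the thresholds are assumed values to tune for your environment. It flags assets that have never reported (a cloud integration that was never wired up) separately from sources that have gone silent (a broken forwarder).

```python
"""Telemetry coverage check for an MSSP onboarding or PoC.

Compares an asset inventory against the last event the SOC received from
each source, flagging assets that have never reported and sources that have
gone silent longer than their expected reporting interval.
All inventory entries, timestamps and thresholds below are constructed
sample data, not output from any real SIEM.
"""
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: asset name -> source type.
INVENTORY = {
    "fw-edge-01": "firewall",
    "dc-01": "windows_server",
    "web-prod-03": "linux_server",
    "laptop-alice": "endpoint",
    "m365-tenant": "saas",
    "aws-prod-account": "cloud",
}

# Fixed reference time so the example is reproducible.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed "last event seen" table, as a SIEM source-health view would hold.
LAST_EVENT = {
    "fw-edge-01": NOW - timedelta(minutes=3),
    "dc-01": NOW - timedelta(hours=30),      # forwarder likely broken
    "web-prod-03": NOW - timedelta(minutes=10),
    "laptop-alice": NOW - timedelta(minutes=1),
    "aws-prod-account": NOW - timedelta(minutes=20),
    # "m365-tenant" is absent: the cloud log integration was never wired up
}

# Longest acceptable silence per source type; assumed values, tune per environment.
MAX_SILENCE = {
    "firewall": timedelta(minutes=15),
    "windows_server": timedelta(hours=1),
    "linux_server": timedelta(hours=1),
    "endpoint": timedelta(hours=24),  # laptops legitimately go offline
    "saas": timedelta(hours=2),
    "cloud": timedelta(hours=1),
}


def coverage_report(inventory, last_event, max_silence, now):
    """Classify every inventoried asset as missing, stale or covered.

    Returns (missing, stale, covered) where missing and covered are sorted
    asset names and stale is a list of (asset, silence_duration) pairs.
    """
    missing, stale, covered = [], [], []
    for asset, kind in sorted(inventory.items()):
        seen = last_event.get(asset)
        if seen is None:
            missing.append(asset)
        elif now - seen > max_silence[kind]:
            stale.append((asset, now - seen))
        else:
            covered.append(asset)
    return missing, stale, covered


def coverage_ratio(inventory, last_event, max_silence, now):
    """Fraction of inventoried assets currently delivering telemetry."""
    _, _, covered = coverage_report(inventory, last_event, max_silence, now)
    return len(covered) / len(inventory) if inventory else 0.0


if __name__ == "__main__":
    missing, stale, covered = coverage_report(INVENTORY, LAST_EVENT, MAX_SILENCE, NOW)
    print(f"covered : {covered}")
    print(f"missing : {missing}")
    for asset, silence in stale:
        print(f"stale   : {asset} (no events for {silence})")
    print(f"coverage: {coverage_ratio(INVENTORY, LAST_EVENT, MAX_SILENCE, NOW):.0%}")
```

Run it against the MSSP's own source-health export during a proof of concept, and ask for the same numbers in their monthly reporting; a provider that cannot tell you which of your assets went quiet last week is not in a position to detect an attacker who silenced them.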

6. What threat intelligence feeds do you leverage?

Threat intelligence includes information about known indicators of compromise (IOCs), adversary infrastructure/tactics, newly discovered vulnerabilities, and more.

Ask how the MSSP consumes and leverages threat intelligence from both commercial and open-source feeds. This data should drive and enhance their detection and response capabilities.

7. How do you validate and investigate security alerts?

The MSSP’s SOC should have mature processes for triaging, validating, escalating, and investigating security alerts. Ask questions like:

– How do you minimize false positives and noise? 

– What is your playbook for investigating threats?

– When do you engage the client during an incident, and which containment actions can you take without prior approval?

– How do you contain threats and stop lateral movement?

8. What incident response (IR) services do you offer?

Beyond initial alert validation and containment, you may require more extensive forensic investigation, remediation, and recovery after a major security incident. Many MSSPs offer add-on IR retainer services for this purpose.

Ask about the MSSP’s IR capabilities including forensic data collection, root cause analysis, threat eradication, recovery/restore of systems, and post-incident reporting.

9. Can you demonstrate threat detection and response?

Don’t just take the MSSP’s word when it comes to threat detection and response. Ask for a demonstration or example reports that exhibit their SOC’s capabilities. The more interactive, the better.

Can they walk you through a sample alert investigation? Show you dashboards and visibility into your environment? Demonstrate threat hunting exercises or recent incidents they’ve handled for clients? These demos build essential confidence.

Infrastructure and Technology

10. Do you have a 24/7 SOC with certified security analysts? 

A critical component of managed security services is the SOC (security operations center) that actively monitors your environment and responds to incidents. Verify that the MSSP has a 24/7 SOC with trained, experienced security analysts. 

Ask about analyst certification and training requirements. Relevant credentials include GIAC certifications, CISSP, and similar (CISA is an audit credential and says less about hands-on analyst skill); more telling than the acronyms is whether analysts have real investigation experience. Ask whether monitoring is performed by the MSSP's own staff or subcontracted to a third party, and if subcontracted, how that party is vetted and what customer data it can see.

11. What technology do you use to deliver services?

The MSSP should utilize leading technologies and security platforms tailored to detect threats and enable rapid response. Ask questions like:

– What SIEM, log analysis, and endpoint detection tools power your SOC?

– How do you ingest and correlate data across cloud and on-prem environments?  

– What technologies do you use for threat hunting, incident investigation, and forensics?

– How do you minimize business impact of containment during response?

Evaluate whether their tech stack aligns to your environment and use cases. Beware excessive reliance on manual processes. Also ask what access the MSSP's tooling needs into your environment (agents, log forwarders, administrative credentials used for containment) and how that access is scoped, logged, and revoked at offboarding; a compromised MSSP is a supply-chain path into every client it monitors.

12. How do you ensure high availability and redundancy?

Ask how the MSSP architected their systems and infrastructure to maximize uptime and availability. Look for:

– Redundant SOC facilities in different geographic regions 

– Load-balanced, high-availability design for critical systems

– Proven disaster recovery and business continuity plans

– Redundant internet pipes, power, cooling in SOC facilities

They should be able to demonstrate an excellent track record of service availability. Downtime could cripple their ability to detect and respond to threats targeting your organization.

Compliance and Certifications   

13. Can you support our compliance needs?

MSSPs are often relied upon to help customers comply with regulations and audit requirements. Discuss your specific compliance obligations and confirm the MSSP can provide necessary services like:  

– Audit preparation and support 

– Compliance report generation and submission

– Security control implementation and testing

– Policy review and guidance

– Training to build compliance knowledge

Relevant domains include HIPAA, PCI DSS, SOX, FISMA, GDPR, and state data security regulations.

14. What security certifications do you hold? 

Ask what information security standards and frameworks the MSSP has been independently certified or audited against, and ask to see the certificate or report rather than a logo on a web page. Common ones held by leading MSSPs include:

– ISO 27001 – Certification of an information security management system; check that the certificate's scope covers the SOC and the services you are buying

– SOC 2 (under SSAE 18) – An attestation report, not a certification; ask for the Type II report, which covers operating effectiveness over a period, and read the noted exceptions

– HITRUST CSF – Common in healthcare and adjacent sectors

– PCI DSS – Relevant if the MSSP will handle, or could affect, cardholder data environments; ask for the attestation of compliance

– FedRAMP – Authorization required to serve US federal agencies from the cloud

A SOC 2 report speaks to the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy, but only for the criteria the MSSP chose to include; confirm the scope and audit period match the services you will rely on.

15. Can we tour your SOC and headquarters?

If possible, request an on-site tour of the MSSP’s primary SOC, office locations, data centers, and other relevant facilities. This offers valuable insight into their operations, technologies, expertise, and security culture.

Look for modern SOC tools, motivated employees, clean/secure workspaces, and strict physical access controls. If an on-site tour isn’t feasible, ask for photos and virtual tour access.

Pricing and Contracts

16. How do you charge for services?  

MSSPs use a variety of pricing models, including:

– Per asset – Endpoint, server, or user

– Activity volume – Alerts, events, data ingest

– Bundled tiers – Good, better, best packages  

– A la carte – Pay per specific service used

– Flat monthly/annual fee  

Understand their pricing structure and where models could lead to unpredictable or excessive costs for your organization.

17. How are contracts structured?

Carefully review MSSP contract terms related to:

– Length – Monthly, 1-3 years typical

– Lock-in – Avoid overcommitting if uncertain  

– Termination – Reasonable notification periods

– Price change – Are increases capped?

– Scope creep – Change orders for new services

– SLAs – Covered services and uptime guarantees

– Data protection – Who owns the monitoring data, how long is it retained, and is it returned or deleted at termination?

– Liability – Limitations favorable to vendor?

Engage legal counsel to negotiate final contracts. Don’t simply accept vendor terms and conditions.

References and Reputation 

18. Can you provide client references?

Ask for several client references that are similar to your organization in size, industry, and use of MSSP services. When contacting references, key questions to ask include:

– How long have you used this MSSP?

– What’s the true value they provide vs. cost?  

– How responsive are they to issues and requests?

– How knowledgeable and professional is the service team?

– How do they help meet your compliance obligations?

– What do you like most/least about the MSSP?

– Why did you choose this provider over alternatives?

19. Can we read case studies about clients? 

Reputable MSSPs should be able to showcase success stories about how they’ve helped protect clients against cyber threats. Look for detailed case studies and testimonials versus vague, high-level customer lists.

Ask for examples most pertinent to your industry and use cases. Published case studies indicate they’ve earned clients’ consent to share details of the engagements. 

20. Is your company financially stable?  

You don’t want to be left in the lurch if your MSSP goes out of business. Before signing a long-term agreement, validate vendors are on solid financial footing by asking questions like:

– How long have you been in business? 

– Are you currently profitable and cash flow positive? 

– Do you have sufficient capital to invest in growth?

– Can you provide a letter from your CFO attesting to stability?

– Who are your major investors?

– Are you privately held or PE/VC backed?  

Review recent financial statements if the MSSP will allow it.

Transition and Ongoing Support

21. How do you onboard new clients?

Understand the MSSP's onboarding process for setting up your environment and bringing managed services live. A poorly executed cutover could leave you unmonitored at the start.

Key aspects to discuss:

– Data integration plan – How/when is telemetry integrated?

– Hard cutover vs. parallel run?

– Initial vulnerability scan, policy review

– Onboarding documentation provided

– Dedicated technical resources

– Status meetings and timelines

– Acceptance criteria to exit onboarding

22. What support do you provide?  

Even with an MSSP, you still need support for inquiries about services, administration, billing, and technical issues. Find out: 

– Is phone, email, chat support available 24/7 or business hours only?   

– Are support tiers structured appropriately from L1 to engineers?

– What are first call resolution rates and response SLAs?

– Is there an online customer portal for self-service?

– How easy is it to engage an account manager when needed?
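Response SLAs (question 17) and support response times are only worth what you can verify. The following is an added example (not code from the original article or from any MSSP) of measuring SLA attainment from a ticket export: it computes time-to-acknowledge and time-to-contain per severity against contractual targets, and treats a still-open ticket that has already outlived its containment target as a breach rather than silently leaving it out. The tickets, timestamps, and SLA targets are constructed sample data.

```python
"""SLA attainment check over SOC ticket records.

Computes time-to-acknowledge and time-to-contain per severity and compares
them with contractual targets, counting still-open tickets that have already
outlived their containment target as breaches. The tickets, timestamps and
SLA targets are constructed sample data, not from any real MSSP.
"""
from datetime import datetime, timezone

# Constructed SLA targets in minutes per severity.
SLA_MINUTES = {
    "critical": {"ack": 15, "contain": 60},
    "high": {"ack": 30, "contain": 240},
    "medium": {"ack": 240, "contain": 1440},
}

# Constructed ticket export; None marks a step that has not happened yet.
TICKETS = [
    {"id": "INC-1001", "severity": "critical", "detected": "2024-05-01T10:00:00+00:00",
     "acknowledged": "2024-05-01T10:05:00+00:00", "contained": "2024-05-01T10:40:00+00:00"},
    {"id": "INC-1002", "severity": "critical", "detected": "2024-05-01T11:00:00+00:00",
     "acknowledged": "2024-05-01T11:25:00+00:00", "contained": "2024-05-01T12:30:00+00:00"},
    {"id": "INC-1003", "severity": "high", "detected": "2024-05-01T09:00:00+00:00",
     "acknowledged": "2024-05-01T09:20:00+00:00", "contained": "2024-05-01T11:00:00+00:00"},
    {"id": "INC-1004", "severity": "high", "detected": "2024-05-01T13:00:00+00:00",
     "acknowledged": "2024-05-01T13:10:00+00:00", "contained": None},  # still open
    {"id": "INC-1005", "severity": "medium", "detected": "2024-05-01T08:00:00+00:00",
     "acknowledged": "2024-05-01T08:30:00+00:00", "contained": "2024-05-01T09:00:00+00:00"},
]

# Fixed evaluation time so open tickets are judged reproducibly.
AS_OF = datetime(2024, 5, 1, 18, 0, tzinfo=timezone.utc)


def _parse(ts):
    return datetime.fromisoformat(ts) if ts else None


def _minutes(start, end):
    return (end - start).total_seconds() / 60


def _judge(detected, done, target, as_of):
    """Return 'met', 'breached' or 'pending' for one SLA step."""
    if done is not None:
        return "met" if _minutes(detected, done) <= target else "breached"
    # Open step: it is a breach once the clock has run past the target.
    return "breached" if _minutes(detected, as_of) > target else "pending"


def sla_attainment(tickets, sla, as_of):
    """Per-severity met/breached/pending counts for the ack and contain
    steps, plus the worst observed acknowledgement time in minutes."""
    report = {}
    for t in tickets:
        sev = t["severity"]
        r = report.setdefault(sev, {
            "total": 0,
            "ack": {"met": 0, "breached": 0, "pending": 0},
            "contain": {"met": 0, "breached": 0, "pending": 0},
            "worst_ack_minutes": 0.0,
        })
        r["total"] += 1
        detected = _parse(t["detected"])
        ack = _parse(t["acknowledged"])
        contained = _parse(t["contained"])
        r["ack"][_judge(detected, ack, sla[sev]["ack"], as_of)] += 1
        r["contain"][_judge(detected, contained, sla[sev]["contain"], as_of)] += 1
        if ack is not None:
            r["worst_ack_minutes"] = max(r["worst_ack_minutes"], _minutes(detected, ack))
    return report


def attainment_pct(report, severity, step):
    """Percentage of decided (met or breached) tickets that met the target."""
    counts = report[severity][step]
    decided = counts["met"] + counts["breached"]
    return 100.0 * counts["met"] / decided if decided else 100.0


if __name__ == "__main__":
    rep = sla_attainment(TICKETS, SLA_MINUTES, AS_OF)
    for sev in rep:
        print(f"{sev:8s} ack {attainment_pct(rep, sev, 'ack'):5.1f}%  "
              f"contain {attainment_pct(rep, sev, 'contain'):5.1f}%  "
              f"worst ack {rep[sev]['worst_ack_minutes']:.0f} min")
```

Ask the MSSP to export the raw timestamps rather than a summary percentage, and confirm what "detected" means in their data: the clock should start when the event was generated, not when an analyst opened the ticket.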

23. How do you ensure ongoing success?

The ideal MSSP will be a trusted advisor that continually optimizes security programs to align with evolving threats, technologies, and business needs. Explore options like:

– Quarterly service reviews 

– Monthly or quarterly reporting with roadmap recommendations

– Technology optimization assessments

– Proactive policy change recommendations

– Security awareness program review and updates

– Remediation of lingering vulnerabilities

– Regular penetration testing

This level of partnership exceeds basic monitoring and response.

Final Choice Considerations

– Narrow down providers to 2-3 finalists for in-depth evaluation

– Issue and evaluate RFPs, conduct PoCs if needed

– Validate capabilities, experience, and cultural fit through demos and interviews 

– Carefully weigh benefits versus costs and effort to switch

– Get buy-in from leadership and internal stakeholders

– Negotiate contract with legal guidance before signing

Conclusion

Choosing the right managed security services provider is an essential decision for protecting your organization against an increasingly dangerous threat landscape. Taking the time to thoroughly evaluate top contenders using these questions will help you select the ideal long-term partner to keep your data, systems, and operations secure.

With rigorous due diligence up front, you can confidently outsource security monitoring and response to an expert MSSP that becomes an invaluable extension of your team. Their 24/7 vigilance frees up scarce internal resources while providing access to enterprise-grade cybersecurity talent and technology your organization needs.

Just remember that not all MSSPs are created equal. Do your homework, scrutinize their capabilities, and validate references to avoid choosing an underperforming provider that damages rather than enhances your security posture. The checklist provided here helps ensure nothing falls through the cracks while vetting top candidates.