Drive has 700+ articles for digital transformation leaders written by StarCIO Digital Trailblazer, Isaac Sacolick. Learn more.

Some context: I rarely blog about information security because it’s outside my core expertise in digital transformation. It’s hard to drive transformation and also have a risk and security mindset, and it’s extraordinarily time-consuming to keep up with the latest security threats.

Selecting an MSSP for SMBs and SMEs

That said, I have written several articles for InfoWorld on DevOps and security, including six security risks in software development and how to address them, and how to bring security into agile development and CI/CD. I have also spoken about technologies for MFA, immutable backups, and data security.

So, I research, learn, and write about security, but I am not a security expert. I review security from a transformational perspective because incidents can have significant business impacts. Mostly, I ask questions when reviewing security threats, technologies, and best practices.

SMBs can’t DIY security and need a partner

As a full-time CIO, one of my first steps was to seek outside help to evaluate our risks and select security partners. My approach was to have an outside virtual CISO, at least one security services partner, and one direct report responsible for operations and security.

Security is not a core practice at StarCIO, the digital transformation leadership company I founded, but we’re almost always tripping up on security gaps and evaluating practices and technologies to improve our clients’ security postures. We’ve seen emails and passwords stored in openly accessible network drives, cloud environments that the DevOps team didn’t lock down properly, exposed PII, backups that didn’t have sufficient retention settings, and many other issues.

Finding a managed security service provider should be a top objective among every SMB’s priorities.

There are just too many security risks and priorities for SMBs to manage independently, even when there is some in-house security expertise.

Jim Broome, president and CTO of DirectDefense, agrees. “If there is one takeaway for SMBs in 2023, it should be that investing in an MSSP assures greater security while lessening the drag on resources to staff an internal SOC effectively,” he says.

Should an SMB partner with an MSSP, SIEM, SOAR, MDR, XDR, or EDR

One of the first challenges SMBs face is getting security help deciphering all the jargon, acronyms, and codewords tied to security practices and technologies. An MSSP, a Managed Security Services Provider, is a third party offering one or more security assessment, protection, and remediation services. And a SOC is a Security Operations Center, often a 24×7 group that reviews security alerts and incidents and manages their remediations.

I suspect many readers of this blog probably know what an MSSP and SOC are, but there’s a good chance your business colleagues don’t. Now IMHO (in my humble opinion), finding an MSSP is the number one priority for SMBs, but there’s a slew of jargon that business and technical leaders will run into when searching and evaluating partners. Do you need an MSSP, an EDR, an MDR, an XDR, or a combination of these services? What are SOAR and SIEM, and are these part of or separate security solutions?

“The fancy word that MSSPs use nowadays is MDR or XDR,” says Faisal Bhutto, SVP of cloud and cybersecurity at Calian.

Dig deeper into these acronyms, and you’ll uncover even more terminology and methodology. It’s frustrating.

Bhutto explains that some security services and service providers may only cover part of the vulnerabilities. “It makes you feel like you have everything you need to be covered, but in reality, all [MDR and XDR] do is look at infrastructure and endpoints, which accounts for 50-55% of the attacks we see,” he says. “A fully established MSSP will have network, endpoint, identity, scanning, firewall, infrastructure, and software protection.”

The simple translation is that many things can go wrong in security, and you can’t just lock the doors to keep intruders out. You have to consider the whole house and where there are security vulnerabilities.

So the top security priority for every SMB is to find an MSSP that provides the security services required for the business operation.

Why most SMBs need a virtual CISO

And how should an SMB assess what’s required? Most SMBs should have a contract virtual CISO and undergo a security assessment to help answer these questions. The risks and operational environment should dictate the type of MSSP and what services are needed at what priority.

I may have to cover my thoughts on virtual CISOs in another article. Let’s just say some are really good at learning, explaining, advising, prioritizing, and executing. Others love standing on the soapbox and declaring a long list of security priorities and things you’re doing wrong. If they can’t explain the MSSP jargon, then that’s a problem.

Here’s how CrowdStrike explains EDR versus MDR versus XDR. Here are other writeups from Forbes, VentureBeat, and Infosecurity. Other service providers’ definitions include Acronis, Bitlyft, Cynet, Check Point, Clearnetwork, DirectDefense, Field Effect, Reliaquest, Secureworks, Splunk, and Sysdig, among others. If that doesn’t make your head spin, check out all the vendors listed in Gartner’s reviews for EDR, MDR, SIEM, SOAR, and their associated Magic Quadrants.

How should SMBs evaluate MSSPs and select the right solution

It’s no easy task to research your way through the solution types, technologies, and solution providers. The key is to have an efficient selection process and identify which providers focus on the business’s greatest risk areas.

“SMBs need to look for an MSSP that offers a variety of skill sets and talent with deep expertise,” says Yana Vaysman, head of managed services practice at Avionos. “Providers must offer simple, easily digestible solutions with a dedicated, responsive point person. Your MSSP should be a partner who is as fully immersed in your business as you are, understand your needs and priorities, and can act as a true extension of your team.”

Broome adds, “When evaluating MSSPs, observe whether vendors provide an out-of-the-box approach versus a sterile one when reviewing the service level agreement (SLA). At the bare minimum, SLAs should clearly define the time of acknowledgment of an alert, the time to review an alert, the time for the client to acknowledge the alert, and the time to resolution, but above all else, it should clearly outline the customer’s infrastructure realities, how incidents are handled and escalated through your organization, and how your MSSP will deliver on those unique requirements.”

Bhutto suggests, “Always ask the MSSP, what happens when you get attacked? Is it that they will inform you and let you figure it out, or are they a true partner who will help you with incident response and recovery?”

In summary, these are really good starting points from Vaysman, Broome, and Bhutto: (i) find a partner who learns your business, (ii) review the MSSP’s SLAs and incident management playbook, and (iii) understand their remediation and communication procedures.

If you’re lost, contact me, and I’ll share my five questions to ask an MSSP.
