Security Experts:

5 Things IT Should Ask Managed Security Providers

Over the past five years of running a managed security service offering, I’ve received no shortage of questions and requests from customers. They run the gamut from the completely outlandish to questions that have legitimately influenced change. Regardless of the question, it’s important for managed security providers to listen to their customers and accept feedback, whether it’s positive or negative. 

While it’d be impossible to dig into all of the requests I’ve received over the years, here are some of the types of requests we’ve received that may make sense for you to ask your own provider.  

1. Can you generate a monthly report on metrics that measure the value of your service?

Metrics are important. Pretty graphs and pie charts are helpful to bring to management to demonstrate the return on investment (ROI) they’re receiving, but determining how to measure value can be quite different (and difficult) from one customer to the next. Service offerings should be able to provide statistics on the number of high-fidelity cases raised, mean-time-to-detection (MTTD) data, and possibly mean-time-to-remediation (MTTR) data, depending on the deliverables. Being able to either generate these types of reports yourself or request that the managed service do so will help drive the maturity of your controls and should let you see the value you’re receiving from the offering.

2. How can our teams work more closely together during a security incident? 

I personally love getting this question. Your managed service should feel like an extension of your own team. Working closely during incidents or even responding to specific security alerts can form a stronger bond between both entities. Learning from experienced professionals can also help improve the skill set of your own organization. Any time we have the opportunity to train a customer on a specific competency – something that can make them more independent and successful – we take it. 

3. Why didn’t you detect the malware we executed on our lab device? 

Let’s be honest with this one: it’s impossible to catch everything. You could have all the right security solutions and monitoring in place and still have something slip through a crack. Managed security providers do need to be on top of their game at all times though; that’s what you pay them for. There may be instances where they miss something, but it’s critical to bring this up to them so that they can close any gaps in process or detection rules to improve the service.

4. Based on the level of threat activity you’ve observed in our environment, what security recommendations do you have for us? 

It’s one thing to provide a managed detection and response service to a customer. Offering feedback on how a customer can improve their internal controls can be a game changer though. Managed service organizations have a good view into your security posture, including how often threats get in and through which vectors they arrive. If patterns are observed, like spikes in phishing-related compromises, then maybe it’s time to roll out a more formal security awareness campaign to your employees or additional layers of control at your email gateway. These insights can be very rewarding, and asking these types of questions is a good idea.

5. It’s 2 a.m. and we have an incident; can you join our telephone bridge to discuss? 

Service-level agreements, or SLAs, are crucial to understand. Managed service offerings are typically available 24/7, but not all are. When an incident does occur, you should know what level of support is going to be offered during off hours for your time zone. Maybe only an analyst is available to discuss and not the incident manager for the team. Drawing up these expectations ahead of time is highly recommended.

These are five questions that have come up over the years that have helped enhance our service and engage customers with a value-add experience. Managed services should be wanting and willing to improve and adapt. Don’t get me wrong, it’s important to also have reasonable expectations, but if there are opportunities to improve then that’s a benefit for both parties.  

Tim Bandos is the Chief Information Security Officer & VP of Managed Security Services at Digital Guardian with more than 15 years of experience in information technology and securing mission-critical data. Tim joined Digital Guardian in 2016 as VP of Cybersecurity and successfully built the company’s Managed Detection & Response program from the ground up. Prior to Digital Guardian, Tim ran a global security team for DuPont, where he was responsible for overseeing internal controls, incident response and threat intelligence.