Security is hard and requires constant vigilance and maintenance; there is no silver bullet. From experience, when pressed, most IT providers will acknowledge that they are in fact, not security companies. Security requires both a commitment and a clear explanation of responsibility, which is not typical.
To understand how your Managed Services Provider (MSPs) stacks up from a security standpoint, here are some levels, observations, and questions to identify what you may currently have.
Installs Security Technology
Most MSPs can meet this level of security. The security technology that they install is well-considered, rich in features, and highly functional. The question is, what output do you get? If there is no engaged profiling meeting, limited reporting, alerting is non-existent or a business engagement to determine how to best tune settings is not evident, your MSP functions at this level. This is not necessarily bad, but for the protection of your business, you must augment your MSP with a security provider.
Installs Security Technology and Enables Features
MSPs that are a notch better will bring expertise to the table to properly configure key security features. The engagement will be interactive, and the function of the baseline will be highly effective from a security perspective. This level of MSP is talented and a valuable partner, but will likely lack the ongoing reporting, will have limited alerting, and beyond the initial setup, will have a very simplified business engagement model. This model is typified by quarterly meetings and generic content is available for your experts to access. This model is well suited for a company with an internal security team that drives outcomes.
Installs Security Technology and Maintains it as a Business Partner
MSPs that are security partners to organizations will help select the best technology, conduct a session to interactively define and tune the security features, and explain carefully what they do NOT do. This is an important distinction evident in security organizations. Security is a very broad field, and the best companies are quick to establish the guardrails around responsibility.
What should be expected is regular engaged meetings to interactively review output, establish business engagement and incident response processes, and provide an ongoing partnership in security maintenance. This model is a very good fit for companies with limited security staff and a desire to have a more comprehensive approach to security.
A good security-focused MSP will also contribute its network of focused and more specialized solutions to enable a more comprehensive, solutions-based approach in your environment.