Is Your Service Provider Performing Their Role?

By: Mark Repka – MegaplanIT Security Consultant  

Companies often have many complex inner workings and processes to achieve their product goals. In order to attain their objectives, it may be necessary to bring in outside service providers to assist. Outside service providers are not limited to payment processors or third-party co-locations but can entail any aspect of your environment. Examples include firewall management, key/database management, outsourced security functions, or a human resources platform for the keeping of onboarding records and documents. Any aspect of your environment may be outsourced due to a lack of technical expertise, time constraints, or increased productivity due to the service or product.  

To test the viability of a service provider you must first ask what services are they providing that you yourselves cannot do? Is it a complex task? How can you combine these needs into a single provider?  Many service providers have multiple offerings encompassing information security governance, product/code development, threat detection, vulnerability analysis, integrated SIEM, and database management to name a few. The cost of these services will increase as the complexity or specialization of the environment grow. You must also take into account the service provider themselves in risk management scenarios. Would your company fail if the service provider does not meet expectations? What would the business impact be in the case that your services experience an outage for 6-8 hours?  

Metrics must be defined to determine the service provider’s viability; in essence, how will they measure up? To determine the effectiveness of your service provider you must first implement a rating system across all third-party service providers. Common criteria would include but are not limited to availability, cost savings, and benefits. The cost-to-benefit analysis of the technical expertise provided may be attractive as technical training of personnel for a specific task may not be viable for your current business model. The time taken training employees on a small portion of your environment may not be a productive use of your time, instead, outsource the function to an expert. Implementing a low-maintenance managed environment may be more viable when a smaller project or startup forms as you need not waste resources, time, or specialized training for your staff.  

An often overlooked aspect of third-party service providers is the cost savings provided by retaining these companies. It may not be a feasible business model to have consistent staff on 24/7 for both service products or to perform security functions, and this is where managed services are used to provide staffing augmentation. This can be as simple as a centralized call center for customer support or a security operations center for support of your web servers and infrastructure. The cost savings for not having to staff a handful of employees during off-business hours will far outweigh the cost of operators during off-business hours. There are many benefits to outsourcing the labor to third-party providers as many of these companies are versed in the current work environment and have hands-on experience in their field. Solutions that may take hours for your team to solve could be solved in minutes by an appropriate professional. Combining the service of a professional with several needs will incur both cost savings and a single point of contact on which your business is reliant.  

Once you have selected a criterion for assessing your service providers, be sure to keep the feasibility assessment ongoing as assessing a service provider once is a poor metric as there is no history behind what tasks are being performed. You can also review statements of work (SOW) and service level agreements (SLA) to examine if the service provider is living up to their expectations. Once a service provider is selected, it is important to maintain a vigilant watch to ensure that they are performing their functions per the contract. To ensure that a service provider is performing a task as part of an agreed compliance framework, collect attestations of compliance periodically and maintain these records. The outsourcing of resources, manpower, or locations all needs to be reviewed and analyzed for sustainability to be competitive in today’s market. With proper due diligence, you can ensure that you are receiving 100% from your service providers and that they are performing their roles as defined.  

MegaplanIT can help with system logging, security, and monitoring through our partnerships with AlienVault, Cylance, CrowdStrike, and LogRhythm. In addition to software we offer a wide array of services including 24/7 SOC, Fully Managed SIEM, Penetration Testing Services, Experienced Consulting, and Security Testing. We are dedicated to providing the solution you need at a price you can afford. Implementing varying tiers of service offerings, it is impossible not to find an integrated solution that would fit your needs. We have both the experience and the technical expertise in a diverse range of deployments and industries including financial, healthcare, and industrial. Reach out today and find out what MegaplanIT can do for you.