SEO and SMO Specialist, Web Development, Founder & CEO at SEO Echelon
Answered 5 months ago
Good day. I review security certifications, compliance records, past incidents, as well as incident response mechanisms when screening MSPs or MSSPs. In addition, I look into how open they are regarding their reports and whether they are in accordance with the organization's internal standards. This way, good expectations are established from the beginning, improving the relationship and minimizing risks over time. If you decide to use this quote, I'd love to stay connected! Feel free to reach me at spencergarret_fernandez@seoechelon.com
When looking to vet MSPs and MSSPs, I apply similar principles to those I would use when hiring an internal security leader: TRUST BUT VERIFY AT EVERY LAYER. Besides looking for the standard certifications like SOC 2 Type II or ISO 27001, I also ask for evidence of how they're operationalizing security day to day: incident response logs (with sensitive info redacted), onboarding/offboarding workflows, and how they handle privileged access. I also ask for an example of their reporting dashboards to help gauge whether or not they bring solid visibility into threat activity and operations. This gives me confidence they won't hand me a 100-page PDF each month ("good luck to us both") but instead will partner with me to diminish risk in real time. One of the things I do is to MAP THEM AGAINST MY RISK REGISTER, not against a general NIST- or CIS-type framework. For example, if I know my number-one risk is defending client data in multiple cloud environments, I want to see how they apply MFA across every endpoint, validate patch compliance, and contain a compromised account fast. This alignment has protected customers from expensive holes in their security and compliance approaches, as we qualify the MSP's risk appetite against that of the business. It's a more resource-intensive vetting process, and it removes providers who can't get specific about results.
Happy to talk more about how we vet vendors at our firm. We actually re-evaluate our MSP partner every year. It's not about the cost; it's because our job is to constantly ask: are we still aligned with what's best for our clients, our team, and the future of our firm? When we're considering an MSP, we make sure we involve stakeholders from operations, HR, finance, marketing, etc. Everyone needs to feel confident that this partner understands our systems and compliance needs and how we actually operate. Finding that fit can be difficult. If an MSP doesn't speak our language, I've found that we end up wasting more time educating them on how to serve us instead of them jumping in and solving problems for us. We've walked away from vendors who looked great on paper but couldn't demonstrate clear knowledge of Litify, our CRM, for example. We ask for demos so we can see it working for another partner. We ask for references. We also look at the culture fit. Are they responsive? Are they proactive? Do they escalate without being asked? At the end of the day, we're looking for relief so we can focus on serving our clients, not on keeping our team online. The right MSP gets that. Vetting a new partner isn't just about who has the cheapest price or the nicest sales presentation. Internally as a team, we talk about who will make life easier for us in the moments that matter. That's the standard we hold every partner to. If they stop hitting that mark, we don't wait five years to make a change. We audit annually and move forward if we have to.
Vet the provider's internal practices: patching cadence, employee background checks, access management, and monitoring of their own systems. A provider with weak internal security can become a direct risk to your organization. Transparency in these areas shows how seriously they take security for themselves and provides a clear signal of how committed they will be to protecting your environment.