It’s critical to find the right managed services provider. Here are 6 things to consider when searching for the best provider to meet your business needs.
Applications support some of the most strategic business processes and access an organization’s most sensitive data. However, application security continues to receive less budget and attention than network security. Thanks to the high-profile data breaches of the past few years, we can’t blame lack of awareness for the lack of investment. Security experts and business leaders alike are now painfully aware that hackers are targeting applications as an entry point.
Managed services have emerged as the preferred way to address application security concerns and lighten the burden for internal teams. A managed services provider gives you greater elastic application security testing capacity. When your AppSec testing load is light, you can take on testing yourself. But when you need more resources, you engage your provider and pay only for the services you need when you need them.
Application security testing services allow you to skip the overhead costs that come with hiring, retaining, and equipping an internal team, only to have them sit idle during less intense testing periods. Plus, a highly skilled and efficient managed services team frees up your employees to focus on other core business activities. In fact, a 2019 survey by Continuum found that 77% of small businesses expected to outsource at least half of their cyber security needs within the next five years.
But deciding to use managed services is only the start. It’s also critical to find the right managed services provider. Here are a few things to consider when searching for the best provider to meet your business needs.
Even if you outsource all day-to-day application security work to a managed services provider, you’re still in charge of your software security strategy. Choose a provider who gives you complete control over test timing and depth.
Make sure you have full visibility into testing activities and results, and ongoing communication with your provider. Providers who value visibility have cloud-based portals that you can access at any time for an aggregate view of test results.
Look for a service provider that lets you increase the number of applications to test, and the depth of testing, without breaking the bank.
Some service providers might limit you to using their own testing tools. If you prefer a specific tool, make sure your managed services provider can incorporate it into your testing plan. To get the best results, use multiple tools.
Automated tests can result in a large number of false positives. Manual testing is necessary to identify multistep penetration scenarios and the most critical vulnerabilities. Make sure your provider includes human analysis to help prioritize results.
The right managed services provider will help you interpret the results and extend remediation support specific to your technical risk and business objectives. Expect your testing provider to hold read-out calls with your developers and offer ongoing support to address security issues.
This post was originally published Feb. 16, 2016, and refreshed May 27, 2020.