6 Questions to Help You Hire & Evaluate Security Solution Providers
Cybercrime cost the global economy as much as $600 billion in 2017,(1) so unless your business and all of your customers and employees have no interaction with the internet or modern networking technology, chances are you have hired or will hire a Security Solution Provider.
The decision to hire a Security Solution Provider goes beyond getting a good deal at a fair price; when it comes to security, there are factors that go well beyond these typical metrics.
If your choice in a Security Solution Provider is poor, you not only lose protection from evil hackers, con artists, and critical systems outages, but you might actually be opening up a door to make these risks more likely or more serious.
What questions should you ask your business or your Security Solution Provider?
We have some suggestions, so read on!
Is this company providing a product, a service or both?
If you are looking for a particular product solution, such as endpoint security, cloud security or a firewall, you might consider working with a value-added reseller that has experience with several different products that could fit your needs. This is where some of the “value” of a value-added reseller comes into play: they have seen all of these competing products in action and will want to stand behind the solutions they offer you. Typically, the value-added reseller works for YOU and won’t just cash your check and walk away. It is an ongoing client relationship.
Is this company a startup or well-established?
We can’t say that startups are bad or that established organizations are going to be the leanest and most efficient. A startup might be more agile and, with the changing nature of information security, that might be an advantage you want. Typically, an established solution provider will have more history that you can use to determine if they fit well into your business practices, especially if you want that product or service to be stable and available over the long haul.
Are you buying a Band-Aid or a cure?
A common mistake organizations make when looking for information security help or services is that they go out looking for products when they should perhaps be looking for business solutions.
If you want your organization to be protected from cyber-crime, ransomware, social engineering exploits, compliance violations, information theft, reputation damage, email exploits and related threats, perhaps what you should be shopping for is a trusted advisor to work with you while you make a business plan that addresses these issues with a unified vision aligned with your business.
Ideally, working with a trusted partner/advisor such as a vCISO or a value-added reseller that offers BOTH products and services will allow you to create programs that enhance how you do business. Installing products without good oversight and knowledge of the big picture can actually create roadblocks for your employees and processes that cost more than the security product itself and this can be avoided.
One example might be a company that wants to avoid ransomware. If they shop for and buy an email and malware software solution, they might think they have succeeded in mitigating the risk. However, if they had sought a business solution from a trusted advisor, they likely would have discovered that ransomware can make it past these kinds of defenses and that they should also employ security awareness training and undergo a risk analysis, so that they are aware of any other “doors left open.”
What are some red flags that should make businesses cautious?
When seeking Security Solution Providers, are you just looking at uni-taskers? Being very good at just one thing is great, but when it comes to solutions, typically a single answer is not ideal. If you buy a complex security product, such as a firewall, does the vendor provide training or are you going to become solely dependent on the provider? When you have an issue and more than one product is involved, will you experience outages from finger-pointing?
Do you have a full understanding of how a product or service fits into your business strategy?
Having guidance from someone who understands both a product or service and your business practices is ideal. Simply put, if you are not controlling security and technology, then it is controlling you.
To evaluate a product or service you must understand how it fits into your information flow and how it relates to a business case used to justify the purchase. It also requires at least some transparency. This is a problem in the information security business, especially with many cloud-based products and vendors.
Some products and services should be secret sauce because, for example, hiding how we discover malware helps keep evil hackers from learning how to avoid our controls. The problem comes in when we purchase a product or service and we don’t fully understand its features, use and impact.
Are there any ratings or other factors that should be considered?
Few products or services are as potentially invasive to your organization as security can be. Security in most aspects is there to protect what is important to you, your employees, your partners and your clients. Almost any kind of security product or service is going to integrate into your workflows even if it does so in an apparently transparent way.
Just like an insurance company or a bank will look at your credit scores before doing business, you should be looking at the security reputation scores of not only your Security Solution Provider(s) but also your suppliers, partners and any significant vendors.
There are currently several good options for researching security reputation scores, including SecurityScorecard, BitSight, Qualys, and RiskRecon. Which of these scorecard products you use will depend on your needs. Just as a bank or insurance company will often use more than one credit rating agency, it may be good practice to consult more than one security reputation score, as each uses a different methodology.
As we have seen with the other issues surrounding choosing Security Solution Providers, getting the help of a trusted advisor is often the best option. If you don’t have a good understanding of how the metrics of these reports tie into your relationship with your Security Solution Providers, the guidance is still useful but less so. Additionally, the security reputation business is still new compared to the maturity of credit rating systems. There are many metrics that none of these rating systems currently cover.
For example, Gartner, a global research and advisory firm, provides information, advice, and tools on many products including security solutions. You will often see vendors mention that they have products or services in the “magic quadrant.” The magic quadrant is a good thing because this kind of rating helps to evaluate products. Placement in or out of the quadrant should only be part of your decision-making process; if a product or service is not in the quadrant, that should not be a deal killer. Just because a product is trending in the market does not mean it is necessarily going to be a great fit for your needs.
The security products and services you seek should ideally complement your business practices, align with business goals and even provide a competitive advantage through such things as a good security reputation. You must determine your organization’s risk and have a good assessment of your environment. If you don’t have these skills in-house - or even if you do - using a trusted advisor and working with value-added resellers can be both the safest and most productive options.
(1) Center for Strategic and International Studies (CSIS)