The Information Security market brought in an estimated $167 billion in 2019 and that’s expected to double in the next 4-5 years according to some estimates. With that huge growth comes an avalanche of security companies promising to fix all of your cyber worries. Some of them offer amazing services with fantastic value. Others, not so much. Whether or not those products and services address your needs is another question entirely.
In this post I wanted to outline a few tips and tricks for dealing with security vendors, and making sure you’re getting the best bang for your security buck. We work with a lot of companies that contract with a variety of vendors, so we’ve seen the good and the bad.
Know Your Goals
Before you get started with a third party, make sure you know what you’re looking for. If you don’t know where to start, you may want to work with a consultant to help prioritize your needs. Then you can use that plan to shop for other vendors. Never hire someone to “secure your stuff” without first understanding exactly how their service fits into your overall security goals.
You Can’t Outsource Security (Completely)
You have to accept that you can’t completely pass off all responsibility for your security to a third party. There are companies that promise to offer “security in a box” types of services, but even those are going to be limited in the liability they’re willing to take on. At the end of the day, you have to take responsibility for the security of your organization.
Watch Out for “And Security” Companies
There are a lot of IT service companies out there that have realized by adding “and Security” to the end of their name, they can scrape a little more money off their clients’ plates. Some of them legitimately invest in the necessary personnel, training, and tools to provide reasonable services. Others simply subcontract that work to another company. And, unfortunately, some just perform very poor work. Make sure your vendor really knows what they’re doing and that they have hired people with the correct skill sets.
Find Out Who is Doing the Work
Whatever services are being outsourced, find out who is actually providing the labor. It’s very common for companies to have a couple of very experienced senior-level consultants who help seal the deal, but then hand off the actual work to junior-level analysts. That may be okay depending on the services provided, but you should know exactly what you’re getting before signing a contract. Do the people who will be responsible for your service have adequate training and experience? The expectations for a penetration tester, a SIEM analyst, and an incident responder are considerably different.
Are They Involved in the Community?
The information security industry is a relatively small community compared to many other industries, and most professionals interact often with others in their field. So how active a vendor’s people are in the community is a good way to assess how experienced they actually are. Do their employees speak at conferences? Write blog posts? Participate in local events? If you can’t find any reference online to their people being involved in the community, that’s usually not a good sign.
Nobody likes following up with references, but if you’re considering a vendor, it’s wise to ask for references from their other clients. If you are not comfortable asking directly, then at least ask around within your network for other businesses that have used them. If a company hasn’t been around long enough to have a strong base of repeat customers, that should be a warning flag.
Look for the Heart of a Teacher
Don’t get sold by a flashy show. A good consultant or vendor should be able, and willing, to take the time to help you understand the services you’re considering and the issues they discover. Look for a company that has a track record of helping their customers learn and improve. If they can’t appropriately explain their solution or service in a way that you understand, then keep looking.
Ask for Sample Reports or Deliverables
Especially for consulting, ask for a copy of a sample report during the statement of work (SOW) review phase so that you can get an idea of what to expect. If a company’s tool promises flashy automated output to help you make risk decisions, get copies of that output and review the data as if it were real. Consider whether the data would actually help you make better risk decisions.
Avoid One Size Fits All
Every organization’s security posture and needs are unique. So a good security services vendor should dive into the details of your situation and craft a service that meets your needs. Be wary of companies that attempt to shoehorn you into their service model.
Review and Assess the Services Regularly
Regardless of what kinds of services are being offered, make sure that you regularly review and assess the effectiveness of the vendor. Some companies may start strong and then begin to perform more poorly as they get bigger and gain more customers. Others may not be keeping up with their competitors in the value of the services being offered. I gave a talk at ShowMeCon in 2018 with specific ideas on how to do this for MSSPs, but it applies to other types of services as well. (https://www.youtube.com/watch?v=_SF4vw_mVnY)
Going back to the beginning, to be successful, you need to have a plan. You need to have goals in place and know what services are needed to address those goals. If you’re not sure where to start, then your first goal should be to find someone who can help you figure out where to start. If you already have a mature security posture, then use these guidelines to assess whether the vendors you’ve selected are meeting those goals you’ve outlined.
Nathan Sweaney is a Senior Security Consultant for Secure Ideas. Contact him directly at firstname.lastname@example.org.