Let’s start with the obvious: Cyber-security is not optional or discretionary in today’s business environment. Everyone knows you must secure your online information and IT assets to reduce the risk of breach, loss or exposure of data, theft of resources, and the consequential costs. The news is full of examples why. The challenge is how, particularly when your organization lacks the key skills to do so. As we note elsewhere:
Small- and medium-size businesses do not typically have IT Security departments to manage their cyber-security. In fact, even firms with IT staff often exhibit a glaring lack of security expertise. This can lead to a fatalistic attitude towards cyber-security and a kind of paralysis in which even modest initiatives that would dramatically improve the organization’s defensive posture are not undertaken.
The purpose of this article is to provide useful criteria to IT decision makers within firms needing outside expertise as to how to select and qualify cyber-security vendors, and ultimately choose the one that is the best fit for their organization. We also make our case for our approach in the hopes that it will provide you with a comparison point as you proceed through the vendor selection process.
If you have not already come to the same conclusion, you will: Cyber-security is expensive and highly specialized. As a consequence, it is simply more cost-effective for small- and medium-size firms (a.k.a. SMBs) to outsource this responsibility to consultants and rely on their expertise to design and implement solutions. This is not a mistake. In fact, it is good management to engage outside resources as long as they satisfy the following criteria:
- They are competent and provide the services you need
- Cyber-security is strengthened as a result of their efforts
- They do so in a manner consistent with whatever agreement(s) you have in place
- They do so in a competitive and cost-effective manner
- They do not lock you into a solution or relationship without your full understanding and agreement
- You can trust them completely with your most sensitive data and IT assets
So it is not a bad decision to outsource, but how do you find the right partner ?
A Bewildering Marketplace
There are now hundreds of tools, products, services, frameworks, and standards in the Information Security space. This is in part because it is a large space, but also because new products are coming to market at a rate never seen before. The Information Security market is expected to reach USD 181.77 billion in 2021 and is anticipated to grow at a CAGR of 9.5% between 2016 and 2021. 1 This kind of explosive growth encourages new vendors and new products. For example, googling “cyber-security solution” resulted in almost 7.5M hits at the time of this writing. So in addition to it being a technically broad and complex landscape, you will find a bewildering array of offerings to choose from in almost every domain. This inevitably leads to confusion about what mix of products and services are appropriate and necessary to keep your organization safe. Navigating this landscape can be daunting, especially for the non-specialist. You will likely benefit from having a trusted cyber-security partner to guide you in product selection.
It Is Easy To Get It Wrong
There are other contributing factors that make addressing your cyber-security difficult:
- There are redundant and overlapping features in different products
- The selection of products might leave gaps that leave the organization open to dangerous threats
- The selection of products might not be as cost effective as possible
- A given cyber-security solution may incur unnecessary and costly overhead
Worse yet, there might not be sufficient expertise within the firm to recognize these problems, let alone address them. The majority of companies must reach outside the organization to help navigate what is a complex landscape, and “vendor selection” is itself is an opportunity to make a mistake.
It is not hard to find a firm that wants to help you improve your cyber-security. The challenge is finding one that will offer a comprehensive solution that truly increases protection firm-wide, while being both practical and cost-effective. That’s a loaded sentence, so let’s break it down:
- Comprehensive: The solution must address all information security domains sufficiently to avoid vulnerability gaps. Anything less that a comprehensive approach to cyber-security is suspect at best, and fatally flawed at worst.
- Truly Increases Protection: Security is not a product of the amount of dollars spent, nor is it measured the volume of policies and procedures. In fact, there are a LOT of things you can do in the name of security that only marginally increase your safety. The judicious selection of tools, policies, and practices is an engineering exercise that must balance cost, benefit, and impact on the firm.
- Firm-Wide: Assuming that the entire enterprise utilizes IT resources, then the entire enterprise is at risk. Any solution that does not address all locations, all employees, all systems, all processes, etc. can leave you vulnerable.
- Practical: Every “best practice” adopted, every control imposed, every countermeasure deployed, and every policy embraced in the name of improving security has an impact on the productivity of the organization. It is essential that security initiatives are carefully analyzed and chosen to reflect the right balance of benefit and overhead.
- Cost Effective: There is no such thing as 100% risk reduction, and costs rise dramatically if you seek to excessively reduce risk. Your goal should be to make it more expensive to achieve the attacker’s goal than it is worth to the attacker. This, of course, means vastly different things to different businesses and organizations, and that is the point. Information security is improved as consequence of one big decision to commit to do it, and the result of hundreds of small decisions as to how. Each tactical decision needs to reflect the right balance of cost and benefit.
The questions and discussion points below are driven by these realities and will help you qualify the vendors you are considering.
Is There a Product?
There is a saying that “Once you know how to use a hammer, everything begins to look like a nail.” Vendors that are pushing products are often (deliberately or not) myopic in their world view and will emphasize their solutions at the expense of a more comprehensive approach. Assuming that the product(s) provides adequate protection in some domain (e.g Data Loss Prevention, Intrusion Detection, Authentication, etc.), the risk is that you will solve a small part of a very large problem very well, but also inadvertently leave enormous gaps in your defenses.
Takeaway: Be sure you understand the scope and scale of the solution(s) being presented and that it fully addresses your needs.
A One-Size-Fits-All Solution?
Is the vendor proposing a solution that is specifically customized to your business? This is a critical consideration because what works for larger firms is overkill for smaller ones, and smaller solutions may not scale sufficiently for large firms. This is obvious in some domains and less obvious in others. A catalog of products and/or services with fixed prices is a tip-off that customization and flexibility may be lacking. Your vendor must have a process or framework to guide their efforts, but they must also be flexible and emphasize what is appropriate for your firm’s size, complexity, and current cyber-security maturity.
Takeaway: Inquire about the vendor’s process and how they will adapt it to your needs. Ask for specific examples of how they have done so before.
Are They Familiar With Your Industry?
Each industry has its its own unique considerations with respect to information security. For example, retailers and the hospitality industry are concerned with PCI-DSS, the healthcare industry must satisfy HIPAA security rules, and financial industry has requirements from the SEC and FINRA. They are all oriented towards increasing Information Security within covered firms. Both regulated and unregulated industries may choose to embrace industry-neutral cyber-security guidelines such as NIST 800 family of specifications or the ISO 27000 series.
Clearly, it is advantageous to partner with a firm that is familiar with the specific compliance requirements that apply to your organization, or that you have chosen to adopt. Of particular importance is how prepared your vendor is to recommend strategies for compliance that your organization can handle, operationally and cost-wise.
Takeaway: In addition to verifying that your candidate vendors are familiar with relevant compliance requirements, find out what they have to say about practical implementations within a firm such as yours.
Are They Selling Compliance?
It is important not to equate compliance and security. Many industries must now legally meet certain cyber-security requirements, while others seek to satisfy guidelines self-imposed by their industry. While compliance requirements are always designed to improve an organization’s defenses, a fixed list of “Do’s and Don’ts” can sometimes lead to over-emphasis on compliance and a loss of focus on other initiatives that would benefit security. You must avoid the false sense of security that can come with a pure compliance focus.
Takeaway: Don’t fall into the trap of assuming that compliance means security. Listen carefully for the domains that are NOT being mentioned by the vendor as they present their approach.
Will You Get the Experience You Are Paying For?
You have seen this “bait and switch” elsewhere, perhaps when you have investigated outsourcing accounting, or legal, or software development. The vendor’s sales team is knowledgeable and experienced, they ask good questions, and they exude confidence in their approach. The problem is that the sales team disappears after the sales process is completed, and you are left with a minimally experienced recent college graduate who is two questions away from “I Don’t Know” in every important matter you discuss. It only becomes more infuriating when you realize how much you are paying to educate your “consultants.”
In fairness, this is most often a phenomenon that occurs with large vendors with lots of brand-name recognition who are relying on their reputation and “process-oriented approach” to help make the sale. The fact is that such firms are so large that they do not have a pool of sufficiently experienced staff to fulfill all their obligations.
You should also be reasonably skeptical of certifications. While they do demonstrate a commitment on the part of the holder to the industry, they are NOT a substitute for experience, and should be weighted accordingly.
Takeaway: Be sure you understand who the consulting team will be. Ask for resumes/CVs of the candidate team and ensure that you get a veteran team. Don’t just vet the company, vet the team!
Here Today and Gone Tomorrow?
Information security is not a “one and done” activity. It is an ongoing process of continuous improvement that impacts most operations and spans the enterprise. Is your vendor committed to supporting your firm in the long run, or are they only interested in making the sale and moving on?
Takeaway: Take note of the timeframe of each vendor’s proposal. Those who initially offer only limited, short-term engagements are likely more interested in making the sale than getting you secure and keeping you safe.
Does Cost Matter?
You wouldn’t go shopping for the cheapest brain surgeon, and you shouldn’t do so for cyber-security either. We are not so naive to suggest that cost doesn’t matter, because it always is a consideration in business. There are two mistakes to be avoided, and a possible root cause:
- Assuming that quality and cost are highly correlated. The fact is that there is a spectrum of quality and capability. Sometimes you get what you pay for, sometimes you don’t.
- Reflexively sorting vendor proposals by cost, and otherwise biasing your choice towards the least expensive solution. The best proposal may not be the cheapest, particularly if you are comparing “apples and oranges.”
Sometimes a wide variation in cost reflects a wide variation in the scope and scale of proposed products/services. When this occurs, it is often due to the failure of the soliciting organization to provide clarity in that regard. A good decision is the result of careful analysis that is only possible if the proposals under consideration are similar in scope and purpose.
Takeaway: Do not leave it to the vendor to tell you what you need. It is your responsibility to understand what your organization needs and solicit specific solutions from the marketplace. Relegate cost as a secondary consideration behind the quality and fitness of the vendor to address your needs.
Why Affinity IT Security
Since 2009 Affinity IT Security has been helping small- and medium-size businesses address their cyber-security needs. We promise you experienced and knowledgeable consulting and a practical and cost-effective approach to your specific needs. We are product-neutral and do not advocate any particular product or service. We will help you assess your needs across the entire company and recommend the best solutions for your unique situation.
Contact us to start the discussion about your current cyber-security situation and how to improve it. Only after we have an understanding of your business, operations, and cyber-security maturity will we bring a comprehensive, practical, and cost-effective proposal to the table.