10 Questions to Ask During a Cybersecurity Vendor Assessment

There has been a lot of buzz in the cybersecurity industry lately about who should be responsible for ensuring an organization’s data is properly protected. There are many so-called security solutions that only offer partial protection. Often, IT vendors claim to offer services that will defend organizations against cyber attacks, but the reality is that many of these companies are grossly exaggerating their capabilities. The best approach is often to layer multiple vendors (such as an MSP and MDR) that complement each other. However, figuring out which vendors to use and who should be in charge of what can be daunting. It is important for organizations to ask the right questions when conducting vendor assessments and to develop a clear division of responsibility from the get-go. These ten questions will help you determine whether or not a vendor is a good fit, and also what role they will play in your overall security strategy.

1. Are they managing security events, the network, or both? To what extent?

Network management focuses on network speed and user experience, which is usually in direct conflict with the realities of effective cybersecurity. Security event management involves real-time monitoring, correlation of events, and occasionally threat analysis. Both are important, but just because a vendor is competent in one does not mean they will adequately handle the other. Many network management providers offer security “services”, but it is critical to identify the scope of these services before signing a contract. Organizations should hire one company to manage their network, and another to manage their security events. This is a sound arrangement, but it is important to be aware of this need up-front, and to compare apples to apples when looking at budgets and proposals.

2. Are they managing your endpoints? If so, which ones?

Endpoint management is critical for effective cybersecurity. However, endpoint protection is often omitted from vendors’ cybersecurity capabilities because it is a noisy dataset and hard to scale across clients. If your prospective solution does not offer endpoint protection and response, you should include the cost of an additional vendor to manage your endpoints in your overall cybersecurity budget. Response is key here: anyone can install a cheap anti-virus product such as Avast. Does the technology have the ability to quarantine a host from the network? If so, is someone monitoring it 24/7?

3. Which phase of the threat cycle do they focus on?

Most MSPs rely heavily on perimeter protection, and do very little with analysis or cyber threat removal. This means that analysis and response will either fall to your existing IT team or another vendor. While having one company license and configure perimeter protection and another conduct analysis is fairly common, it is important to know what you are getting into, and to plan your cybersecurity budget accordingly.

4. Do they integrate with other IT vendors?

Technical solutions do not exist in a bubble. Both the software and the people should be able to work well with your existing tech, and any future technology that you might adopt.

5. How do they deal with Incident Response?

Organizations need Incident Response. It is critical to have a plan in place and be able to act quickly should an incident occur. If your prospective vendor does not do Incident Response, you should either look for one that does, or be prepared to layer another vendor onto your prospective cybersecurity solution.

6. Do they offer a (human) point of contact?

There is nothing more frustrating than filling out help ticket after help ticket only to have your problem ignored or passed around. This is even more frustrating when you want quick, accurate answers about the security of your organization’s data. If your prospective vendor is unwilling to give you a direct point of contact (ideally someone you get to meet in person), it is likely that you will be treated as just another account number, and not given much one-on-one attention.

7. Is their technology outdated or cutting edge?

Obviously you want the most advanced security monitoring technology that your organization can afford, but you also want proven results. Modern cybersecurity is all about layering solutions and effective risk management, so a comprehensive cybersecurity strategy will usually combine tried-and-true perimeter-based solutions (firewalls and endpoint protection software) with more disruptive technologies. AI-powered threat detection is one of the most cutting-edge technologies in cybersecurity, and may be more affordable than you think. AI solutions can typically eliminate false positives, so while the overall tech implementation may cost more, that cost is often recouped by reducing (but not eliminating!) the need for human analysts.

8. How do they implement patches and bug fixes?

It is important for your security vendor to be vigilant about updates, especially if they are focusing on perimeter-based defenses. There isn’t necessarily a right answer here, but it is important to consider how often patches are released, whether they are installed automatically or manually, and who is in charge of installing them. Consider how these answers will fit into your organization’s overall workflow.

9. Is their solution scalable?

Dig into their pricing model, as well as what type of hardware they rely on. How will their fees shift at 20% growth? 100%? Often, there is significant upfront cost in implementing a new cybersecurity solution. By ensuring that the solution you choose will grow with your business, you will eliminate future expenses and headaches. Vendors that charge based on events per second (EPS) or require additional licenses for every new endpoint may become prohibitively expensive as your organization grows.

10. What security standard do they adhere to?

We are in the age of security standards: NIST, GDPR, DFARS, HIPAA, and other standards all offer guidelines for how to handle data. Your security solution should adhere to an open and peer-reviewed security standard. Any security solution is only as strong as its weakest link. If your security vendor is not protected, then neither are you.

Developing a cybersecurity program is difficult. It is important to carefully consider what data you need to protect, the best methods to protect it, and which vendors to partner with. It is also important to be very clear about which vendors will be responsible for which tasks, and to optimize services and cut down on redundancies. At Bluestone Analytics, we have helped many businesses navigate the complicated world of outsourced cybersecurity. If you are curious about how we can help you improve your data defenses, contact us.