Five best practices for choosing the right security provider

Author: David Grady

As technology evolves, organizations must constantly adjust their cybersecurity strategies to minimize risk. But keeping up with cyber threats often feels like a losing battle for organizations because staffing up cybersecurity teams remains a huge challenge. Qualified cybersecurity talent is hard to come by, and as companies try to build their teams as best they can, security gaps are always a concern.

Currently, there is a cybersecurity skills shortage of 4 million professionals worldwide and 805,000 in the United States, according to the cybersecurity certifications organization (ISC)2. And the Center for Strategic and International Studies (CSIS) has found that 82 percent of employers report a shortage of cybersecurity skills. What’s worse, 71 percent of IT decision makers polled by CSIS believe the talent gap causes measurable damage to their organizations.

Thankfully, organizations don’t have to go it alone when it comes to security. An effective way to round out their security efforts is through strategic outsourcing to a managed services security provider (MSSP). Selecting the right partner gives organizations a better chance of implementing comprehensive security programs with end-to-end visibility and ongoing monitoring. An MSSP can fill gaps in areas such as patching, penetration testing, threat intelligence and artificial intelligence models designed to sift through massive amounts of data to spot previously unknown threats.

Working with a qualified security partner helps organizations fortify their defenses and minimize exposure to cyber risks, but it’s important to choose the right cybersecurity provider. Here are five best practices to find the best possible match:

1. Assess your needs

The first step to forging a good partnership requires an organization to have a conversation with itself about its needs. This means doing a realistic assessment of the capabilities of your internal cybersecurity team and existing technical capabilities. A fundamental question to ask is what the internal team can handle and what should be outsourced.

Having a sense of self-awareness helps you start zeroing in on a good partner match. Your MSSP should understand your business. Whether you’re in healthcare, retail, manufacturing, construction or some other market, your provider needs to know what your top priorities are. If a prospective provider cannot rattle off your industry’s top three priorities when you ask them, it’s a sign that you should move on to the next candidate.

2. Engage key stakeholders

Step two in evaluating security providers is to listen. Representatives of key stakeholders in the organization, including IT, the cybersecurity team, business line managers and C-level executives, need to be part of the process. As a group, stakeholders are essentially an organization’s internal customers – the people you are supporting and protecting. They should play a significant role in setting priorities and ensuring the organization’s security strategy addresses their needs.

Engaging key stakeholders is important in two fundamental ways: For one thing, it fosters good relations, which facilitates collaboration. In addition, knowing what stakeholders need rightly influences your choice of MSSP. An organization is much more likely to accurately map its security needs to a provider’s capabilities when all relevant stakeholders are involved in the selection process.

3. Ask tough questions

As mentioned earlier, a provider’s understanding of your market is key to making a good choice. When vetting candidates, organizations should ask pointed questions about relevant experience in their industry. Is the provider familiar with the challenges in the marketplace? Is the company aware of industry-specific privacy and security regulations? What systems and practices are in place to ensure compliance?

One way to evaluate a prospective partner’s experience is by checking references. In cases where references are not available, the company should be able to provide anonymized case studies. Your organization’s security experts can play a decisive role here by helping to determine whether what the provider is saying makes sense. How each prospective partner addresses questions and requests for references gives you valuable clues as to whether the company is a good match.

4. Consult industry research

Independent research can play a key role in selecting a security partner by complementing the information you gather by checking references and talking to the company. Companies that distinguish themselves tend to catch the eye of industry market researchers such as Gartner, IDC, Forrester and Ovum. Market researchers have a lot of information on companies such as MSSPs, their offerings, and their record with customers. You can get important details that help complete the picture you have about a prospective security partner.

5. Ask about industry methodologies

Developing a cybersecurity strategy is complex and time-consuming, but organizations don’t need to reinvent the wheel when building their programs. Industry methodologies such as the National Institute of Standards and Technology (NIST) Framework, ISACA’s Control Objectives for Information Technologies (COBIT) and ISO standards provide reference models for designing and optimizing security programs. Adherence to your chosen model by a security provider is key to developing a cohesive, effective strategy. If the internal cybersecurity team and the third-party provider speak the same language in developing a strategy, that strategy stands a much better chance at delivering the desired outcome.

In it for the long term

A security provider that speaks the same language and understands your industry’s challenges and priorities is bound to make a good match. Beyond that, it’s important to attain a real sense of whether the provider and the internal team are compatible. When you choose an MSSP, you want a partner for the long term because, security being as important as it is, no organization wants to switch partners after only a year or two.

Good chemistry and effective communication are important. And once the security partner of your choice is on board, be sure to conduct periodic reviews with the provider to ensure expectations are being met and your security program remains up to date. To understand why strategic outsourcing is necessary for cybersecurity, download our white paper.


David Grady is an ISACA-Certified Information Security Manager (CISM) and Chief Cybersecurity Evangelist at Verizon Business Group.