How to select the right cybersecurity provider

The market is awash with agencies that overpromise and underdeliver. Here’s the best way to identify the elite performers that will keep your IT assets safe from harm

Every company needs a cybersecurity partner. The question is: how do you choose the most competent one from the crowd of players offering such services? The sector has attracted a lot of newcomers in recent years and gained notoriety for spouting unsubstantiated marketing hype. This suggests that there may be plenty of wrong ’uns out there. 

Philip Hoyer is EMEA field chief technology officer at Okta, a digital ID specialist based in Silicon Valley. He says that “the painful truth is that cybersecurity procurement calls for elite BS detection. Ever since the Covid digitalisation gold rush, where all firms became digital service and product companies overnight, and the shortage of experienced specialists at the enterprise level, the cybersecurity market has earned a reputation for using fear tactics to sell silver bullets.”

Other common offences by providers include exaggerating their expertise and scale; aggressively marketing unproven tech; overcharging clients; and losing focus once the contract is signed.

What, then, are the hallmarks of a cybersecurity partner that can be relied upon to do none of those things?

What are the essentials when assessing cyber partners?

Certification is a good indicator. A reputable provider should have all the right documents. The classics are ISO 27001, Cyber Essentials Plus and Certified Information Systems Security Professional (CISSP). If the firm is from the US, it should have FedRAMP credentials, which indicate alignment with the government’s official Federal Risk and Authorization Management Program.


Then it’s time to interrogate your candidates. Claire Vandenbroecke, cybersecurity specialist at TSG, a managed IT provider, suggests the following questions as a starter pack: “Do they have cyber insurance? Request a copy of the policy to verify exactly what is covered, such as public liability and legal expenses. Are they aware of the UK government’s Network and Information Systems Regulations 2018 and how its recently announced intention to bring managed-service providers into their scope will affect their operations? Are they familiar with the Center for Internet Security’s critical security controls and how these can be used to generate risk scores for organisations?”

Vandenbroecke advises checking that their claims are accurate, adding: “Request their certification number so you can verify that they’re certified. And ask them to confirm the scope of their certification, because they may have had to exclude certain areas of the business to obtain it.”

How to weigh up effectiveness, compatibility and security

Once you’ve obtained the answers to these key questions, you’ll have a shortlist. To winnow its constituents down to a winner, you’ll need to conduct active research into the competence of each potential partner. 

“Companies can request a trial period to evaluate the vendor’s solutions,” says Dominik Birgelen, co-founder and CEO of oneclick, a provider of cloud-hosted digital services. “This enables them to assess their usability, effectiveness and compatibility.”

Birgelen suggests a proof-of-concept project to test the vendor’s suitability. This should enable you to determine whether its technology integrates well with your stack.

Then there’s penetration testing, in which an authorised white-hat hacker searches for exploitable weak points on a network. They will start by running programs to probe for flaws, often using off-the-shelf tools such as Metasploit, Wireshark and Burp Suite.

A pen tester will also, with your permission, combine purely technical attacks with social engineering. They may go phishing by emailing infected files to employees and seeing whether they download the bait, for instance. They may look for the reuse of passwords across platforms. They may call the IT team pretending to be an employee with lost credentials, bluffing their way into the system. And they may even show up at the office and try to physically gain access to systems. An unattended workstation could give them the opportunity they need to inject malware into the network. 


Pen testers succeed more often than not – it’s usually just a matter of time and resources. Then comes the question of how far they can move within a network once they’ve infiltrated it. Zero-trust architecture and internal network segmentation should ensure that a foothold in one part of the system does not grant access to everything. Does the cybersecurity provider understand how to commission a pen test and respond to its findings?

There’s also the matter of data location. Professor Simon Hepburn, CEO of the UK Cyber Security Council, identifies this as an important factor to take into account. 

“Organisations should establish where data is held and whether the supplier’s servers are hosted in the UK, the EU or overseas,” he advises. “The location may affect records of processing activities and data protection officer plans under GDPR, so it’s a key consideration before investing.”

Naturally, a cybersecurity partner will need to do more than meet these requirements. It will need to be a cultural match too. This means it must listen carefully when you explain your needs. Do you need your partner to be on call 24/7 and advise the IT team comprehensively, or be less hands-on? The prevailing view in this sector is that such aspects are often overlooked. 

How much should you expect to pay?

Last but not least, there’s the issue of cost. Knowing how much to pay is extremely hard. Organisations’ requirements vary so widely that benchmarking can seem arbitrary. 

“Before any decisions are made, be especially wary of overly complex pricing models.” 

So says the founder and CEO of Arco Cyber, Matthew Helling, a man with more than 30 years’ experience in this sector. He believes that quotes “should be simple and easy to understand. No business appreciates hidden costs, especially when it turns out that further funds are required after the project has been approved. Pricing should be transparent and straightforward, providing a perspective on scalability and future costs.”

In short: if you can’t understand precisely what you’re paying for, something is amiss.

Is finding the right partner complex? Yes, but so is cybersecurity. Protecting your company’s many IT assets – servers, PCs, tablets, mobiles and other networked hardware – from a growing arsenal of attack methods is a tough gig.

A strong cybersecurity partner can make the difference between the smooth running of those assets and the loss of six months’ profits to a Russian ransomware gang. It’s worth making the right choice.