Choosing The Right Security Services Partner

A Security Services Provider needs to be reliable and supportive. Have you been unable to find the right fit for your organization’s global, regional or local footprint? Is the dynamic demands of your computing environment, and the changing dynamics in your operational complexities a challenge for your organization?  If so, you are not alone.  The good news is that you are not unique in your quest to find a true partner for your current and future cybersecurity needs.  The best news is that the right Security Partner is available, but you need to perform the necessary up-front work to find them. 

In this blog, we will cover the top 10 topics that you need to cover that will help you find a security and compliance partner that not only helps you keep your business operations secure, but protects your important client and payment data from quickly evolving threats.

The first step in this journey is to conduct data gathering, asking multiple types of questions, and perform company, financial and reputational research that will help inform your decision in selecting a new Security Partner. 

The following Top 10 topics will help you get started and are highly recommended to establish a solid foundation for your decision making:

Core Business:

• What is the Security Partners’ core business?
• Is it consulting services or reselling of technology?
• Does the Partner offer vendor-agnostic services?
• Does the reseller model constrain or force a limited set of solutions being offered that may limit the ultimate set of cybersecurity capabilities?
• Does the partner offer testing, managed security, monitoring, compliance, advisory consulting and staff augmentation?

Core Competencies:

• Does the Security Services Partner have a state-of-the-art Security Operations Center that offers SOCaaS, MDR, EDR, and other modern relevant services that deal with active and dynamic threats? Does the SOC leverage multiple intelligence sources, threat analysis tools, and automation processes to ensure a single vendor is not relied upon?
• What are the Security Service Partners core competencies, and do they include full coverage of modern cloud architectures, SAAS, DevOps, and dynamic application delivery models to support business revenue streams?
• Are up-to-date core competencies the foundation of the business and how much of the primary revenue streams are related to these?
• How are these core competencies demonstrated in industry certifications, vendor partner levels, or 3^rd party audits (PCI-DSS, SOC2, Industry Service Provider Certifications, Cloud Security Alliance)?
• Does the Security Partner help you proactively prevent risks in your environment and helps you solve your problems from a mitigation standpoint vs. only alerting on potential issues?

Longevity:

• How long has the Security Services Partner been in business?
• Is there any risk of insolvency or lack of ability to meet SLA’s due to retention, staffing, or longevity concerns?
• Does the Security Services Partner maintain an adequate level of U.S. dedicated employees and overall staffing to meet varied demands?

Unknown Financial or Legal Issues?

• Have you researched them from a D&B, legal entity, and outstanding claims perspective?
• Does the Security Partner have any outstanding litigation or legal judgments against it or any of its current staff?
• Is there any negative press or exposure from past engagements and how they were handled?

Unforeseen Delivery Issues?

• Based on the industry, regulatory and oversight bodies that the Consultancy is engaged with (PCI-SSC, ISO, FedRamp, HHS), is the Security Partner in remediation or under review for any gaps in quality, consistency, or have any open findings that have not been addressed?
• Is there any feedback on industry platforms or social media that offer positive or negative feedback related to what it’s like to work with the Security Partner?

Leadership Team and Staff Experience:

• Does the leadership team include a diverse background, base of experience, and a cross-industry perspective that strengthens the Security Partner’s services?
• Is there a comprehensive and progressive set of services that leverages this Leadership experience base?
• Does the staff have up-to-date and relevant certifications, experience, and credentials (PCI QSA, CISSP’s, GIAC, GPEN, SANS, etc.) leveraging decades of experience?
• Can the staff offer incident advisory planning (policy, procedures, tabletops) and incident response mitigation support in addition to alert notifications of unusual or abnormal activity?
• Can the Partner provide an extension of virtual, ad hoc, or dedicated Security Leadership to your organization based on your strategic and tactical needs?

Company Ownership:

• What does the ownership of the company look like?
• Private, Public, or Venture Capital funded?
• How does this benefit what you can offer from a services standpoint or limit or constrain what can be offered?
• Does this ownership affect the ability of the Partner to be independent?

A Balanced Perspective?

• How does the Security Partner provide a balanced approach in focusing on higher-level work across strategy, governance, planning, policies, procedures, guidelines, workflows vs. more tactical capabilities from technical prevention, detection, monitoring, response, and recovery capability standpoint?
• Does the partner offer a holistic approach to proactively test environments, identify the highest risk vulnerabilities and offer full remediation advisory services to address identified risks?
• Does the Partner work with modern integrated architectures and modern cloud delivery models?
• Does the partner actively manage client communication, project timelines, and client deliverables?

Relevant References:

• What references are available that relate to your companies’ size, scale, and complexity and how has the Security Partner helped reduce risks and cyber exposure for similar companies?
• Do those references support the Security Partner’s ability to provide a clear and consistent set of deliverables and SLA’s, communicate quickly and effectively for any identified issues or threats, provided vertical-specific expertise, integrate with your ticketing and workflow solutions, and support any automation and API needs for efficiency?

Demonstrated Expertise:

• What relevant stories are available, or case studies published where the Security Partner has demonstrated an ability to address your unique vertical challenges (operating constraints, seasonal demands, protecting your revenue models, monitoring challenges, regulatory or compliance requirements).
• Making sure you know what your company needs from your Security Partner will properly inform the discussion and help you ensure you can select the right Partner that delivers timely, relevant, and cost-effective services.