As the cybersecurity market grows, it has become increasingly difficult for managed service providers (MSPs) to assess the value of third-party vendors. MSPs must now typically assess hundreds of different products, even within a fairly niche product category, each with different features and price points. In this article, we'll take a look at a basic set of practices MSPs can use to assess cybersecurity vendors, and show you how to get the most out of your interactions with them.
By far the most important first step in assessing vendors is to decide which functions you need to outsource, and which can be better done in-house.
Some functions, like legal services, have long been outsourced, and this remains the best approach for most MSPs.
Today, there are also cybersecurity vendors for a huge variety of different functions; solutions exist for hardening your backup systems, improving the security of your OS, and even Dark Web monitoring. In this context, it is critical that you decide exactly what you need from a cybersecurity vendor, and have a clear idea of how contracting their services is going to improve your profitability.
As Charles Weaver, CEO of the MSPAlliance (a managed services industry association based out of Chapel Hill, N.C.) puts it: "If the MSP doesn't have that internal [cybersecurity] experience, then identifying what they need first is a must prior to initiating communication with any security vendor.”
How To Assess Vendors
Ideally, the way that MSPs assess cybersecurity vendors should be through a rigorous and repeatable assessment process. The MSPAlliance's MSP Verify certification requires MSPs to have a vendor assessment policy that itemizes all the vendors the MSP uses, what level of risk they bring to the MSP, and what steps the MSP has taken to validate the credentials of the vendor. This is a great place to start when developing an assessment process.
Unfortunately, at the moment – given the lack of industry-wide comparable metrics on the performance of cybersecurity vendors – many MSPs will have to rely on the reputation of the vendors they are considering. Given that complex networks are getting harder to secure, says Jeff Hoffman, president of Chicago-based ACT Network Solutions, "reputation is about the only way you can really separate out the new guys that are constantly popping up with their version of the greatest idea.” It’s no surprise, then, that businesses now spend roughly 7-8% of their gross annual revenue just on protecting their online reputation.
This said, there are some tools for assessing cybersecurity vendors that have been produced by industry groups, and these can be extremely useful in providing a systematic framework. One of these is the Cloud Security Alliance's Consensus Assessment Initiative Questionnaire. This tool contains an industry-standard list of questions that you can put to any potential vendor, and even provides a scoring system that allows you to rank prospective providers across a number of key metrics.
Beyond looking at the key features that a vendor can offer you, and assessing how outsourcing these processes will affect your bottom line, there are two further issues to look at.
The first of these is the question of accountability. Security breaches and malware infections can be hugely expensive, and only the best online backup vendors are willing to take responsibility for them. Ideally, you should be able to agree with your vendor what will happen if their products fail, and this should include any monetary compensation that they will pay you in this case.
The second issue, and one that is often overlooked, is the security of the vendors themselves. It might sound strange to assess a cybersecurity company on the basis of their OWN cybersecurity, but in some cases companies who promise to make your security stronger have not applied the same standards to themselves. Outsourcing SQL database administration is one of the leading causes of MySQL password leaks, a breach which can take weeks or months to recover from.
As Eric Foster, COO of Cyderes (the security-as-a-service division of Fishtech Group, based in Kansas City, Mo.) puts it: "I've been in the industry for a long time, and it's all too common to have a 'cobbler's children' scenario where, ‘Our company makes cybersecurity products, but we have no cybersecurity internally.’”
Questions To Ask
The recent Capital One hack is an example of how issues with communication between companies and their vendors can lead to catastrophic damage to a company's infrastructure. The major lesson from this hack is that selecting a vendor is not a one-off event; it should be viewed as an ongoing process. Rather than buying privacy tools off the shelf, you should see your interaction with your cybersecurity vendor as a mutually beneficial business partnership.
The key to building this kind of partnership is to know when to question your cybersecurity vendor, and what about. There are a couple of key trends in the cybersecurity industry – the growth of 5G networks and the rise of the Software as a Service (SaaS) model – that will have major impacts on the way that cybersecurity vendors work in the coming decade. Any vendor worth their salt will be able to tell you how they are preparing to meet these challenges.
As Foster explains, these are key questions to ask because they relate directly to the sustainability of your business in the medium term. They are important because they are about "real-world customers and real-world use cases ... there's a lot of people and solutions that look really good on paper, but when it comes to actual implementation … there's no comparison."
The Bottom Line
Despite the number of cybersecurity vendors out there and the range of products they offer, you should not feel intimidated when it comes to choosing one. Ultimately, what you are looking for in a vendor are the same features you would expect in any business partner: a responsible approach to managing risk and taking responsibility for it, and a willingness to work with your MSP to tackle emerging issues.
As long as you go into the process with a clear plan of what you want from a vendor, and a similarly clear plan of how this is going to affect your bottom line, everything else is a negotiation.