As the cybersecurity market grows, it has become increasingly difficult for managed service providers to assess the value of third-party vendors. Typically, MSPs must now assess hundreds of different products, even within a fairly niche product category, each with different features and price points. In this article, we’ll take a look at a basic set of practices that MSPs can use to assess different cybersecurity vendors, and show you how to get the most out of your interactions with them.
Introduction
By far the most important first step in assessing vendors is to decide which functions you need to outsource, and which can be better done in-house.
Some functions, like legal services, have long been outsourced, and this remains the best approach for most MSPs.
Today, there are also cybersecurity vendors for a huge variety of different functions; solutions exist for hardening your backup systems, improving the security of your OS, and even Dark Web monitoring. In this context, it is critical that you decide exactly what you need from a cybersecurity vendor, and have a clear idea of how contracting their services is going to improve your profitability.
How To Assess Vendors
Ideally, the way that MSPs assess cybersecurity vendors should be through a rigorous and repeatable assessment process. The MSPAlliance's MSP Verify certification requires MSPs to have a vendor assessment policy that itemizes all the vendors the MSP uses, what level of risk they bring to the MSP, and what steps the MSP has taken to validate the credentials of the vendor. This is a great place to start when developing an assessment process.
This said, there are some tools for assessing cybersecurity vendors that have been produced by industry groups, and these can be extremely useful in providing a systematic framework. One of these is the Cloud Security Alliance's Consensus Assessment Initiative Questionnaire. This tool contains an industry-standard list of questions that you can put to any potential vendor, and even provides a scoring system that allows you to rank prospective providers across a number of key metrics.
Beyond looking at the key features that a vendor can offer you, and assessing how outsourcing these processes will affect your bottom line, there are two further issues to look at.
The first of these is the question of accountability. Security breaches and malware infections can be hugely expensive, and only the best online backup vendors are willing to take responsibility for them. Ideally, you should be able to agree with your vendor what will happen if their products fail, and this should include any monetary compensation that they will pay you in this case.
The second issue, and one that is often overlooked, is the security of the vendors themselves. It might sound strange to assess a cybersecurity company on the basis of their OWN cybersecurity, but in some cases companies who promise to make your security stronger have not applied the same standards to themselves. Outsourcing SQL database administration is one of the leading causes of MySQL password leaks, a breach which can take weeks or months to recover from.
Questions To Ask
Rather than buying privacy tools off the shelf, you should see your interaction with your cybersecurity vendor as a mutually beneficial business partnership.
The key to building this kind of partnership is to know when to question your cybersecurity vendor, and what about. There are a couple of key trends in the cybersecurity industry – the growth of 5G networks and the rise of the Software as a Service (SaaS) model – that will have major impacts on the way that cybersecurity vendors work in the coming decade. Any vendor worth their salt will be able to tell you how they are preparing to meet these challenges.
As Foster explains, these are key questions to ask because they relate directly to the sustainability of your business in the medium term. They are important because they are about "real-world customers and real-world use cases. There's a lot of people and solutions that look really good on paper, but when it comes to actual implementation, there's no comparison."
The Bottom Line
Despite the number of cybersecurity vendors out there and the range of products they offer, you should not feel intimidated when it comes to choosing one. Ultimately, what you are looking for in a vendor are the same qualities you would expect in any business partner: a responsible approach to managing risk, accountability when things go wrong, and a willingness to work with your MSP to tackle emerging issues.
As long as you go into the process with a clear plan of what you want from a vendor, and a similarly clear plan of how this is going to affect your bottom line, everything else is a negotiation.