There are many reasons why you’re considering using outsourced cyber security services. Perhaps you want to augment your internal IT team, it may have become evident that your current IT provider doesn’t have the security expertise that you need – or worse, you’ve experienced a cyber incident.
Whatever your situation, once you’ve decided to weigh your options, you need to be able to evaluate what each provider offers before you can pick the right one for your business. Unfortunately, it’s not going to be an apples-to-apples type of analysis because each provider has their own recipe for service delivery.
What you need are some talking points to guide your conversation. That’s exactly how this article can help you out as we cover the following questions that you can ask providers:
- Do you have experience with compliance frameworks?
- Will you provide a vCISO?
- Will you provide robust account management?
- How will your team and my IT team work together?
- Are you the right size for us?
- What cyber security certifications do you have?
- Is incident response included?
- Can you perform vulnerability assessments, pen tests, or gap analyses?
- What upfront investments might be required?
- What measures do you take to ensure that your own company is secure?
Let’s take a look at these 10 questions and the answers you can expect.
1. Do you have experience with compliance frameworks?
A compliance framework is a set of standards that form the building blocks of an effective security strategy. You may have a framework for your particular industry. For example, Cybersecurity Maturity Model Certification (CMMC) is applicable for Department of Defense suppliers. Other frameworks include NIST, HIPAA, PCI, and ISO, to name a few.
If you need to follow compliance, it makes sense that you’d want your outsourced cyber security provider to have experience with the framework you need to follow.
If you don’t have compliance needs, it’s still good to know that the company understands how to use different frameworks because it’s a sign that they’re experienced with building comprehensive cyber security strategies.
2. Will you provide a vCISO?
A Virtual Chief Information Security Officer (vCISO) is a leadership role that evaluates cyber risk and creates cyber security strategy. Guidance on drafting a strategy is essential because a security framework alone isn’t enough. There are different ways that security controls can be implemented, and the vCISO will provide guidance on how to do that based on your business.
The role of the vCISO is both strategic and tactical. They make sure that what you’re doing with security is up to date and that you’re making changes as new threats evolve.
3. Will you provide robust account management?
What you’re not looking for in an outsourced cyber security company is the installation of a bunch of tech tools and monitoring, and that’s it.
Instead, you want to make sure that the provider is interested in creating a relationship with you based on trust. There’s a lot of communication that goes into building a relationship.
What’s more, you should expect a lot of back and forth between your IT team and the security team. Healthy collaboration is needed to make sure that IT management and security avoid conflicts and work together for the benefit of both productivity and network safety.
🔎 Related: 17 Foundational Cyber Security Measures Businesses Need
4. How will your team and my IT team work together?
If you have an internal IT team, ask the provider to paint a picture of what collaboration will look like. How often will you meet? What reports can you expect? What’s the protocol for addressing issues?
Part of security is the establishment of best practices like keeping software patched and updated. This might overlap with IT management, and you can decide who’s going to take on that task. Some tasks will be more appropriate for the security team, but your IT team might want to maintain others.
🔎 Related: Can I Outsource Cyber Security and Keep Our Internal IT Team?
5. Are you the right size for us?
If you don’t fall into the cyber security company’s sweet spot for company size and industry, you may discover that you’re not getting the service level you expect. For example, if the provider specializes in helping enterprise-level organizations and you’re a small business, that’s probably not a good fit. You may have a low spot on their priority list.
Likewise, if the provider is too small, they may not be able to bring you all the expertise and services you need.
Ask for examples of their current clients to get the answer you need. If they can’t give you names because of confidentiality, ask how many clients they have and the breakdown as far as sizes and industries.
6. What cyber security certifications do you have?
When you ask about certifications, what you’re looking for is third-party validation that the company has proven processes for effective cyber security management. Even if the certification doesn’t apply to your particular industry, it’s still a signal of expertise.
For example, suppose the company is a Registered Provider Organization (RPO) for CMMC and you’re not a Department of Defense supplier. In that case, the certification tells you that the company is experienced in interpreting a security framework into an actionable security process.
7. Is incident response included?
No cyber security services company is going to guarantee that you’ll never have an intruder incident. In fact, if they DO tell you that, take them off your shortlist.
The truth is that threats are increasing, new vulnerabilities pop up, and people will continue to make mistakes and succumb to social engineering ploys.
You need to have incident response in your security strategy so that you can bounce back from an incident. As you talk about incident response, ask if they will actually lead the needed actions, how they’ll train your people, and how the plan will be tested.
8. Can you perform vulnerability assessments, penetration tests, or gap analyses?
A gap analysis is like a cyber security assessment. It’s meant to give you a snapshot of the extent of your security strategy at one point in time. The report that you get will depend on what your goal is for the analysis. For example, if you need to comply with CMMC, the report will reveal where you fall short of meeting the regulation.
A vulnerability assessment looks at your security controls from the inside to find weaknesses. A penetration (pen) test simulates what a cyber intruder would do to bypass your security. A customer, vendor, or cyber insurer may require you to have periodic tests like this as part of vulnerability management.
🔎 Related: Penetration Testing vs. Vulnerability Scanning: Which is Better?
9. What upfront investments might be required?
If you don’t start out with a cyber assessment, an outsourced cyber security company will do some initial discovery to find out about your current security posture. They may find some things that will need to be remedied by implementing best practices, like keeping software up to date. They also may find that some of your hardware needs to be refreshed, and that will mean a commitment to invest by you.
As they get deeper into your IT systems, they may find other vulnerabilities and have recommendations for updating hardware. Modern software and security tools will run better on modern hardware. Additionally, newer hardware has more built-in security capabilities. For example, a firewall could include Endpoint Detection and Response (EDR).
10. What measures do you take to make sure that your own company is secure?
The outsourced cyber security company is just as much a target for cyber criminals as you are. While you shouldn’t expect them to give you all the details of their security strategy, what you can listen for are the methods they’re using to validate their security stature.
In addition to looking for third-party validation, listen for information that tells you they’re testing their defenses with vulnerability scanning, phishing simulations, and cyber security awareness training. You can also ask who has access to their systems and how that access is controlled.
Now You’re Ready for the Cyber Security Conversation
During your conversations with outsourced cyber security companies, they’ll have their own talking points that they’ll want to cover. When you insert the questions that we’ve just covered into the conversation, they should help you form a more complete picture of the results you can expect.
🔎 Related: How Much Do Managed Cyber Security Services Cost?
Outsourced Cyber Security Services for California Companies
As a Managed Security Service Provider, we work with companies to augment their internal IT team with cyber security services, infrastructure management, and escalation, or act as their whole IT department. See what it’s like to work with us by scheduling a cyber security assessment and get the recommendations you need to fill security gaps right now.