How to Evaluate a Cybersecurity Vendor Partner?

Praveen Yeleswarapu
July 12, 2023

The Challenge:

The cybersecurity landscape is flooded with over 7,000 vendors, each offering their own solution for establishing a cyber resilience program. However, this has led to a fragmented ecosystem, with solutions implemented in isolation, resulting in inefficiency and a lack of synergy. Despite tall claims of unified solutions, the reality often falls short, with bolt-on solutions failing to bring significant change. Customers have paid a heavy price, experiencing the impact of ransomware attacks on their operations and reputation. Siloed cybersecurity programs have proven to be costly and detrimental in the past.

a) Expertise and Specialization

In the realm of cybersecurity, it is not uncommon for multiple vendors to claim deep expertise in a wide array of services and solutions covering all domains of cybersecurity. However, it is important to approach such claims with caution and carefully evaluate the capabilities of each vendor. Instead of relying on vendors that claim expertise across the board, it is advisable to identify vendors that possess in-depth knowledge of and specialization in specific sub-domains of cybersecurity.

b) Flexibility and Scalability

In the cybersecurity landscape, it is vital to acknowledge that no two organizations in the same industry vertical are identical. Each organization possesses unique cultural traits and distinct goals. Therefore, it becomes crucial to choose a flexible vendor that can align with your organization's operational style, its requirements, and the threat landscape of your industry vertical. At the same time, the selected vendor should demonstrate the ability to adapt, scale, and enhance their expertise and technology platforms to effectively meet evolving challenges and achieve the desired business outcomes. Flexibility is essential to ensure that your vendor can accommodate current and new technologies, as well as the industry regulations you will have to adopt in managing the risks of an emerging threat landscape.

c) Align to Business Outcomes

In order to minimize damage, it is crucial to detect and respond to vulnerabilities and threats in a timely manner. In today's digital era, cybersecurity risks such as ransomware are inevitable. Look for a cybersecurity partner that offers proactive solutions and a dedicated support team. Prioritize a contract that emphasizes timely risk detection and swift response. Additionally, establish an effective process for calculating ROI, considering factors such as solution deployment time, risk coverage (including detection and response times), total cost of ownership, time investment, and potential business impact. Above all, ensure that you are not caught off guard by services that were promised earlier but now require additional investment that was not accounted for during budgeting.

d) Robust Proof of Concept Aligning to Your Business Needs

During the Proof of Concept phase, it is crucial to go beyond standard use cases and prioritize the effectiveness of the solution. To achieve this, it is essential to create a test environment that is streamlined and focused on the key functionalities relevant to your business. Engage your vendor partner in this process and conduct comprehensive testing, using automation to streamline the effort. If resources or expertise are lacking on your end, consider hiring an external consultant to assist in building, operating, and evaluating vendors on your behalf. Thorough evaluation will eventually lead to smooth operations and a remarkable return on investment!

e) Assess and Mitigate Technological Risks in the Vendor's Solution

Supply chain attacks pose one of the greatest risks to businesses today. We have witnessed the significant impact of breaches like SolarWinds and Kaseya on their respective customers. It is therefore crucial to thoroughly vet the technology and platforms that vendors deploy as part of their solutions, to mitigate potential cyber risks. Request operating system hardening reports and the latest vulnerability and penetration test reports from a reputable third-party agency. Evaluate their standard operating procedures for change management, data storage, and disaster recovery, and request the latest test reports for those procedures as well. Pay close attention to the access privileges vendors require for the solution to function properly, and conduct a comprehensive risk assessment of them. Finally, verify industry body certifications such as ISO 27001.

f) Customer References

When evaluating vendors, do not hesitate to request customer references. These references should ideally have a comparable or larger user base and demonstrate revenue equivalent to or greater than your overall year-on-year performance. It is crucial to engage with both decision-makers and those who are directly involved in day-to-day operations with the vendor under consideration. During customer reference calls, ensure that you thoroughly evaluate the aspects outlined above, both quantitatively and qualitatively, by being specific and meticulous in your assessment.