Selecting an IT & Cybersecurity firm
In the digital age, small and medium-sized businesses (SMBs) are increasingly reliant on robust IT infrastructure and cybersecurity measures to safeguard their operations from cyber threats and ensure seamless connectivity. As these needs grow, partnering with a Managed Security Service Provider (MSSP) and an IT firm that manages email, computers, and internet access becomes crucial. However, vetting potential partners to find the right fit for your business can be challenging. This article offers actionable insights to help SMBs navigate this process effectively.
An introduction to outside firms that offer IT and cybersecurity support
Always remember that ultimately, you are responsible for the cyber readiness of your organization. You can outsource certain functions, like installing software updates, but you are accountable for setting the policies, building a cyber ready culture, and satisfying any privacy and security compliance obligations.
As the threat of cyber-attacks has escalated, so have the number and types of companies offering their assistance. It is a confusing market with overlapping service offerings and more acronyms than you can imagine.
One of the first decisions is whether you want to hire a trusted IT/cyber advisor to guide you through the process or wade through the vendors on your own. The idea of hiring a consultant to pick the right vendor(s) can seem like an added expense. However, it may be less expensive in the long run because they can ensure that you are getting the services you need at a fair price. Ultimately, you need to determine who to trust in order to get the help you need.
Here is a list of the types of companies you’ll encounter and a brief description.
Remember there will be some overlap in the types of service they provide.
- IT Consultant: Analogous to an IT handyman. Generally speaking, the IT Consultant helps prevent problems from occurring and fixes problems that do occur. They assist with setting up your network and/or WiFi, building and maintaining websites, recommending and installing software, setting up emails, setting up user accounts, creating and testing backups, and more.
- Managed Service Provider (MSP): MSPs are typically small firms that offer similar services to IT consultants. They often are certified installers or advisors of several hardware and software vendors. Some boutique MSPs say they specialize in cybersecurity, meaning their services would overlap to a greater extent with those of an MSSP.
- Managed Security Services Provider (MSSP): The MSSP will verify that the MSP is building and maintaining the network to maximize value and reduce risk since some MSPs and IT consultants have limited knowledge about cybersecurity technology or monitoring. MSSPs often perform activities like intrusion mapping, log checking, technology risk assessment, planning and consulting, compliance with policies, procedure development, user support, proactive security response, monitoring, and incident response.
- Virtual Chief Information Officer (vCIO): For businesses that may need a CIO within their workforce, vCIOs offer a way for you to outsource the function, similar to how you might outsource General Counsel or Chief Financial Officer functions. This approach tends to be for companies that are a little larger on the small to mid-size scale. vCIOs will manage, implement, and recommend products and services to improve your IT and security levels.
General cybersecurity credentials:
- CISSP – Certified Information Systems Security Professional: This is a broad, yet advanced certification that is widely applicable as it is not vendor-specific. It requires 5 years of experience to pursue it.
- CISM – Certified Information Security Manager: This requires 5 years of experience to pursue it and is very advanced. Those who who have obtained this credential typically manage security at the organizational level (e.g., CISOs).
- CompTIA Security+: A basic certification that provides a good basis to build on with other more advanced credentials.
Specialized credentials (depending on need):
- SANS - SANS offers a variety of technical certifications, divided into focus areas such as Cloud Security, Penetration Testing and Ethical Hacking, and Security Management, Legal and Audit. The SANS GIAC Security Essentials (GSEC) certification strikes a good balance of signaling that the credential-holder has a foundation of broadly applicable knowledge, as well as specific, technical skills.
- CISA – Certified Information Security Auditor: As the name suggests, this credential is intended for roles focused on auditing and compliance.
- CIPP – Certified Information Privacy Professional: This credential focuses on data privacy as it relates to legal and regulatory matters.
- CEH – Certified Ethical Hacker: This credential means the individual has learned how to think like a hacker, but use those skills to protect and prevent attacks, as opposed to penetrating a system with malicious intent.
Assessing Your Cybersecurity Needs
Before deciding on external support, it’s vital to conduct a thorough assessment of your cybersecurity posture:
- List the information and data that is most important to the success of your organization (e.g., customer information, confidential business information).
- List the computer hardware and software tools that are most important for running your organization (e.g., website, email, file storage, accounting system, databases).
- From the lists above, identify the top three to five items that would cause the most damage to your organization if they were unavailable, lost or stolen.
Let’s call these your crown jewels.
- Identify who has access to your crown jewels. Realistically determine how well protected they are and if you’re comfortable with the level of protection.
- If you can’t tell how well protected they are, you need to get outside support.
- If they need better protection, do you know what to do and are you able to get it done?
If not, you need to get outside support.
- Determine if there are any data protection, cybersecurity, or data privacy requirements from your customers or applicable federal or local laws and regulations
Deciding on External Support
- Understand Your Needs - Before embarking on the selection process, it's essential to clearly understand your business's specific IT and security needs. This understanding should encompass your current IT infrastructure, cybersecurity posture, compliance requirements, and future growth plans. Identifying these aspects will help you articulate your requirements to potential providers and evaluate their services against your needs.
- Look for Experience and Expertise - Experience and expertise are paramount when selecting an MSSP and IT firm. Look for providers with a proven track record of serving businesses similar to yours in size and industry. This relevance ensures they're familiar with the common challenges and compliance standards your business may face. Moreover, assess their technical expertise by exploring their certifications, the qualifications of their team, and their approach to ongoing education to keep abreast of evolving cyber threats and IT innovations.
- Assess Their Security Offerings - A comprehensive security strategy is essential for protecting your business from cyber threats. Evaluate potential MSSPs based on the breadth and depth of their security services, including but not limited to, endpoint protection, firewall management, intrusion detection, and response, as well as email and network security. Additionally, inquire about their ability to offer customized security plans tailored to your business's unique requirements.
- Evaluate Their Technology Stack - The effectiveness of an IT firm and MSSP is significantly influenced by the technology stack they employ. Assess the tools and technologies they use for security monitoring, threat detection, and incident response. Leading providers invest in advanced technologies, such as artificial intelligence (AI) and machine learning (ML), for proactive threat hunting and anomaly detection. Ensure their technology stack is not only robust but also compatible with your existing IT environment.
- Consider Their Response Capabilities - In the event of a security incident, the speed and effectiveness of the response can make a significant difference in mitigating damage. Discuss potential providers' incident response capabilities, including their response times, communication protocols, and recovery strategies. A reputable MSSP should offer 24/7 monitoring and support, ensuring swift action when needed.
- Review Their Compliance and Reporting - For businesses subject to regulatory standards, compliance management is a critical consideration. Evaluate how the MSSP and IT firm support compliance with relevant regulations, such as GDPR, HIPAA, or PCI-DSS. Additionally, assess their reporting mechanisms — regular, detailed reports are vital for transparency, allowing you to monitor security posture and compliance status effectively.
- Check References and Reviews - Before making a decision, seek references and check reviews from the provider's current and past clients. This feedback can offer invaluable insights into their reliability, customer service quality, and the real-world effectiveness of their security measures.
- Discuss Pricing and Contracts - Finally, transparent pricing and flexible contract terms are essential for a positive long-term partnership. Ensure you understand the pricing structure, what's included in the service package, and any potential additional costs. Flexible contracts that allow for adjustments as your business grows or your needs change are preferable.
Selecting the right MSSP and IT firm is a strategic decision that can significantly impact your business's operational efficiency and cybersecurity posture. By thoroughly vetting potential providers against these criteria, SMBs can establish a partnership that not only meets their current needs but also supports their growth and evolution in the digital landscape.
Managing the relationship with your outside cybersecurity support firm
Maintaining a strong relationship with your external cybersecurity provider is crucial for safeguarding your business in the digital age. Whether it's a small restaurant utilizing online ordering or an accounting firm relying on cloud-based solutions, your IT support or managed service provider (MSP) plays a pivotal role. Here’s how to ensure this partnership thrives:
- Prioritize the Relationship: Treat your cybersecurity provider as an essential partner, similar to your accountant or bank.
- Establish Open Communication: Create transparent channels for regular dialogue, crucial for navigating the ever-evolving landscape of technology and cybersecurity threats.
- First Year Foundation: The initial year is vital for building a lasting relationship. Avoid a set-and-forget mindset post-contract signing.
- Regular Check-ins: Schedule monthly meetings initially, then quarterly check-ins to discuss cybersecurity trends, your specific needs, and how the provider is mitigating risks for your business.
- Designate a Cyber Leader: Appoint an internal colleague to manage this relationship. Consider having them pursue relevant certifications, like the CRI Cyber Leader Certification.
- Review Responsibilities: Regularly confirm both parties are meeting their obligations. Utilize surveys and service utilization reports to evaluate your provider’s performance.
- Foster Trust and Understanding: Ensure there’s mutual comprehension of each other's values and operations. Establish personal connections to build trust.
- Effective Communication: Engage in consistent, two-way communication. Clear, non-technical explanations of services and threats should be the norm.
- Define Contact Points: Have clear, validated lines of communication with your provider, and ensure they know who to contact within your company.
- Be Proactive and Inquisitive: No question is too trivial. Encourage suggestions from your provider based on their experience with other clients.
- Clarify Boundaries: Understand the demarcation between customer and provider responsibilities, especially in cybersecurity matters.
The right external cybersecurity support can make a significant difference in protecting your business. By actively managing this relationship, setting clear expectations, and maintaining open lines of communication, you can enhance your cybersecurity posture and ensure your business remains resilient against digital threats.