As we approach the end of the year, you may be doing some reflecting on your environment, stack, and vendor list. How have they been working for you in 2020? What could have gone better? What might need to change?
Whether you have a renewal upcoming or just need to better understand the value they bring, you may want to talk with your cybersecurity vendor about the year that was, and about the year ahead.
In this post, I offer some questions that can help you during these discussions, so that you better understand what your security partner (if it’s safe to call them that) is doing for you. These questions—and their answers—will also help you communicate your security partnerships to your business stakeholders, especially in the context of a renewal or a change to your cybersecurity mix in the coming year.

I get questions like these about our solution all the time from prospective customers. As such, my focus is on equipping you to understand the specific outcomes that your vendors deliver, the value that you can derive from them, and how you can communicate that to your management team. I focus on growth and improvement over time because continuous improvement is one of our values at ActZero.
- “What would actually happen if I got hacked? What would I, or my staff, have to do?”
The first and most obvious question. It’s where the rubber meets the road. This question is about outcomes and contingencies, and about understanding where the provider ends and the customer begins. It is essential to know what you’re getting and which responsibilities are yours versus your provider’s - especially in a breach situation.
- “What actions are you taking when I get an alert from you?”
Instead of merely notifying you that something needs to be investigated, is your provider taking specific actions to stop or block something that could hurt you? Are they doing it 24/7?
Understanding your providers’ actions will help you assess the value they’re bringing in terms of outcomes and what is left for your team to manage internally. Are you responsible for patching? For response? For investigation? How quickly can you address them (...at 4am?) These answers have implications, not only for your value (e.g., efficiency, time to value, reduction of risk, etc.), but for your incident response plan (more on IR plans here from my colleague Adam Mansour).
- “Am I more secure this month than I was last month? How could I prove that to my management team?”
“Security improvement”—the “growth element”—isn’t always included with your service, and this question gets to the heart of whether that’s the case. The second part is about documentation. If, as an IT or security leader, you report on those outcomes, then you need to know whether your service delivers them and how it’s going. You could (should!) get answers about reporting, dashboards, meetings, and how the overall communication of results works.
- “What kind of sources of truth are you relying on to protect my organization?”
To truly be protected from threats, you need rich context to factor into your analytics. This question, therefore, is about the depth of coverage. Look for answers that include multiple sources of truth: protection based on EDR, network telemetry, threat feeds, AI-based decision-making, and human-led threat hunts. Not all providers are created equal, and this question will help you understand the differences in offerings between providers.
- “What kind of advisory services do you offer as part of your service?”
It’s great that your environment is being monitored, but say you want more specific information. Do you know where you stand relative to CIS Top 20? Or CMMC? Or NIST? Will your provider tell you? Is that included in your package, or is that an upsell? If you’re not interested in buying expensive consulting on top of your regular service, be sure to establish what advisory services are included and what are considered extras.
I wrote these questions with service providers in mind—specifically, MDR providers and MSSPs offering managed SIEM, EDR, firewall, and a host of other solutions that are managed for you. If you’re still intent on building your own SOC, check out another post of ours on why that might not be the right path.
If you’d prefer to partner with a reliable threat detection and prevention service, then ActZero may be able to help. We offer incident response, managed detection and response, and virtual CISO services. Reach out today to learn ActZero's answer for each of these important questions.