There are roughly 11,000+ “cybersecurity” companies in the USA, and the number is growing. Many are legitimate but target only one aspect of cybersecurity – for example, a sole focus on software tools. Others are trying to throw their hat into the ring and advertise some aspect of cybersecurity when they are really selling something completely unrelated, such as IT support. We have seen “cybersecurity” advertisements that are secretly only attempting to sell something completely unrelated, such as cloud hosting or compliance software. Are you confused yet? I certainly understand, as I even have to scratch my head at times. So how do non-technical decision makers filter the noise and identify exactly what the organization needs? To start, it is important to identify WHO to listen to and take advice from. Here are 5 points that will get you on track with filtering out the noise.
1. Trust should be the biggest currency when dealing with a vendor or partner.
There is nothing wrong with a vendor or partner wanting to win your business as long as making money is second to doing right by the client. Find a company that puts as much emphasis on the people they hire as the technology itself.
2. Avoid the One Trick Pony.
I love software vendors and new tools, but I never forget that a software provider is a “one trick pony”. What do I mean by that? They are selling their software, so they cannot truly be objective about other software options and methods. It is fine to allow them to educate you about their product, but there is a difference between that and allowing them to educate you about cybersecurity options and practices. They cannot be objective, as every option they propose will include the purchase of their software. Shameless plug for Freedom Security Alliance: many of our engagements directly discuss the pros and cons of various software solutions and cybersecurity strategies. Whether or not you do business with FSA is irrelevant; the point stands: you need a trusted resource that can be objective about your options so you can make good decisions.
3. Prevention vs Response.
This is critical for both nontechnical and technical decision makers to understand. Click here to learn about where each has its place.
4. Security Assessments: Penetration Testing vs Vulnerability Scanning.
When shopping for Security Assessments, be aware that there are huge differences between types of assessments. Do not be fooled by security assessments that are just dressed-up vulnerability scanning reports. Some so-called “service providers” will run an automated vulnerability scanning tool, spit out a nice report, and present that as a security assessment. A true security assessment will include penetration testing (internal and external), because it identifies real risk and provides an unbiased third-party set of eyes on the environment. Security Assessments can also include social engineering, operational, and policy audits. I would recommend using a firm that specializes in cybersecurity, not a “do everything” managed service provider that also wants to take over your IT practice.
5. Adopt the NIST Framework.
Why do things the hard way when you can be shown the way by others? The National Institute of Standards and Technology cybersecurity framework has the breadth and rigor to provide a meaningful framework for companies to succeed in their cybersecurity efforts. Is the NIST Framework too time consuming to digest? Then find a trusted partner that is built on and understands the NIST Framework.
Have questions? You may contact FSA without pressure. We are happy to be a trusted advisor and can create a forum where we can discuss the pros and cons of various cybersecurity solutions. Additionally, we offer lunch-and-learns and free workshops that will help decision makers create their own gap report on their organization’s cybersecurity strengths and weaknesses. The results will surprise you as to which areas of cybersecurity do not need more resources and which ones do.