Society has changed in the last year, and so has the way we work. This creates new security challenges, or, as hackers would say, new opportunities. Even without this change, we know that security threats are complicated: they are dynamic, and they demand that the defensive line be alert at all times.
More and more companies are realizing that this is difficult, if not impossible, for an internal IT department to sustain. They therefore purchase security services from manufacturers or from local IT vendors who sell them as a service. But have you remembered to check whether the supplier's own security is in order? Or do you take it for granted that the security capabilities and processes are in place?
Among public bodies and larger private companies, it has become more common to ask whether the supplier has a management system for information security, whether they are ISO 27001 certified, whether they have routines for incident handling, and so on. But is this done to the same extent in smaller companies? Probably not.
What should one do when procuring a security service?
A good place to start is the Norwegian National Security Authority (NSM), or your own country's security authority. In their "Basic Principles for ICT Security", they have compiled a list of ten basic controls that should be examined. You should carry out these checks regardless of which service the provider offers. Does your vendor:
- Have an established management system for information security, and possibly certification in accordance with international standards, for example ISO/IEC 27001:2017
- Provide insight into the security architecture used to deliver the service
- Develop plans for future security functionality in the services in line with developments in technology and the threat picture over time
- Have an overview of who should have access to the company's information, where and how it should be processed and stored, and which mechanisms segregate it from other customers' data
- Have security functionality that satisfies the business’ needs
- Provide security monitoring to detect security incidents that may affect the business
- Have routines for incident handling, non-conformance handling and security reporting
- Have crisis and contingency plans that are aligned with the company's own plans
- Have approval procedures for the use of subcontractors and their use of subcontractors
- Have specified which activities are to be performed upon termination of the contract, including the return, transfer or deletion of the company's information
The challenge for customers is that evaluating the answers requires expertise. But everyone can evaluate the way the supplier responds. A quick and clear answer to every question indicates that the supplier has things in order, while evasive answers indicate the opposite. This is of course far too simple and only gives an indication, so I recommend bringing in a knowledgeable resource to evaluate the suppliers' answers.
How do I choose between several suppliers?
In addition to these requirements, it is of course also important to consider which type of supplier is right for your company. We recommend choosing a supplier that matches the size of your business. This makes you important to your supplier and can give you the leverage to influence changes that make the service better suited to your company.
If your company is in the SMB segment, it is not certain that the largest security provider on the market has the capacity or the willingness to make such changes. Also find out what is important to your potential supplier: can you act as a reference, speak in a webinar, or the like? These are activities that can matter to a supplier.
Finally: if you are about to choose a security service, ask for a pilot or a proof of concept! That way you will find out whether the supplier is right for you and whether the service delivers the value you envisioned.