There are several thousand “cybersecurity” companies in the USA, and the number grows daily. Many are legitimate, but only target one aspect of cybersecurity—for example, a sole focus on traffic analysis or endpoint protection. Others are just trying to throw their hat into the ring by advertising some aspect of cybersecurity, when they are really selling something else, such as IT support. We’ve even seen advertisements for “cybersecurity” that are actually offering cloud hosting or compliance software.
How can non-technical decision-makers filter the noise and identify the right solution for their organization? The first step is to identify WHO to listen to and take advice from. Here are five points that will get you on track.
1. Trust is the Best Currency
There is nothing wrong with a vendor or partner wanting to win your business—as long as making money comes second to doing right by the client. A company is only as good as its team, so find a company that puts as much emphasis on the people they hire as on the technology they offer.
2. Weed Out the Bias
Software vendors and new tools are great, but never forget that a software provider is a biased source; they are selling their own software, so they cannot truly be objective about other product options. It’s fine to let them educate you about their product, but there is a difference between that and looking to them for recommendations on the right cybersecurity solution for your business. If you ask a pizza place where to get the best pizza in town, where do you think they’re going to send you? For that matter, if you ask a pizza place what you should have for dinner, what are they likely going to recommend?
Software vendors simply can’t be objective; every option they propose will include their own software. At SOCBOX, we don’t have our own software product. Instead, we discuss the pros and cons of various third-party software solutions and cybersecurity strategies with you to help figure out which is the best fit for your organization. The bottom line is that you need a trusted, truly objective resource that can help you make educated decisions.
3. Prevention vs. Response
This is critical for both technical and non-technical decision-makers to understand. Does your plan actively work to prevent cyberattacks? Does it include remediation assistance in case a breach does happen? Understanding whether different cybersecurity services fall into the prevention or response category will help you determine how much coverage your plan actually provides.
4. Security Assessments: Penetration Testing vs. Vulnerability Scanning
There are huge differences between types of security assessments. For example, some providers will run an automated vulnerability scanning tool, spit out a nice report and present that as a “security assessment”. Don’t get us wrong; vulnerability scanning can be useful, and sometimes it may be all you really need. But if you need a complete security assessment (and are paying for one), vulnerability scanning just doesn’t cut it.
A true security assessment will include penetration testing (both internal and external) to identify real risk and get an unbiased set of eyes on your environment. Security assessments might also include social engineering, as well as operational and policy audits. Look for a firm that specializes in cybersecurity and clearly explains the various parts of their security assessments.
5. Adopt the NIST Framework
Why do things the hard way when others have already laid the groundwork? The National Institute of Standards and Technology (NIST) cybersecurity framework has the breadth and rigor to provide a meaningful set of standards for companies to succeed in their cybersecurity efforts. Find a trusted partner that understands and has structured their business around the NIST framework.
Have questions? We are happy to be a trusted advisor, and we work to create a forum for open discussion of the pros and cons of various cybersecurity solutions. We also offer lunch-and-learns and workshops that help decision-makers create their own gap report on their organization’s cybersecurity strengths and weaknesses. You might be surprised to discover which areas of your security need more resources and which do not. Contact SOCBOX today or call 877-284-7789 for a free, no-pressure consultation.