Briskinfosec
Briskinfosec is a CREST accredited cybersecurity firm, globally recognized for penetration testing and VAPT services Briskinfosec is a CERT-In empanelled cybersecurity company based in Chennai with global operations in Dubai
General

How to choose the right security provider

May 28, 2020
9 min read
5,215 Views
Table of Contents

  • Introduction
  • Steps to take before choosing a provider
  • Importance of hiring an external vendor
  • Approach
  • Know your provider’s capability
  • Project management
  • Presentation
  • Conclusion

Introduction

In the last decade, companies and individuals across all industries, and even governments, have seen the real impact of cyber security threats. Now, in a new decade, companies have started to take security seriously. This is where external vendors come into the picture: most companies cannot rely on their internal team alone to meet every customer requirement as well as their own security needs, so they look for vendor support.

Choosing the right cyber security provider is arduous today because the market is crowded, from start-ups to enterprises and from point products to full solutions. Companies want vendors who deliver cost-effective, quality service and who meet deadlines, so that security can be planned, managed and delivered on schedule.

Steps to take before choosing a provider

  • Know what you need to improve
  • Create a policy for your cyber security program
  • A good SPOC makes a lot of difference

Things to look for in a service provider

Here is a short list of things to check in a service provider:

  • Certified or Not ?
  • Approach
  • Know your provider’s capability
    • How well they are equipped with:
    • What they offer apart from services
  • Project Management
  • Presentation
    • Get a sample report
  • What else after reports
  • Are they doing Research and development ?
  • Conclusion

The following is an elaborated form of the steps above, to help you prepare before choosing a provider.

Know where you need to improve

“When you know what you need, only then you’ll get what you want”

Identify the critical assets that require security assessments; these can be internal as well as external. External assets are exposed to the public and are an easy target for attackers, so they should come first. This helps you plan what kind of protection is needed and which assets are at risk. If you are not sure how to scope the assets, consult the service provider and check what is needed to protect them. Decide on and prepare the testing environment, and keep end-user data isolated from it so that testing never touches real customer data.

Create a policy for your cyber security program

When you decide to outsource security, create a policy that upholds your organization's existing security policies, such as password management, data handling and access controls. These policies tell the vendor what they must follow alongside the services they provide. It is also recommended to hold cyber security awareness training for employees in general.

A good SPOC makes a lot of difference

A good single point of contact (SPOC) on both the client side and the service provider side is needed for every cyber security project: someone who understands the requirements and can keep the service on the right track. If the SPOCs lack proper knowledge of the service being outsourced or handled, the quality of the service suffers.

Importance of hiring an external vendor

  • Compliance requirements such as ISO 27001, PCI DSS and IRDAI call for reports from an external vendor.
  • An external audit can strengthen internal cyber security policy and process.
  • It helps avoid strategic failures in business decisions that can lead to cyber-attacks or data breaches.
  • It helps avoid reputational and financial loss from data breaches or data loss.

Things to look for in a service provider

We have highlighted a few things that any company should check when choosing the right provider.

Certified or Not?

When you are looking for a service provider, make sure they are recognized and authorized to perform the assessment. For example, depending on your requirements or the specific certification you are being audited for, the company should hold the relevant certification and be empanelled to perform the audit. In India, companies must be CERT-In empanelled to audit government projects. Their staff should hold the desired certifications, such as PCI DSS, ISO 27001, Offensive Security and EC-Council certifications, and the team should have expertise in current services such as mobile app security, cloud-based audits and compliance.

Approach

It is always important to know the approach a provider follows for security assessments and other services, because it determines the quality of the whole service and whether industry standards are followed. Make sure you know which tools they use, what testing techniques they apply and how they achieve testing coverage.

Most providers say they do OWASP-based testing, but do you know how they test your applications against the OWASP standard? Check whether they test against the OWASP ASVS (a verification standard with testable requirements) and map the vulnerabilities they find to the OWASP Top 10 (an awareness list, not a testing standard on its own). If they do both, you are on the right track with the service provider, and do not forget to ask which version they use.

Have you heard of the bug hunting methodologies that real hackers use in bug bounty programs to find real-world risks?

This kind of "thinking out of the box" approach is needed more than ever, because standards have a limit: they are generic, and a service provider has to fine-tune their techniques to your application's business logic. This knowledge matters for your project, especially if it is long-term. Also try to learn about their other clients' experience through feedback or testimonials on their website.

Know your provider's capability

How well they are equipped

Your service provider should have the required tools and technologies, and for embedded systems and IoT audits they should also have the hardware needed for the scopes in question. Your provider should have working disaster-recovery plans so that client data is not lost.

What they offer apart from services

A cyber security company should not focus only on services; it should also educate the client. Vendors should run activities such as threat analysis and updates on current cyber-attacks, and continuously raise the client's awareness of this information.

Project Management

As a client you may need on-demand or continuous assessments, so the vendor should have a project management platform that covers everything from on-boarding the client to completing the project and supporting them afterwards. Such a platform is essential nowadays; it lets internal developers and the security team collaborate closely with the vendor team and makes the client's life easier. It should have features such as:

  • Detailed security issues with recommendations, reported in real time.
  • Transparency in project status.
  • High-quality reports suitable for presenting to CXOs.
  • Freedom for the client to generate a report at any time.
  • An integrated secure coding campaign for developers.
  • Detailed reports for all re-assessments, with tracking.
  • Detailed issue tracking sheets with compliance mapping.

Presentation

Reports are the real representative of any company: they show the quality of the service and how capable the provider is. We are not talking about reports auto-generated by scanners, yet companies still hand those to clients as VAPT and other deliverables. An automated vulnerability scan or assessment is not a true penetration test.

Have you ever approved a project without knowing the report structure and then been disappointed when you saw the report? If yes, you are not the only one who has been stuck there.

Have you seen any sample reports?

Getting a high-quality report is very important, and it is also a great way to assess your vendor. A good report should contain a detailed explanation of each vulnerability, including detailed proofs of concept (POCs), prioritization based on risk and an executive summary for management. Clear and concise recommendations and a remediation plan for fixing vulnerabilities in priority order add value for money beyond simply delivering the service.

What else after reports

In this industry, many security providers disappear after delivering the report, and when the client has questions about it, reaching them becomes a big problem. In our experience, clients look for support through the remediation phase of the service, which adds value and keeps clients happy.

Are they doing Research and development?

The vendor's skill set should be kept up to date to meet the client's requirements. Make sure your provider has a separate team for R&D activities such as releasing in-house tools and frameworks and tracking the latest threats and attacks. These activities show how much importance they give to R&D and help you understand their capabilities.

Conclusion

Finally, in the journey of choosing a service provider we have seen a few things you should check with vendors. There is one more: the CIA triad, which is fundamental to information security and mandatory for every vendor. It applies not only to digital assets but to companies as well. As a client you should expect CIA from your vendor: confidentiality of your data, integrity of the service and availability of the service. With these points in mind, it is up to you how you further scale your business by leveraging cyber security.

Written by
Arulselvar Thomas Founder & Director
Cybersecurity expert at Briskinfosec Technology and Consulting, specializing in security assessments, compliance, and helping organizations build resilient security postures.
India (HQ) Bascon Futura Sv It Park, 12th Floor, 10/2,
Venkatanarayana Rd, T. Nagar, Chennai, Tamil Nadu 600017
+91 73059 79248 · contact@briskinfosec.com
UAE (Dubai) IFZA Business Park, Building A1, Dubai Digital Park,
Dubai Silicon Oasis, Post Box 342001, UAE
contact@briskinfosec.com
Briskinfosec is a CREST accredited, CERT-In empanelled, ISO 27001 and ISO 9001:2015 certified, DUNS registered cybersecurity company headquartered in Chennai with operations in Dubai, offering penetration testing and VAPT services.
© 2026 Briskinfosec Technology & Consulting Pvt Ltd. All rights reserved.