Dan is a 20-year veteran of the ICT industry, working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com, Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
How to cut through cybersecurity’s marketing spin
The world of cybersecurity marketing is jam-packed with incredible claims, offers and silver bullets from providers of all stripes, shapes and sizes.
Some guarantee “premium protection” or the chance for your company to “grow with confidence”, others pepper their pitch with trending buzzwords and promises of dazzling new technologies. Choosing the partner that’s right for you is not easy – but asking the right questions will go a long way in helping you identify which providers are the best fit for your unique cybersecurity situation.
Why choosing the right cybersecurity provider is vital
There’s plenty of hype in cybersecurity marketing, but cyber threats are very real and growing. The Australian Cyber Security Centre received over 67,500 cybercrime reports in 2020, an increase of nearly 13 per cent from 2019, while self-reported losses from cybercrime went over $33 billion. Surveys show that in 2020, 64% of organisations in Australia and New Zealand experienced business disruption from ransomware, while 76% of companies said they were hurt by their lack of cyber preparedness.
In such a landscape, choosing the right cybersecurity partner is a pressing need, and cyber providers are well aware of it. Like any other professional services sector, you’re bound to come across some tried-and-trusted and reputable names, as well as some less-than-reputable providers. Some vendors will be quick to lean into your fears about cyber threats, but a good provider will take the time to consider your situation and security practices first, and only then make a proposal that works for your specific goals.
It can be a difficult space to navigate, especially for those less technically inclined, but as with any partnership, you first have to be clear on what you want to achieve. Before you start flipping through brochures and poring over websites, spend some time thinking about what your organisation’s needs are. What are your current cyber capabilities like? What kind of budgets are you working with? What outcomes are you looking for?
First, know thyself
The best place to start asking questions is your own backyard. Does your cyber risk mostly come from external threats such as cyberattacks? Or are internal breaches more significant? Third parties such as cloud providers or suppliers will have access to some of your data, but may manage it to a very different cybersecurity standard. If you’re at risk of a partner breach, you may wish to source a provider specialising in third-party threat management.
Meanwhile, every industry has its own best practices. Oil and gas and healthcare will have a different set of priorities than manufacturing. If your company operates globally, you will have another set of frameworks to abide by. You might also have to take cybersecurity compliance requirements into account. If you’ve done the groundwork of separating your cybersecurity must-haves from good-to-haves, you’re already ahead of the game. Querying potential suppliers as to their expertise and track record in these areas will help you identify the specialists that can help you.
Do they have the scale, speed and experience you need?
The next step in cutting through marketing clutter is to assess the general offering of the cybersecurity companies you are considering. Can they handle your scale? Most companies have a maximum number of endpoints they can serve, while some providers will not work with companies under a given size.
Others may not be able to respond to incidents at the speed you require. Providers that are available 24/7 are a vital asset if you’re trying to identify and respond to a data leak before it is exploited by ransomware.
What’s their track record of serving organisations like yours? How long have they been in the market? Do they have a strong local presence? These may not necessarily be deal-breakers. Depending on your needs, it might make more sense to go with a newer, more agile partner, especially if they have expertise or capability you can’t find elsewhere. Understanding your own requirements is key: do you need all the bells and whistles a renowned full-service provider can offer, or would you be better served with a smaller, more specialised provider who focuses on serving a particular niche?
Probe their incident response plan
Speed isn’t the only factor in incident response. Any cybersecurity provider should be able to talk you through its incident response plan. This set of tools and procedures governs the way staff will help you detect and manage data leaks. An efficient, coordinated approach can substantially reduce the cost of any breach. Asking prospective partners about their plans, your direct contact in an emergency, and any additional contingencies and support they offer can help you confirm whether you can trust the company in a crisis.
Ask about their security framework and certifications
Companies should be able to give you details on their security framework and certifications. Government bodies such as the ACSC and NCSC have collaborated with industry bodies to produce frameworks covering sectors such as energy and tools such as industrial control systems. The more questions you can ask the better, from the qualifications of their analysts to their compliance with data protection laws and regulatory bodies. Staying up-to-date and compliant with ever-changing cybersecurity standards is one of the hallmarks of a solid, reliable partner.
Does their culture sync up with yours?
Culture and chemistry are big indicators of how well your two companies will get along. Ask about their way of working. Find out how they’re structured, what their priorities are and what makes them tick. For example, what’s their approach to threat intelligence? What role does it play in their decision making? Do they share their intelligence, or collaborate on any cybersecurity initiatives? Do the people on their team value business considerations as much as technical ones?
Ask about their views on trends or new government policies. Can they offer insights into areas that their firm is investing in, and why? These questions can help you ascertain how on top of current developments the provider is, as well as showing how open its communication is, and how interested it is in your specific concerns.
Dig beneath the headlines
Perhaps the most important question is one that cuts across every transaction in the world. Are current and former customers happy with the service they’ve received? Are there testimonials from companies similar to yours? Can you speak to any of the providers’ clients directly?
Other questions can help you dig even deeper:
Where do they store your information? Answers can help you understand their attitude to their clients’ data.
Do they use their own products to secure their data? If they don’t trust their cybersecurity solutions, why should you?
How have they responded to previous data breaches? Some companies may be understandably wary of discussing the times when defences slipped, but an organisation that’s prepared to own bad news, and explain how it responded, is one to take seriously.
What do they think is the most important solution they offer? Does it align with your wish list?
How do they interact with other software and technologies? Cyber is an increasingly interconnected sector, and if their tools won’t mesh with your existing systems you’ll need to know what steps they’ll take to bridge that.
Are they in it for the long haul?
Choosing a cybersecurity partner is exactly that – choosing a partner. That means you want someone who has a history of established, enduring, positive business relationships with their customers. Whoever you choose, you should be able to envision a long-term, fruitful relationship with them. You will be trusting them with your most crucial data, so it is vital that they undertake that responsibility with the seriousness it deserves.
With the speed at which technology evolves, you might not always find one partner that can do it all, and that’s okay. As long as you’re clear on your own security goals, and are honest about your expectations, you should have no trouble zeroing in on the right cybersecurity partner for you.