How to Avoid Choosing the Wrong Cybersecurity Firm

JD Supra Perspectives

In today’s threat landscape, managing cyber risk has become a top priority for businesses. Choosing the right cybersecurity firm, however, can be daunting: over the last several years the number of companies in the cybersecurity space has increased dramatically, and not all are created equal. Before investing in these services, companies should conduct their own due diligence on potential candidates.

Understand the Threat Landscape

The most important place to start when choosing a vendor is to understand the threat landscape. Cybersecurity is no longer just an “IT problem,” and while business executives are not expected to have in-depth technical knowledge of the world of cybersecurity (after all, this is the reason for hiring a cybersecurity firm), they should familiarize themselves with common industry terms and have a general understanding of well-known security threats. This will enable decision-makers to have an informed discussion with vendor candidates and make appropriate business decisions in response.


Similarly, companies should be aware of the variety of cybersecurity services that exist, such as services scoped to a particular environment (e.g., network, endpoint, mobile), intrusion detection and prevention, forensics, and testing services. Understanding the type of services offered and comparing them to your organization’s risk framework will enable you to select the vendor best suited to address your business needs.

Research Vendor Candidates

Business executives should also be sure that they fully understand the business operations and capabilities of any potential cybersecurity vendor. There are numerous factors to consider, including:

  • The firm’s expertise in your business’s particular industry
  • Ability to customize or tailor services to your enterprise environment
  • Reputable (and verifiable) track record for assisting companies with cybersecurity services
  • Ability to adapt, react to, and address the evolving threat landscape
  • Types of services offered as compared to your business’s risk areas
  • Bandwidth and resources of the firm as compared to the size and scope of your business
  • Incident response capabilities
  • Availability and accessibility of key staff
  • Geographical considerations and limitations
  • Cybersecurity certifications and credentials of key professionals
  • Costs of services benchmarked against similar providers in the industry
  • The firm’s own policies, procedures, and framework for managing cybersecurity risk
  • Willingness to cooperate in the contracting phase and to accept a reasonable allocation of risk and responsibility for their product and/or service

As with any vendor, the weight given to each of the above criteria will vary depending upon the size, scope, complexity, and nature of your business.

Choose Your Vendor in Advance

The appropriate time to select a vendor is in advance of a cybersecurity incident. Businesses are at a severe disadvantage when they are forced to hastily retain a cybersecurity firm in the midst of an ongoing incident, as the ability to conduct the necessary due diligence is limited. Selecting the right cybersecurity vendor requires careful time and attention, and you should not rush through the process.


Affording your organization time to appropriately vet the candidates will help ensure that you select a vendor that can best meet the needs of your business. It also gives your organization the opportunity to negotiate contractual protections in the terms of your agreement with the vendor. Finally, securing a cybersecurity vendor in advance allows the firm to become familiar with the unique details of your organization’s infrastructure, systems, processes, and personnel, all of which will be critical in the event of a cyber-attack and will help streamline the incident response process.

While there are certainly innovative and quality new products and vendors in this area, the reputable and established vendors have earned that reputation for a reason and are always a good place to start.

Don’t Get Scammed

Before choosing a cybersecurity firm, companies should be fully aware that there are companies looking to take advantage of the market demand for cybersecurity services by using scare tactics. Because cybersecurity is a hot topic and data breaches are becoming increasingly prevalent, illegitimate companies will often attempt to intimidate organizations into retaining their services by claiming to have identified a security flaw or vulnerability.

One tactic these companies use is to proactively scour the “dark web,” looking for information being sold, discussed, or transferred, and then to contact an organization preemptively, stating that they have identified a security flaw—or in some cases, an ongoing data breach—and that their company can assist in rectifying the issue (for a fee, of course). We have even seen instances where these companies resort to retaliatory measures (such as going public with their findings) if the organization they approach is hesitant about engaging them.

These companies will use language that makes organizations feel the issue is extremely urgent and often of large magnitude, but they generally refuse to supply specific details about the vulnerability unless the organization pays them to do so. Business leaders should be skeptical of any such communication. A legitimate finder can usually name the specific system, credential, or record at issue so that the organization can verify the claim independently; a refusal to provide any verifiable detail without payment is itself a warning sign. These types of companies have recently come under scrutiny, with some reports that they have gone as far as fabricating the alleged security flaws or information found.

Although cybersecurity work is urgent by nature, businesses should not let that urgency dictate the vendor selection process.

*

[Kaylee A. Cox is an associate in law firm Holland & Knight's Washington, D.C., office and a member of the firm's Data Privacy and Security team. Christopher G. Cwalina is partner in the firm's D.C. office and co-chair of the Data Privacy and Security team.]
