How to Properly Vet a Security Service Provider

Hewlett-Packard security specialist Tom Masucci outlines key criteria to consider when assessing providers. Hint: Be ready to talk risk tolerance.


With the number and complexity of security threats continuing to rise, it is no surprise companies increasingly are turning to third-party security service providers to help put up proper defenses. So how do you properly vet providers to ensure you pick one that is a good fit for your organization?

To find out, we spoke with Tom Masucci, Security Specialist at HP, about the questions chief information security officers ask HP before signing on for any of the HP Security Services.

Assessing a provider’s chops

First up is determining whether a provider really knows security inside and out, or is merely talking a good game. Masucci turns the question on its head, saying it is incumbent on the provider to assess the customer.

“Experts in cybersecurity and credible service providers assess the current state of the customer environment, measure current technical and human capabilities, and establish executive risk tolerance prior to any recommendation,” he says. “Orchestrating secured workflow in concert with the business is more than security Xs and Os.”

Providers that fail to delve into such issues may be a “check-box” or one-size-fits-all service provider.

Startups vs. stalwarts

With so many companies to choose from, including startups, another issue is how to determine whether your chosen provider will be around for the long haul. There are a couple of ways to look at this issue.

“First, their track record and references are an indicator,” Masucci says. However, that does not mean startups are out of the question. “If they’re new to market but have a next-generation approach that’s aligned with your risk tolerance, that may be the best solution for you.”

In either case, the important thing is to continuously observe the provider’s performance, and maintain the flexibility to change vendors immediately, if warranted. “If security is important to the survival of your business, continuous monitoring of your provider is just as important as them monitoring your environment,” he says.

Think risk tolerance, not technology

When asked if there are any particular must-have technologies a security service provider should employ, or older ones to avoid, Masucci again returns to risk tolerance.

“What’s employed should reflect what’s most important to the business, what can’t go down, and that’s established through risk tolerance,” he says. “The requirements for a manufacturer that is dependent on availability of operational infrastructure are very different from a cloud-based content provider that is mostly concerned with preventing a data breach.”

HP and its partners have security covered

For its part, HP has a shared go-to-market approach, with internal experts assessing prospective customers and partners that share the same philosophy on risk tolerance. HP Security Services and its partners get to know their customers and understand their businesses in order to devise suitable strategies. Risk tolerance is key to their recommendations, which draw on an array of solutions for advanced cloud, endpoint, and network infrastructure, as well as for older, more traditional environments. If there is a takeaway, it’s this: It’s important to know yourself, but when assuming responsibility for securing another’s enterprise, take the time and become your customer.

To learn more, check out the HP Security Services page.

Copyright © 2021 IDG Communications, Inc.