Cyber security should be a concern for any company, and especially for small and mid-sized businesses (SMBs). But this does not mean that those SMBs should turn to their value-added reseller (VAR) or managed IT service provider (MSP) for help. On the contrary, those partners have a clear motivation: to sell you more security tools and IT services. Cyber security is not about hardware and software tools. Companies that get 80% or 90% of their revenue from reselling vendor tools are still motivated to sell more tools in order to fund their new foray into security. With shrinking margins on resold tools, these companies are turning to managed services, including security. This does not make them security experts.
The good news is that the trend is for businesses to turn to a Managed Detection and Response (MDR) provider, which is a great way to reduce costs and risks and get a true security strategy in place. However, if that service is simply a “bolted-on” service that your long-time VAR or MSP is adding in order to capitalize on a hot market, you may be making a mistake. Security is a very deep and technical discipline, and it takes a clear focus to get right. Spinning up a SIEM tool, collecting logs and installing antivirus on your endpoints is not complete security.
Another trend is for VARs to resell or use an MSSP's white-labeled service under their own logo. This may be a good service from the partner MSSP, but the VAR will typically struggle to add the necessary security expertise and security process to a service they may not know a lot about. They may also use security monitoring to position specific hardware they want to sell you to provide the service. In fact, that hardware may be a good control and worth the price, but it needs to be assessed from a risk point of view, not a vendor's. Do not get your security strategy from a security product vendor. When you sell hammers, everything looks like a nail.
So, what should you look for when your business needs help with cyber security, you want to keep costs down and risks under control, and you need a true security partner that focuses on your business and not their bottom line? Here is a quick list to start:
• Pick an MDR partner that provides cyber security only, and that is their sole focus.
• Pick an Independent MSSP/MDR provider that does not sell any hardware or software tools. They will have your interests in mind when recommending controls and tools you may need.
• Use an MDR partner that treats cyber security as a Business Risk, not just a technical one. It is not about the tools. Make sure risk management is part of the MDR service.
• Use an MDR partner that does gap and risk assessments, tied to industry standards, not just glass watching.
• Use a “high touch” MDR partner. Just getting alerts thrown over to you by email is not effective. You need a true security firm that will be your vCISO advisor.
If your SMB needs some help with cyber security, then get an MDR service that includes people, process, technology and risk management. Tools will change, and this is one of the reasons to consider outsourcing your security to an independent MDR partner: you get best-of-breed coverage that you may not be able to afford otherwise. Don’t jump into security services because of a provider’s appliance, firewall, tool or software. Jump in for the right reason, to enable your business. Beware of a VAR in MSSP clothing. You will be glad you did.