A very good standard for choosing MSS (managed security services) providers is described in the book “Surviving Security: How to Integrate People, Process, and Technology” by Amanda Andress (2003).
I will not repeat anything from that book, as I recommend buying it – but there are other aspects which are not mentioned there.
Just as described previously on the topic of choosing a penetration testing company – the process for selecting a security vendor should be similar.
Try to arrange a pre-sales meeting and ask for the engineers who are supposed to be serving you to be present – not their best engineer but the ones who are supposed to work with you on a long-term basis. This moment is very important – as what the sales team describes is often not what you will get out of the box after paying.
The engineer should be able to answer most of your questions (just as they are supposed to solve your problems later on) without writing them down for a later follow-up. If they are not able to answer a question, they should give proper pointers and politely promise a follow-up. Ask for at least one resume of the people who are supposed to be providing professional services to you – the process should be as tough as hiring your own team – as in fact you are doing just that, with the difference that the legal and financial dealings are with a company and not a person. The IT / infosec work will be done by their engineers, and you should assess them properly.
Have a list of requirements specific to your organization in advance.
Do not compromise on attitude and quality – a slight price difference in their favor is acceptable – but choosing a vendor just based on price is a very bad choice long-term. If the engineers are proud and / or arrogant at that first meeting you can be sure the situation will be much worse down the line – at the first sign of arrogance on their side cancel the meeting and move on to the next vendor.
Once again – make sure at least some employees of the vendor are active in the infosec community. Look at how popular their blog posts are (on Twitter and Google) – if the vendor is not contributing anything but is only trying to sell, there is a big chance their employees are not capable enough to be useful to the community – and probably are barely doing their job. Look for a different vendor if that is the case – there are thousands of small companies packed with qualified individuals – and finding them is your job. Good teams rarely have proper marketing / sales teams to reach everyone. If you need security expertise in a specific technology – you can find your vendor in the Reddit / Google Groups topics on it. Their Twitter feed should be full of helpful replies to people asking them for advice, and that is just one example. Finally, feel free to (anonymously) post your need on the same forum / Reddit / Twitter hashtags – someone might refer you to a good vendor / team. Trust the community!
Open competition is the driver of a clean and fair market, where deals under the table are harmful to all. Be sure to have a vendor's approval before sharing an approximate (not exact) figure from their offer with other vendors.
Base price expectations on each vendor's percentage compliance with your requirements.
When building my list of requirements I usually used the Gartner detailed vendor comparisons per sector, adding all functionalities and features of all vendor offerings to an Excel spreadsheet. Then I consolidated all overlapping features, assigned higher weights to the most important features, and built a matrix comparing vendors on their compliance with the features my company needed.
This matrix was then compared to the prices offered by all vendors – making the selection process quite straightforward and easy, especially for justifying the price to higher management.
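As an added illustration of the weighted compliance matrix described above (this is example code, not the author's spreadsheet or any real vendor data), the script below consolidates overlapping feature names onto one requirements vocabulary, computes each vendor's weighted compliance percentage, ranks them, applies a minimum-compliance shortlist so price never outranks quality, and lists the gaps to raise at the pre-sales meeting. The alias table, requirements, weights, vendor names and prices are all constructed for the example.

```python
"""Weighted vendor compliance matrix (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List

# Vendor-specific feature names folded onto one requirement name.
# This is the "consolidate overlapping features" step; the table is constructed.
ALIASES = {
    "24x7 soc": "24x7 monitoring",
    "round-the-clock monitoring": "24x7 monitoring",
    "siem": "log correlation",
    "log management": "log correlation",
    "ir retainer": "incident response",
    "incident response retainer": "incident response",
}

# Requirements and weights (constructed). Higher weight = more important.
REQUIREMENTS: Dict[str, int] = {
    "24x7 monitoring": 5,
    "log correlation": 4,
    "incident response": 4,
    "monthly reporting": 2,
    "named engineer": 3,
}

# Hypothetical vendors: annual price and advertised features with a
# compliance level (1.0 = fully covered, 0.5 = partial, absent = not offered).
VENDORS = {
    "VendorA": {"price": 120_000, "features": {
        "24x7 SOC": 1.0, "SIEM": 1.0, "IR retainer": 0.5, "Monthly reporting": 1.0}},
    "VendorB": {"price": 150_000, "features": {
        "Round-the-clock monitoring": 1.0, "Log management": 0.5, "SIEM": 1.0,
        "Incident response retainer": 1.0, "Named engineer": 1.0, "Threat hunting": 1.0}},
    "VendorC": {"price": 60_000, "features": {
        "24x7 SOC": 0.5, "Monthly reporting": 1.0}},
}


def canonical(feature: str) -> str:
    """Normalise whitespace/case and map vendor wording onto requirement names."""
    key = " ".join(feature.lower().split())
    return ALIASES.get(key, key)


def consolidate(offering: Dict[str, float]) -> Dict[str, float]:
    """Merge overlapping features, keeping the highest compliance level seen."""
    merged: Dict[str, float] = {}
    for feature, level in offering.items():
        name = canonical(feature)
        merged[name] = max(merged.get(name, 0.0), level)
    return merged


def compliance_pct(requirements: Dict[str, int], offering: Dict[str, float]) -> float:
    """Weighted compliance (0-100). Features outside the requirements earn nothing."""
    covered = consolidate(offering)
    total_weight = sum(requirements.values())
    earned = sum(w * covered.get(req, 0.0) for req, w in requirements.items())
    return 100.0 * earned / total_weight


@dataclass
class Row:
    vendor: str
    compliance: float
    price: int
    pct_per_10k: float  # compliance points bought per 10k of price


def build_matrix(requirements: Dict[str, int], vendors: dict) -> List[Row]:
    """One row per vendor, sorted by compliance (highest first)."""
    rows = [Row(name, compliance_pct(requirements, v["features"]), v["price"],
                compliance_pct(requirements, v["features"]) / (v["price"] / 10_000))
            for name, v in vendors.items()]
    return sorted(rows, key=lambda r: r.compliance, reverse=True)


def shortlist(rows: List[Row], min_compliance: float = 70.0) -> List[Row]:
    """Price is only compared among vendors that clear the quality bar."""
    return [r for r in rows if r.compliance >= min_compliance]


def gaps(requirements: Dict[str, int], offering: Dict[str, float]) -> List[str]:
    """Requirements a vendor does not fully meet: questions for the engineers."""
    covered = consolidate(offering)
    return [req for req in requirements if covered.get(req, 0.0) < 1.0]


if __name__ == "__main__":
    matrix = build_matrix(REQUIREMENTS, VENDORS)
    for r in matrix:
        print(f"{r.vendor:8} {r.compliance:6.1f}%  {r.price:>8}  {r.pct_per_10k:5.2f} pts/10k")
    for r in shortlist(matrix):
        print(f"{r.vendor} gaps: {gaps(REQUIREMENTS, VENDORS[r.vendor]['features'])}")
```

In the constructed data VendorB has the highest compliance, but VendorA delivers slightly more compliance per unit of price, and VendorC is cheap but falls below the shortlist threshold; the matrix makes that trade-off explicit for management rather than deciding it.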