The 80/20 rule of working with information security companies is to choose the one that matches your business and style, not one you found on a list of “top 10 information security companies”. This ensures you will spend the least effort and get the most benefits you can. This article will give you all the tools and techniques to select the right one.
What are information security companies?
Information security companies are the ones who help businesses become and stay secure. They may sell information security products or services, provide consulting or audits or resell products for a margin of each sale. The third type is the one you may wish to avoid.
What are the differences between information security companies?
The main difference between information security companies is their primary business objective. There are three main business objectives for information security companies:
- To sell their information security software
- To deliver information security services
- To sell somebody else’s information security software
The main issue for smaller businesses of up to 500 employees is that owners do not know which software to buy and why. They also do not know how to choose the right information security product among thousands on the market and are easily swayed by the information security companies’ sales into making a wrong decision. Do you even need to buy anything when you don’t have any defensive processes in place?
Then there are the information security companies offering services.
Who might need the services of an information security company?
Larger businesses have an internal information security team. That team decides which information security software to buy and from which vendor based on testing and validating their various products.
Smaller businesses do not have the luxury of having their information security team and rely on an information security company to help them properly select tools and services.
If you are a small business, then you most likely need to work with an information security company to:
- See where you are in terms of your current defenses
- Discover all vulnerabilities in your IT practices and infrastructure
- Prioritize the vulnerability remediation actions based on your business objectives
- Plan for remediating the most urgent vulnerabilities found
- Start building your defenses in Prevention, Detection, and Response
- Validate the work done
- Eventually, you might need to look for a virtual CISO to help you with your long-term defense plans.
What types of information security companies are there?
There are three main types of information security companies, as listed previously. But even they have dozens of sub-types. For example, the information security companies offering services might be offering defensive or offensive services. You would generally need to work with a defensive company first. Then, when your defenses are ready, you may try the assistance of an offensive firm to try and bypass any defensive measures in place. Without testing your protection, you may never know if they are effective or not.
Information security companies offering defensive services:
- Audit companies: ISO 27001, CMMC, SOC 2, NIST 800-53. An audit is a necessary first step before you start working with any information security company. Otherwise, you will have no frame of reference or plan and will end up with a chaotic list of defenses.
- Consulting companies: helping you prepare for official certification, build practical and efficient defenses or solve a specific problem. They usually combine decades of experience and can help you solve a cybersecurity challenge quickly and efficiently.
- Highly specialized: focusing on specific fields: nuclear, financial, legal, and others. If your business field requires specific security skills, you should work with a specialized information security company. Generalists cannot work well in the nuclear energy field, for example.
- Resellers: avoid them. Their motivation is to sell the highest ticket, not the most efficient or beneficial to you.
Information security companies offering offensive services:
- Companies providing penetration testing and attack simulation services:
- API penetration testing
- Web application penetration testing
- Full-scale penetration testing of your entire infrastructure
- Companies offering social engineering attack simulation services
- Phishing simulation services
- Social engineering simulation services
- Physical security attack simulation services
What’s the difference between information security companies and security software vendors?
Problems and solutions
Which problems do information security companies solve?
The more your business grows, the more complex and vulnerable your IT infrastructure becomes. You add new services, new servers, computers, devices, people, cloud services, and all of them add new weak elements. The more vulnerabilities your business has, the easier it would be for hackers to get in. If they do, they can steal your clients’ data, extort you and your clients, redirect money from your bank accounts. All these problems are preventable with the help of the right information security company.
- Unprotected cloud services: If you use Google Workspaces or Microsoft 365 services, the chances are that only 2% to 5% of all their security settings have been set correctly.
- Unprotected endpoints: if a computer has just an antivirus protecting it, it is unprotected. Antivirus is just one of more than 450 settings a laptop needs to be considered secure. Think about it: the operating system has hundreds of settings, the Office suite – too. Your browsers have dozens of security settings that are usually left unchecked, and so on.
- Unprotected accounts: email accounts, cloud service accounts, local system accounts, and service accounts all need tailoring and careful protection.
An information security company should be aware of all of them – that is why you should always go through an audit before proceeding with any fixes.
How do you manage projects when working with an information security company?
Security projects could be days or months long. Using proper project management techniques would increase their likelihood of success.
- Always start every new business project by involving your information security company in it.
- Be sure to get a sign-off of approval from your security company before your projects go live.
- Use kanban as a project management system – we have found it to be the most effective project management tool in working with companies of various sizes.
What are the pitfalls of budget spending when working with an information security company?
There are three parts of every information security budget:
- The budget for your team: salaries, training, tools
- The price of working with an information security company
- The price of the tools and software you need to maintain an effective defense. In other words, an effective Information security Program.
Let us presume you have 500 employees and one information security engineer. You outsource your CISO role to a Virtual CISO, and you need to buy tools and software to enable your Prevention, Detection, and Response functions.
On average, you would be paying around $6000-$8000 per month for the information security engineer, add to that the taxes and other government expenses of a full-time employee, your cost would be around $10 000 per month for that one security engineer, or $120 000 per year.
The Virtual CISO for a company of this size would cost around the same, so we add another $120 000 per year.
Then, you would need:
- Endpoint security: EDR or XDR, around $12 per machine, times 500 – $6000 per year
- SIEM: presuming you have around 30 servers and 20 cloud services used by your 500 employees, your spending would be about $30 000 per year at the absolute minimum.
- Response and investigation tools: depending on the operating systems in use and your investigative capabilities, you may end up spending around $5000 per year on licenses.
So far, for a 500 employee company, the average expenses for an adequate Information Security Program would be around $281 000 per year.
It sounds like a lot of money, doesn’t it?
Now let us do some math in reverse.
281 000 / 500 / 12 = $46.83 per employee per month to ensure that this employee and all data they operate with are safe. This one employee probably drinks coffee for about as much, if not more.
Does it still sound like a significant investment?
Now consider this. If you have 500 employees, you probably have dozens if not hundreds of customers, each trusting you with precious data. Just one breach could expose all the data of all your customers and all your employees.
Risks to your information security budget:
- not checking your security company’s neutrality: they could be recommending software because of their ties with the vendors, not for the software’s value and benefits. Cost: the price of the licenses.
- Hiring the wrong security engineer: you could end up hiring and firing multiple people in a year without actually having a security engineer while you pay them a salary. How to avoid it: trust your information security company to help you find the right person for your business and demands. Cost: $120K
- Hiring the wrong Virtual CISO by hiring the wrong security company: well, if you read this article, you should have more than enough data to choose the right one. Cost: $120K
How do you select the right information security company for you?
Selecting a partner to work with is a process you have followed before, but it is easier when searching in a field you know well. Information security is likely a field entirely foreign for most business owners. That is why we have prepared a brief list of rules to follow when selecting among the thousands of information security companies out there.
Your responsibility is equally as important as that of the information security companies you work with.
These are the areas you may wish to pay more attention to:
- Always clarify your requirements in advance, in as many details as you can. If you need help with this, ask the information security company to help you draft your requirements before they accept working on them.
- Expect a mountain of work coming in from the security company to your IT team. Your team is already busy, so you might consider adding more people to it.
- The money you pay to the information security company is negligible compared to what you will have to spend in man-hours and money to transform your entire company into a secure, resilient business. It is one thing to sell at a market and an entirely different thing building a fortress around that market. Be sure to assign and commit enough resources to become secure. Otherwise, everyone will just become exhausted and quit.
- Communication and Diplomacy are key. While every team and business process in your company transforms, people will undoubtedly resist the change. They will even sabotage the changes and cause failures on purpose to prove that security is not a good idea. All because people dislike change. Prepare them in advance for what is to come and support them in the struggle towards change.
- Grant the security company enough authority to implement any change. This means that they should operate with the authority of the CEO of your company. It sounds scary, but imagine if any manager in your business can act as a bottleneck or outright stop the security project? Do not allow this to happen.
- Security is a marathon, not a sprint. Even if you only need a couple of months of work due to your company’s small size, hackers will keep trying to get in via various and increasingly sophisticated methods. If you don’t have the support of an information security company to improve your defensive measures consistently, the hackers will succeed in making you their victim.
Good information security companies already know their responsibilities – be sure to listen to how they approach your project and you during your first meeting and throughout the pre-sales process.
Signals of Success
What are the signals of a successful project with an information security company?
These are the signals of a potential success even before you start working with an information security company:
During the selection process, notice the signs of respect and attention to detail. Are they taking notes when you speak about your business? Are they asking questions? Always prefer to have a video call as your first contact with the security company. Look at their facial expressions. Imagine working with this person for months or years. Would you want to? If yes, that is a signal of a potentially successful project.
How quickly do they respond to emails and questions?
You have not even started to work with a company, and it takes ages to get a reply over the phone or email. And that is during the pre-sales process! If you are having a hard time getting a hold of them, you will have even more significant troubles with that information security company in the future.
When do they start talking about money?
If they start asking you about your budget right away, that is all they care about. In this case, run. You are the one who should ask the money question first, not them.
When should I call an information security company?
You should call an information security company at the first sign that your clients would demand answers about your information security measures. You may also want to do so if you experience cyberattacks, even if they are unsuccessful. An experienced hacker will try until they succeed to get in. Getting in is not their objective, though – making money by extorting you or stealing money from your bank accounts could be their final objective.
Call an information security company if you experience:
- Increased numbers of phishing emails with links to fake login pages, trying to steal your employees’ usernames and passwords
- Increased number of malware sent as attachments
- Customers start sending you security questionnaires
- Before an incoming government regulation that may require you to apply security best practices across your entire business
What questions should I ask during my first call with an information security company?
You may want to ask your service provider:
- How are you different from other information security companies?
- How do I know if you have the experience my business needs?
- How long would it take to protect our business from cybersecurity threats?
- How much should we expect to invest in software?
- How much should we spend on services?
- What is the process of working with you?
A note from Atlant Security
An estimated … billion is lost every year to hacking attacks and insider threats. Most people and businesses suffer from a hacking attack sooner or later. An information security company like ours can help you build your defenses and significantly lower the risk of hacking attacks. Then, when the hackers do attack, you will be ready, and your impact will be much lower than on your competitors who did not protect themselves.