How to vet vendors' cybersecurity tools for MSP practices

How to vet cybersecurity vendors

When it comes to vetting a cybersecurity vendor, it is critical that the MSP have a due diligence checklist, Weaver said. For example, MSPAlliance's MSP Verify certification requires MSPs to have a vendor assessment policy that itemizes all the vendors the MSP uses, what level of risk they bring to the MSP and what steps the MSP has done to validate the credentials of the vendor.

Charles Weaver

"MSPs, to some degree, assume the risk of their vendors. Therefore, it's important the MSP does some due diligence when evaluating and onboarding new vendors, especially ones involving cybersecurity," Weaver said.

"Reputation is about the only way you can really separate out the new guys that are constantly popping up with their version of the greatest idea," observed Jeff Hoffman, president of Chicago-based ACT Network Solutions. "Truthfully, if I listened to every pitch I get on a day-to-day basis, I'd never get anything done." Every vendor is excited about their offering and having to take the time to really dig into each one of them and separate the wheat from the chaff is tough, he said.

Because there are thousands of cybersecurity vendors and navigating that space is very difficult, it's important to have an independent partner to help with the vetting process, said Eric Foster, COO of Cyderes, the security-as-a-service division of Fishtech Group, based in Kansas City, Mo.

"If a company reaches out to an individual cybersecurity vendor, most of the time, that vendor will have solutions they want to sell to the customer, which they think are the right fit," Foster said. Echoing Hoffman, he added that "you can literally spend a whole day as a CISO listening to pitches."

With an independent vendor, such as a reseller, there is more accountability for the success of a product, and they can help with the selection process and implementation and operation of that solution, "as opposed to an individual vendor, who, quite frankly and unfortunately, can sometimes be motivated to close a deal and not motivated to form a long-term relationship."

While it may sound obvious, it's also important to look at a vendor's own cybersecurity program, Foster said. "I've been in the industry a long time, and it's all too common to [have] a 'cobbler's children' scenario where, 'Our company makes cybersecurity products, but we have no cybersecurity internally.' I've literally seen that."

Foster recommended using a common consensus questionnaire. He said he's a big fan of the Cloud Security Alliance's Consensus Assessment Initiative Questionnaire. "You get a vetted industry-standard list of questions" to ask any service provider. Another is the Standardized Information Gathering questionnaire.

Jeff Hoffman

Hoffman said he tends to rely heavily on reports from market research firm Gartner as well as from his own experience dealing with products. "As we pick up customers … we find what works well and what doesn't work well. We do lot of research. If there's a new and exciting product out there, we'll dig into it; but there's so much noise you have to somehow close your ears … and focus on what other people are praising in the market."

Vendors are going to try locking you in as long as possible, Hoffman noted, adding that it's "a big turnoff. I'm looking for commitment to quality. If the conversation starts with, 'Our contract is five years,' I'm going to throw them out. I screen for how a [vendor] approaches me."

Hoffman said he prefers it when contract terms and price are not mentioned until he asks. And while "you still have to put people through testing," he added that "trust is everything to us. I need to know someone's going to be there if we have a problem and is not going to disappear into the weeds looking for another sucker like me."

Questions partners should ask vendors

Truthfully, if I listened to every pitch I get on a day-to-day basis, I'd never get anything done.

ACT Network focuses on the SMB space. Hoffman said he asks vendors for references, what the vendor's installed base numbers are and the size of the market their customers are in. He said there are very few products that transition well from large players down to small players.

"What's happening at General Motors doesn't really have any bearing for me because my clients can't afford that," he noted.

Hoffman said he also asks what security services the vendor provides in the areas ACT Network focuses. "We've studied our client market and there are eight key vulnerabilities to any organization," meaning entry or exit points that may be susceptible to a cyberattack, he said. "So, we pay particular attention to perimeter defenses: How do we keep people out who shouldn't be in" the network?

As a former CISO, Foster said one of the most important questions to ask a vendor is about "real-world customers and real-world use cases, because there's a lot of people and solutions that look really good on paper, but when it comes to actual implementation … there's no comparison."

He said he always preferred to talk a lot less about a product's theoretical capacity or capabilities to solving a problem in the field and more about what customers were solving with the product and their challenges.

Eric Foster

"I always invested in vendors who were very transparent and straightforward with me and would say that their product isn't a magic bullet," Foster said.

Additionally, partners should ask vendors about the implementation and operation of the technology, Foster noted. Salespeople often overlook this. While they may point out what a product is and does, they may not mention it will take two full-time people to get the full value. "So, looking beyond the upfront costs of hardware, software and licensing to the full operational impact to my organization" is critical, he emphasized.