How to choose a cybersecurity vendor: 12 key criteria

How to choose a cybersecurity vendor

Most cybersecurity experts Informa TechTarget interviewed recommended dividing vendor selection into two phases: First, shortlist three to five vendors based on a clear set of requirements, then narrow that list through a comprehensive evaluation.

Before approaching vendors, clarify your business needs and goals. This will help you target vendors with the right products and services and a track record of serving businesses like yours.

Shortlist your vendors: 7 steps

1. Start by identifying your organization's most critical data, systems and vulnerabilities. What are your biggest threats? What kind of data do you handle -- sensitive customer data, financial information, intellectual property?
2. Define your cybersecurity goals. Are you looking for a complete overhaul of your security posture, or do you need to address specific gaps such as endpoint protection, cloud security or incident response?
3. Look for vendors with a strong history of success with organizations similar to yours in size and industry.
4. Check that they have relevant cybersecurity certifications (e.g., ISO 27001, SOC 2, CISSP, GIAC) that demonstrate adherence to industry standards and expertise. Look for cybersecurity industry awards, third-party evaluations and analyst reports.
5. Choose vendors whose credentials meet your needs. For example, if you serve government clients, ensure the vendor adheres to the FedRAMP or similar standards. If you handle sensitive data, verify that vendors comply with standards like HIPAA for healthcare or PCI DSS for financial sectors.
6. Evaluate your budget. Consider results, rather than the popularity of a product or service, and determine how much you are willing and able to invest.
7. Rank your top three to five vendors in order of preference and move into a deeper evaluation of each vendor's track record, offerings and ongoing support capabilities.

Evaluating vendors: 5 key criteria with detailed checklists

Before selecting a cybersecurity vendor, conduct a thorough evaluation of its full capabilities. This includes assessing its track record, security posture, product effectiveness and pricing structure to ensure they align with your business needs and long-term goals.

Sample questions are provided below to guide your evaluation.

1. Vendor's track record and offerings

• Where is the vendor located? Does it have an international presence? How many team members are on its cybersecurity team?
• Does the vendor own updated certificates of insurance? The most important types include cyber liability insurance; professional liability insurance, for errors and omissions; and commercial general liability insurance, which covers items such as property damage and reputational harm.
• How do vendors ensure that employees are trained in cybersecurity best practices and are aware of potential threats?
• Ask for references from existing customers and read case studies. Check peer review sites, such as Gartner Peer Insights and G2, for independent feedback. Particularly look for reports on how many security incidents or compromises they've experienced in the last three years and how they responded to breaches.
• Evaluate the performance of the vendor's products in real-world scenarios. How would they help you contain the spread of an attack in a certain hypothetical situation without causing further disruption to other critical systems?
• Look for any reports demonstrating a disregard for client data, such as publishing information about a client engagement, selling their data or otherwise compromising client privacy.

Expert tip: MSPs should choose vendors with a broad product portfolio who independently obtain and manage their own software licenses, have multitenant management capabilities, and integrate with relevant tools for remote monitoring and management and professional services automation.

2. Vendor's security measures and incident response plan

Evaluate the vendor's security protocols, data handling practices and incident response plans to ensure it can protect your systems, detect threats and recover from breaches effectively. Here are some suggested questions:

• What specific security measures does a vendor's organization have in place to protect against cyberthreats and cyberattacks?
• Does the vendor conduct regular security assessments and audits to identify vulnerabilities and ensure compliance with industry standards?
• How does the vendor handle and secure sensitive data, including personal and financial information, and does it have documented restoration procedures?
• What is its incident response plan for cyberattacks or data breaches?
• Does the organization have a system to monitor and analyze network traffic for suspicious activity and potential threats?
• Does the vendor use encryption and other security measures to protect data in transit and at rest?
• Who has access to the vendor's data? Who owns its data? Does it sell its data? Will your team be granted regular operational access to the data center?

Deeper dive:

• If appropriate, does the vendor support single sign-on authentication?
• What's the vendor's commitment to fundamental email security best practices? Here's where you check into the company's habits regarding Domain-based Message Authentication, Reporting and Conformance, DomainKeys Identified Mail and Sender Policy Framework -- protocols commonly known as DMARC, DKIM and SPF, respectively.
• Can you get the vendor's software bill of materials to inspect it for known vulnerabilities?
• What does the vendor's System and Organization Controls 2 report say? A SOC 2 report provides an independent auditor's opinion on a service organization's controls related to security, availability, processing integrity, confidentiality and privacy of the data it processes and the systems it uses.

Expert tip: Cybersecurity threats evolve rapidly. Choose a vendor that invests in research and development; utilizes cutting-edge technologies, such as AI and machine learning; and has a clear roadmap for future enhancements.

3. Vendor's service and operations

Minimize potential risks associated with outsourcing by familiarizing yourself with external guidelines, such as the NIST standards or CIS Critical Security Controls, which will help you ask the right questions during vendor selection.

Look for a vendor with end-to-end service covering the following areas:

• Risk assessments and vulnerability management.
• Threat detection and prevention, such as firewalls, endpoint protection, SIEM and threat intelligence.
• Incident response and recovery.
• Security awareness training for your employees.
• Data protection, such as encryption, backup and disaster recovery.
• Cloud security.
• Network security.
• Third-party risk management.

Ensure the vendor offering can grow with your business and adapt to changing requirements without significant disruption.

Deeper dive:

• Verify the vendor's stated security controls, possibly through a Standardized Information Gathering questionnaire or a custom-based questionnaire tailored to the type of vendor and its offerings.
• Check if you can access the vendor's systems, infrastructure and managed data or services. Ensure you're granted complementary entitlement user entry control to its SOC report or similar document, such as a security addendum or a shared responsibility matrix that outlines its security controls.
• Check whether the vendor has configuration requirements, such as for firewalls, routers, servers and endpoints, as well as connectivity documentation for components such as communication ports. This should include a written record of how those configurations are implemented and how data flows between your environment and the vendor's. In the event of a breach, you want to be able to report on it quickly to disconnect from a compromised third party.

Expert tip: Check what allowlisting is necessary. Identify which specific, approved items -- such as IP addresses, URLs, applications or email senders -- need to be explicitly allowed through your security controls (e.g., firewalls, email filters, endpoint protection) to ensure the vendor's cybersecurity service functions correctly and securely.

4. Vendor's support and infrastructure compatibility

Choose a vendor that is open, transparent and communicates clearly. It should provide regular updates and be easy to reach. Questions could include the following:

• Is the service responsive and competent, with dedicated 24/7 support? Is the vendor approachable and transparent? Do you have an easy way to access representatives, not just through tickets or customer portals? Will you be invited to meetings on user concerns and needs?
• How does the vendor offer remote support, and does it meet your standards?

Deeper dive:

• Is the interface user-friendly? Will your team be able to manage and operate the vendor's systems effectively? Does the vendor provide adequate training?
• How well do the vendor's products integrate with your existing IT infrastructure, security tools and workflows?

Expert tip: Consider whether the vendor is financially sound and committed to the long term. How many features can it consolidate for you, and do its products and services deliver?

5. Vendor's contract

Too many vendors produce false positives. Many of these risks could be avoided by carefully reading the vendor's contract. Consider the following:

• Does the vendor have clearly defined contractual terms and service-level agreements (SLAs), including response times for incidents, processes for handling security breaches and the ability to help you recover quickly? The SLA defines the vendor's quality, availability, performance and responsiveness of the service, as well as its control requirements, by contract.
• Does the contract stipulate that the vendor will provide regular reports, analytics and performance evaluations so you can monitor its effectiveness?
• Get a detailed breakdown of costs and understand the billing structure.
• Factor in not just the upfront cost but also ongoing maintenance, upgrades and support.

Deeper dive:

• See what the actual cost to implement and maintain the vendor's systems would look like. Some vendors reduce their quoted rate to win the business, only to make it back post-sale with added fees or other charges.
• It's best practice to reject add-ons, such as breach warranties and extra levels of support. Additionally, consider avoiding long-term contracts and those with excessive termination fees and/or with noncompete agreements that restrict your ability to work with other vendors.
• Distrust contracts with clauses that excessively limit the vendor's liability for breaches or service failures.
• Make sure your contract includes a breach notification clause requiring the vendor to provide 24-48 hours' notice of a breach, as well as a provision for a company representative to be available in case incidents need to be reported. Avoid vendors that do not offer 24/7 monitoring and proactive threat hunting.

Expert tip: Consider opting for the monthly pay-as-you-go business model and selecting a three-year commitment to hedge your bets. This approach allows for flexibility while providing some stability in pricing over the longer term.

In general, assessing cybersecurity vendors means systematically evaluating your own business capabilities and aligning them with the vendor's offerings, security policies, incident response readiness and overall reputation. Large, established players such as Cisco, Microsoft and Palo Alto Networks aren't necessarily better than smaller, specialized startups. Most importantly, focus on products and services that align with your actual requirements and provide real value to your organization.

Final thoughts on choosing a cybersecurity vendor

Start your vendor selection with a solid list of requirements. Rank them and evaluate at least three vendors in a proof of concept (PoC) against these requirements in a weighted manner. Include technical needs, such as integration, usability, training/support, vendor stability and financials, in your evaluation. Vet vendors by asking questions and verifying their claims.

As a sales engineer for a cybersecurity vendor told Informa TechTarget, "What I look for is the ability to talk to someone who understands the space, not just a sales rep. I require a POC in my own environment, a technical deep dive and compliance with SOC 2 Type 2. I also want a clear pricing model with no hidden costs."

Choosing the wrong vendor can lead to wasted spend and increased risk. But the right vendor can reduce your risk of breaches by over 50% and potentially save millions in downtime, legal fees and reputational damage.

Why is choosing a cybersecurity vendor so challenging?

In addition to the many thousands of vendors to choose from, the task of selecting the right cybersecurity partner is compounded by the following factors:

Download our free
template for a
cybersecurity vendor
evaluation here.

• Resource constraints. The top management at SMBs typically lack the in-house cybersecurity expertise to evaluate vendors properly. Their internal teams, meanwhile, are bogged down 24/7 by routine technical tasks, such as software inventory, patch management and user training, which prevents them from maintaining consistent threat management and incident response.
• Regulations. Compliance regulations, such as GDPR, HIPAA and SOC 2, are complex and constantly changing.
• Integration issues. Vendors' security systems must seamlessly integrate with the organization's IT infrastructure. Compatibility issues and insecure API connections can introduce new vulnerabilities.
• Product overload. The cybersecurity market is saturated with thousands of vendors across more than 75 different product categories with various overlaps -- firewall, antivirus and anti-spam, for example -- making it difficult to identify truly suitable candidates.
• Assessing vendor capability. It's hard to verify a vendor's real capabilities, especially its incident response, recovery speed and track record, when most offer similar software, support and third-party certifications. Marketing jargon obscures product features, and G2 ratings can't always be trusted.
• Lack of transparency. Organizations often lack full visibility into their vendors' security practices, particularly how vendors handle sensitive data or systems and how they manage their own supply chains (fourth-party risks).
• Pricing. Cybersecurity pricing can be complex, making it hard to understand the true cost and forecast annual security budgets.

Leah Zitter, Ph.D., is a seasoned writer and researcher on generative AI and cybersecurity, drawing on over a decade of experience in emerging technologies to deliver insights on innovation, applications and industry trends. She is a Certified Information Systems Security Professional (CISSP) from (ISC)2.