Managing cybersecurity vendors wasn’t always the daunting task it is today. Not too long ago, organizations were bound by a perimeter, and it was simpler to piece together a set of capabilities to stay safe and secure.
Businesses of all sizes followed a surefire formula that kept most of them safe.
With the introduction of the cloud and the push for digital transformation, everything changed. The perimeter has largely evaporated — companies rarely own their servers and entire teams are remote or distributed across the globe.
This has created a challenge, exacerbated by shadow IT and the ability for nearly any employee to spin up new services and infrastructure with minimal effort. This also means the attack surface of an organization has drastically changed.
With new ways to attack and more areas to defend, cybersecurity point solutions have popped up left and right, expanding an already saturated market. Large enterprises have mostly adapted by increasing spend, adding more bleeding-edge technologies and hiring larger security teams, but SMEs haven’t had that luxury. They don’t have the budget, resources or know-how to scale their cybersecurity posture, let alone confidently select the right cybersecurity vendors or manage them appropriately.
This isn’t just a matter of filling the gaps or adapting to the challenge of securing an organization with no perimeter — the entire process of vendor selection can completely overwhelm a small business. Let’s look at the difficulties in more detail.
There seems to be a new cybersecurity startup every day, adding to the 3500 vendors already in the market. SME security leaders already suffer from FOMO and decision anxiety as they’re constantly bombarded with FUD (fear, uncertainty, and doubt) and countless marketing claims presenting a vendor’s tech as absolutely necessary to stay safe.
The abundance of buzzwords and acronyms such as XDR, MDR, EDR, SASE, SSE, CSPM and more only makes it harder to know what’s required. Most SMEs just don’t have the time or the expertise to deftly navigate a cybersecurity market that deals in uncertainty and often relies on fear-based marketing.
This can lead to SMEs choosing the wrong vendor or believing they need a solution that won’t actually serve them effectively. You don’t want to end up with a vendor offering the latest and greatest tech, only for it to be a poor fit for your organization.
Remember the risk at hand and why you’re considering new vendors in the first place. How attacks fundamentally operate has not changed, and all companies are at risk of facing similar attacks, whether you’re a Fortune 500 company or an up-and-coming startup.
Are you looking for vendors that will fill in major gaps in your existing cybersecurity stack (or serve as the start of one) or ones that will materially increase your security? Will you need a vendor that will help you detect lateral movement, or do you need an endpoint detection and response vendor?
The best way to identify what you need is to consider the kill chain. This will give you a comprehensive understanding of the stages involved in an attack, letting you see where you need more coverage and security. Once you know your gaps, you can more confidently seek the right vendors.
Once you’ve narrowed your choices down and have identified the kind of vendors you’re in the market for, you’re now ready to initiate the procurement process. However, this can be its own burden, especially for a small IT department. This process will require you to:
This is a tough balancing act where you’ll have to make the case for a vendor, manage expectations, set goals, and pre-empt any potential objections across multiple departments and stakeholders. On the vendor side, expect to communicate with multiple points of contact as you move forward with the procurement process with a given vendor.
If you’re in the market for multiple vendors in order to build a strong security posture, it can be an incredibly lengthy process for multiple parties and stakeholders, not just your cybersecurity team. The required effort and resources can impact productivity and even your security as you try to build a suite of vendors that will protect you.
Once you’re ready to onboard a new technology, you’ll need to work with IT, developers, your own security department, legal and finance, among other departments, to make sure the implementation goes smoothly. Unfortunately, operational risks still exist during implementation and integration. If you run into a complication, you’ll need to navigate each vendor’s support process and then possibly move forward with a workaround that may reduce the technology’s effectiveness.
You’ll also be responsible for ensuring the technology integrates properly with your organization, and that it isn’t exposing you to unnecessary risk. If the roll-out of the new technology affects your employees, you’ll also have to plan out your communication strategy and provide any necessary training.
This entire process can take months depending on the stakeholders, impacted departments, budget involved, and how embedded the solution will be.
When considering multiple technologies from different vendors, this process balloons in complexity, straining all departments involved and pushing timelines out to years before you’re truly cyber resilient. You don’t want to make the mistake of embarking on a journey to procure multiple technologies across several years, only to have to delay the entire project because of unforeseen issues.
Vendor management includes the day-to-day work of communicating with vendors on top of the security team’s core job of responding to important alerts, which can come at any time (hackers aren’t taking weekends off, after all). With a full suite of vendors, you’ll be responsible for managing multiple license renewals, upgrades, and additional licensing, which will require involvement across various departments and stakeholders.
These conversations will likely involve pricing negotiations, which can become difficult to parse given that your organization is likely growing quickly, with more employees, devices, and an expanding network, all of which can change the cost of a vendor’s service.
As you add vendors and other technology partners, you’re further adding complexity to your existing environment that requires you to maintain full visibility in order to stay secure. All this can be incredibly taxing to an already strapped IT department, and you may find yourself needing to increase your headcount just to cope with the additional work. So, you’re back to needing to justify more budget and with the burgeoning cybersecurity talent shortage, you may not even be in a position to hire.
As your technology stack continues to grow, so does the level of complexity. Many larger enterprises have dedicated vendor management teams and it’s easy to see why.
Large, well-funded cybersecurity departments can handle vendor management given their breadth of resources. SMEs, however, struggle with vendor complexity and the departmental burden of vendor management. These challenges can impact your overall cybersecurity posture.
You may find yourself struggling to maintain full visibility of your environment, leading to blind spots. This may include missed alerts or crucial communications about an attack or compromise, further impeding response and recovery efforts. However, vendor complexity doesn’t have to be a necessary evil in order to have strong cybersecurity.
An MSSP is often a better alternative for SMEs, as it outsources vendor procurement, selection, and ongoing management in a much more streamlined and cost-effective manner. The right MSSP should offer a curated stack of industry-leading technologies, saving you the time and effort of selecting the right vendors and providing you with 24/7 support.
SMEs no longer need to feel overwhelmed by the complexity of vendor management, and should consider the benefits that outsourcing this time-consuming and ongoing process can bring. Learn more about how an MSSP like SolCyber can serve your organization better.