September 25, 2009, 9:15 AM — by Brent Huston - With so many security vendors available, how do you know you're choosing the right one? Keep these tips in mind so you can avoid major issues down the road.
Evaluate how the vendor may be able to assist you beyond the core engagement. Look for items like awareness, document and policy creation, and other resource-intensive tasks that you may need help with.
Beware of claims that vendors or products will "make you secure." Security is a journey, not a destination. Deep defenses that are complex and focused on your assets are the best solutions.
Be very careful about a potential conflict of interest. The same company that monitors your network and/or systems should not also be the company that audits how secure you are. Companies that act as auditors should not be retained to perform IT consulting and such. These are disparate functions and they require independence from each other.
Beware of hype. The information security field is full of overblown technologies, overly touted certifications and grandiose claims. This is where your selection criteria, and looking for qualities like experience and trust, come into play again. The antidote to hype is trust.
Make sure that you review details like sample reports, sample contracts and resumes of the individuals performing the work. Make sure you understand who will be doing the work, what the timelines for completion will be, how travel costs will be handled and what steps the vendor is taking to ensure that both your services and their organization comply with NCUA Section 748 guidance.
Lastly, be very careful about a potential vendor's company ethics. The NCUA and the public are paying close attention to IT and management ethics these days, and you should, too. Ask the company about their policies pertaining to hiring "hackers". Ask them about their firm's security research teams, and how they handle new vulnerabilities. Do they report them to the vendor? Do they announce them to the public? You will find that some vendors not only identify new vulnerabilities, but actually help attackers by releasing "exploits" and other tools that attackers use to break into systems. Pay careful attention to the answers to these questions. Don't be afraid to ask what, if anything, the vendor is doing to help prevent future attacks, or to "give back" to their customers and others.
-- Brent Huston is CEO and Security Evangelist for Microsolved, Inc.