Outsourcing Cyber Security


One hour wasn’t enough. This is a must-watch webinar: we had an honest conversation about outsourcing security, who it is for, and what to expect.

We spoke about the difference between supporting a small organization (fewer than 100 employees) and a large enterprise. However, many things are similar. I won’t be able to cover everything in this blog post, but if you have one hour to spare, the recorded webinar is definitely worth watching.
It’s all mumbo jumbo to me
So where do we start? MSP (managed service provider), MSSP (managed security service provider), MDR (managed detection and response), vCISO (virtual CISO)... all these acronyms just add to the confusion. The answer is to find a person who will be your advocate. Some call this person a virtual CISO, but the title doesn’t matter; it’s someone who can translate the mumbo jumbo into plain English and help you understand your risk. You can hire this person for three months to help you select service providers and develop your roadmap, or part time as a neutral advisor. Either way, vet them as carefully as you would a full-time hire.

I don’t have an appetite for risk
Before anything else, you must understand what your risk appetite is and what it is you are protecting. You probably can’t do this by yourself, so finding that trusted advisor is key. Only after you understand your risk appetite can you quantify it and work out how much money you need to mitigate it.

How much does it cost to solve risk?
The amount you invest is not a guarantee that nothing bad will happen. It is unrealistic to expect to eliminate risk; instead, think of the risk you retain as a point on a sliding scale set by your risk appetite. Have an honest conversation about risk first, and only then about the money needed to mitigate it. Don’t open with “what do I get for $10K?”; the conversation should be about your risk tolerance and what it costs to get there.

Education, Education and Education, did we say Education?
Understanding risk is part of the education process. If your service provider is not educating you, they are just selling, pushing a deal that is not going to help anybody. The service provider needs to make time with leadership and help them understand the risk of not taking action. Lastly, education is a two-way street: the service provider needs to understand what the organization does for a living and learn that business.

What happens if, after everything I did, we still get breached?
The hard truth is that it is not a matter of “if” but of “when” you get breached. The real question is whether you are prepared when it happens. Make sure your service provider has a plan to recover fast and get your business back up, and ask to see that plan before you sign.

How do I know they are doing a good job?
Your service provider may have started by performing a security audit that led to a service agreement, but once they are delivering the service they can no longer be your auditor. Make sure an independent third party comes in to assess their work. And always ask lots of questions.

100% Privacy and Security at half price!
So you’re shopping for a service provider and you see ads all over the internet promising 100% privacy or security at a fraction of what you expected to pay. How come? Marketing teams often over-promise, and anyone offering 100% security is misleading you. But it’s an opportunity to learn. Be a smart customer and challenge them; critical thinking helps you learn. If someone offers similar services or products but charges less than you expect, engage them and ask hard questions: what are they doing that their competitors aren’t, and vice versa? Take notes and put the same questions to the competitors.

Moderated by

  • Wizer’s hacker, Chris Roberts!