In information security, an organization has to decide how much weight to give each of confidentiality, integrity, and availability. In most cases, the company makes that decision based on its industry and its compliance requirements.
Most companies that hire an IT security provider do so with a particular focus in mind, usually either breach prevention or incident response. When hiring an IT security provider, there are a few questions you should ask:
- What is your process for penetration testing? Who performs it, and how often? Is all software tested, or only certain types of applications? What do you find when you check our credentials against common password lists? How much time is spent on remediation when vulnerabilities are found in production?
- Are you familiar with the compliance requirements for our industry? Do you have experience conducting assessments against these regulations?
- What is your approach to vulnerability management? How do you prioritize vulnerabilities? Do you use a threat model to help make decisions about what is important and what is not?
- How do you handle phishing attacks when they occur? What is your incident response process? Are there specific steps that must be followed for us to stay compliant with any applicable regulations?
- Can you provide us with case studies or examples of how you have helped other companies improve their security posture? We would like to see examples of specific threats that were mitigated and how your team responded.
- What is your experience with cloud security? Do you have any recommendations for us when it comes to securing our data in the cloud?
- What is your incident response experience? Are there particular types of incidents that you are better prepared to handle than others? Do you have a plan for how we should handle an incident if one occurs?
- How do you manage third-party risk? Do you have a process for assessing the security posture of our vendors? Have you ever had to help companies recover from a breach that originated from a vendor relationship?
- Are you familiar with our environment and our specific needs? Do you think there are any other areas of security that we should be focusing on? Are our expectations of you realistic, or do they need to be adjusted?
- What are the reporting requirements for security assessments and audits? Do we have reporting obligations under a regulation or to an insurance provider? Can we log into your system and see the results of each assessment as it is being performed, so that we know what is going on?
If you are willing to accept the risks that come with doing business in today's world, then you had better understand your security posture and keep it as strong as possible. Questions like these should surface any areas of concern within an organization. They also highlight the real need for more cyber-security professionals to enter the workforce, since they are sorely needed right now. Good luck!