Information Technology (IT) Security is BIG business. In fact, a source from Precedence Research says, “the global security market size was estimated at USD 143.07 billion in 2022 and it is projected to reach around USD 317.57 billion by 2032, poised to grow at a CAGR of 8.3% during the forecast period from 2023 to 2032.” That’s a staggering amount.
That number represents a mix of system integration and consulting, risk assessment and analysis, managed security services, and maintenance and support. With so many companies bidding for your business, and so many options to sort through, how do you choose the right company?
How to choose…
It largely depends on the problem you wish to solve. As mentioned, the IT Security market has many different segments that serve different areas. Apart from consulting, most are backed or developed by manufacturers that produce a product serving a specific need. These include, but are not limited to, security hardware and software such as IDS, IPS, EDR, XDR, MDR, monitoring software, and firewalls.
Great products but…
There are some great products available from these manufacturers, usually made available through IT consulting companies, MSPs and large distributors. If you know what you are looking for, purchasing them is not a challenge. All you need to do is Google it and you’re bound to get a plethora of options brought to you by IT consulting companies or MSPs in your area. Seems harmless enough… but what if you need some real security advice? Should you trust the same company that sold you the security product with your security consultation?
That depends…
In the IT consulting and MSP space, competition is fierce and it is getting harder for these companies to carve out market share. Most of them sell the same security hardware or software products as their competition, making it difficult to differentiate themselves. As a result, many of these IT companies are positioning themselves as security consulting companies to keep their customers captive, and it’s working.
Because security is a confusing and complex topic, many consumers are unable to discern whether a company is “qualified” to provide security advice. They believe that because the company was able to provide them with a security “product,” it is also able to provide them with sound security advice. This is not always the case.
Why do I say this?
Over more than two decades of providing security consulting to our customers, we’ve learned that many vendors have failed to provide critically important or accurate security advice, leading to a security incident. The security product vendor pushed for the purchase of a product that was not the right fit, or insisted that the product would provide all the security the customer would ever need. How do you know that the company you are purchasing from is qualified to provide you with security advice?
Here are a few items to consider
How long has the company been providing security products and services?
Companies with a short history of providing both should not be shortlisted. Any company can post the words “IT security services” on its website. That doesn’t make it a security consulting company. Look closely for other evidence that you can trust them with your security.
Does the company, or its staff, hold any security certifications?
A security certification that is well known and respected takes a significant amount of effort to achieve. It is a sign that whoever is behind the advice has some qualification to speak on the matter. This does NOT include a certification provided by the security hardware or software vendor, which only demonstrates familiarity with that vendor’s product. Look for vendor-neutral certifications such as OSCP, CISSP, CISA, CDPSE, eCPPTv2, and others.
What kind of security consulting services do they offer?
Consider penetration testing: do they offer all forms of it? Do they offer audits against frameworks such as NIST, ISO, or SOC? Do they offer disaster recovery planning, incident response, or other security advice?
Does the company have any references or testimonials?
Not all companies are willing to provide testimonials; however, the company you’re about to hand your security over to should have a few that can be referenced. Find out what security consulting services were provided and what the feedback was. Was there anything that stuck out?
Choose the right person or company
To us, choosing the right security consulting company is as important as choosing the right surgeon to perform an operation. You would likely not choose a doctor who has just graduated from med school unless he or she was surrounded by other experienced surgeons. You would likely look for certifications, seek a referral, or even get a second opinion in some cases. The same goes for your organization’s security!
Don’t be fooled.
Don’t be fooled by a fancy website or advertisement. Dig deeper, ask the questions, or conduct an interview. Get to know the security company and make sure that they can not only sell you a security product, but also provide sound, unbiased advice that addresses all the other areas of security their product cannot protect, because there are many.
Brand agnostic and proud of it.
We have remained proudly brand agnostic for 24 years. We have no motivation or incentive to sell you any particular security product. Our job is to provide you with sound information that covers all aspects of security. We are certified, experienced, and dedicated to our craft. We’ve helped companies across the globe avoid costly mistakes by helping them understand that technology is only one aspect of security; people and process are the others, and many product vendors overlook them. Let us know if you would like to discuss your security initiatives and we will give you our unbiased opinion.