Cybersecurity Vendor Risk Management Checklist

Cybersecurity is a complex and fast-evolving discipline. It’s more challenging now than ever for MSPs and MSSPs to have all the technologies, experience, and skill sets in-house. Not only is it cost-prohibitive to purchase numerous tools, but the tight labor market also makes hiring and retaining the right talent an uphill battle.

Working with top cybersecurity vendors is a proven MSP and MSSP pathway to success. SOC-as-a-service can help you shorten time to revenue while lowering the initial investment significantly because you don’t have to purchase hardware and software, hire a SOC team, or set up complex processes.

However, with so many cybersecurity vendors on the market and your reputation on the line, how can you make sure you’re partnering with a provider that can help you keep your clients safe and grow your cybersecurity practice?

Cybersecurity Vendor Risk Management: An 11-Point Checklist

This vendor cybersecurity checklist can help you conduct effective cybersecurity vendor risk management:

1. Cybersecurity Posture

Any cybersecurity vendor can send you a shiny proposal, but is it walking its talk? Supply chain attacks are rampant — a vendor with poor security protocols could become a low-hanging fruit for hackers, endangering your systems and clients’ networks.

Conduct a vendor cybersecurity assessment to ensure the provider uses trusted tools and has implemented the appropriate processes to keep your infrastructure safe. Additionally, its security posture and philosophy should align with yours so its services can effectively augment your offerings.

2. Cloud Configurations

IBM found that 45% of data breaches occurred in the cloud. Before you engage a vendor’s services, ensure it has a process for appropriately configuring all the cloud assets connected to your networks (e.g. serverless functions and databases). Also, the vendor shouldn’t store non-public information in plain-text (i.e. unencrypted) files.

3. Web Application Security

Your team will likely interact with the vendor via the cloud using various web applications. It should provide a secure method for communicating and sharing information. Also, it should have measures in place to protect against cross-site scripting (XSS) and SQL injection attacks.

4. Incident Response

Security information and event management (SIEM) and incident response services are table stakes for cybersecurity vendors. However, is your provider leaving its own environments vulnerable to attacks while it’s busy monitoring its clients’ networks?

Besides how a vendor responds to incidents in your systems and your clients’ networks, ask how it monitors its own infrastructure. What tools and processes does it use to identify and respond to incidents to avoid becoming the source of a supply chain attack?

5. Connection to your Infrastructure

Remote access to your company’s network, apps, and servers can be another weak link. Besides using IPsec VPNs, your vendor should constantly monitor the status of these connections to ensure that changes made to the infrastructure on either end don’t compromise the systems’ security.

6. Compliance Standards

Find out which security frameworks and standards (e.g. NIST SP 800-series publications, SOC 2) your vendor follows. If your clients are in highly regulated industries with specific regulations (e.g. HIPAA, DFARS), you should select a cybersecurity vendor that can help you and your clients stay compliant.

7. Access Management

A cybersecurity vendor potentially has access to your systems and clients’ networks. To minimize exposure, it should implement strict access management and a zero-trust architecture so employees can access only the information they need to do their job.

For example, it should have a comprehensive offboarding process to revoke all access privileges when an employee leaves the company. It should also have policies and procedures to ensure managers review access privileges frequently.

8. Log Monitoring

Security data logging is a standard SIEM activity that most cybersecurity vendors offer. However, is your vendor keeping an eye on its own logs and ensuring that it doesn’t become the weak link in your supply chain? Choose a provider that walks its talk and invests in advanced analytics to monitor its own logs and network traffic.

9. Employee Training

While the professionals monitoring your systems are data security experts, they aren’t the only ones with access to the vendor’s infrastructure. For example, hackers can target administrative employees to infiltrate a provider’s systems and access its customers’ networks.

Ensure your cybersecurity vendor offers comprehensive security training to all employees, including contractors, and follows cybersecurity best practices, such as enforcing a password policy and using multi-factor authentication (MFA) to protect its systems.

10. Decommissioning Services

One advantage of using a cybersecurity vendor is that it provides all the hardware, so you don’t have to worry about the upfront capital investment. But your provider still needs to use equipment to deliver the services — the servers and devices can become a security liability if the vendor doesn’t decommission them properly before disposal.

11. Client Communications

Transparency and collaboration are critical to a successful vendor relationship. For instance, your provider should have a procedure to notify your team as soon as it detects unusual activity so you can take the necessary measures to protect your assets. Where it uses cybersecurity tools such as SIEM and vulnerability management, the vendor should provide ongoing threat assessment and reporting to keep you in the loop.

Choosing the Best Cybersecurity Vendor for Your MSP

Risk management is a key component when you partner with a cybersecurity vendor. Create a vendor cybersecurity questionnaire using the checklist above to help cover all your bases when evaluating candidates.

Also, prioritize cybersecurity vendors that can provide all essential services under one roof to minimize the number of connections to your systems and streamline collaboration processes to ensure nothing falls through the cracks.

With our comprehensive SOC-as-a-Service for MSPs and MSSPs, you can access the latest cybersecurity tools and best practices for one affordable monthly fee. Our packages include everything from SIEM and vulnerability management to monthly assessment and reporting.

Learn more about our SOC-as-a-Service solutions and get in touch to see how we can help you augment your cybersecurity offerings.
