How to choose the best cyber security vendor for your business


Finding a cyber security vendor can be a challenge. There are many options available, and it is often difficult to plow through the marketing material to assess how well each one can meet your specific requirements. 

In an age of increasingly sophisticated AI-enabled threats and evolving ransomware groups, it can also be tough to work out what your needs are in the first place. There is a big difference between the in-house security skills at a large enterprise and those at a smaller company, and your requirements will reflect this. 

Finding the right vendor for your purposes might seem complex but with the correct approach, it can be done. Here’s everything you need to know.

What to look for in the best cyber security vendor

When choosing a vendor, you should be looking for a partnership, not just a license procurement, says Lewis Duke, threat intelligence lead at Trend Micro. “Ask about their strategy; does it align to yours? How communicative are they, and are they positioned to help solve your specific sector challenges?”

Businesses should make sure vendors have a proven track record and experience in cyber security, says Joshua Paulus, head of security and identity at Intelliworx. Meanwhile, firms operating in highly-regulated sectors such as healthcare and finance should ensure that the vendor has a thorough understanding of relevant industry regulations and compliance requirements.

Look for certifications including ISO 27001, SOC 2 and others that may be relevant within your sector, says Duke. 

One of the most important services a cyber security vendor can offer is the monitoring of your business’ IT estate, says Lewis West, head of cyber security at recruitment firm Hamilton Barnes. 

How comprehensive this service will be depends on the vendor’s package and the price you are willing to pay. A standard offering typically includes the provision of protection and monitoring during usual business hours, he says. “But if you did require an additional level of service, there are on-call models available where support is provided when needed.”

A good cyber security vendor will take the time to get to know your challenges and business operations, says Paul McLatchie, security strategy consultant at Daisy. Be wary of vendors that immediately start pushing a solution before they have become familiar with the relevant moving parts within your business, he says.

Low-cost trials for cyber security vendors

Before committing to a vendor, check whether they offer any low-cost or no-cost initial engagement, McLatchie advises. “Some provide introductory security evaluations free of charge, or at least, may be open to an initial no-commitment workshop session.”

You should also exercise caution engaging with vendors that provide an overly optimistic viewpoint that their products or services will solve all of your organization’s cyber security woes, says McLatchie. “Risk can never be completely eliminated, regardless of how fantastic the proposed solution is.”

Care less about the “whiz-bang AI and next-gen widget” and focus on the core question of whether the solution will truly protect your organization, says David Corlette, vice president of product management at VIPRE Security Group. He also recommends that leaders pay attention to independent testing agencies, such as AV-Comparatives or Virus Bulletin, which have consistently documented test methodologies.

Vendors will often talk up the benefits of integrating their solutions. However, such offers can be gimmicky and might not actually increase security, he says. 

Many vendors will be willing to tailor their services, says West. “It is always worth engaging in a conversation with them rather than assuming they will strictly adhere to the packages advertised.”

Which businesses need a cyber security vendor?

Of course, not all firms need a cyber security vendor. The key reason that businesses should consider using one is to gain a team of experts that can provide ongoing support, says West. 

If it’s still not clear, a good place to start is with a risk management strategy for your existing security posture, says McLatchie. “What systems and services drive daily business operations? What would be the impact were they to fail? What are the most prominent cyber threats to the organization? These questions and more can at least start firms down the road towards a basic understanding of the maturity of their current security capabilities.”

The first step for a business is to audit its infrastructure, including its external network, which is likely to be connected to third-party cloud services, as well as its internal IT infrastructure, agrees Samir Desai, vice president of product management at GTT. “If potential risks and pain points are identified and cannot be handled internally, one option is to go with a managed security service provider (MSSP), who can pull in a wide range of cyber security solutions with expertise and tailor them to meet a business’s unique needs.”

Don’t believe everything you are told. No single vendor can provide everything that is needed, from firewalls and a secure operating system to endpoint protection and email security, says Corlette. “Enterprises should be wary of any vendor that claims to do everything well.”

Cyber security vendors for SMEs vs enterprises

Your needs will also depend on the size of your business. SMEs will likely benefit from MSSPs that offer bundled solutions and handle day-to-day tasks, says Duke. However, enterprises might opt for multiple specialized vendors depending on their security needs, he adds.

It’s also worth considering how many security providers you need, given your risk appetite, attack surface, and the sector in which you operate.

SMEs typically lack the dedicated IT staff or technical expertise available to bigger businesses, so it’s important they prioritize vendors that offer more user-friendly solutions, says Paulus. “These should offer simple deployment and management processes without the need for additional time and resources in getting cyber security systems up and running."

Internal security teams can pick up the slack. In general, businesses should have an internal security team alongside a cyber security vendor, due to their differing skill sets, says West. “Often where external vendors provide the most value is in monitoring networks and identifying issues and vulnerabilities, which can then be reported to the internal team who will resolve the issue.”

Having an internal security team can give businesses better visibility over operations than an external provider. After all, they have the best understanding of their organization’s IT environment, says Paulus. “But what they can’t do is address all security risks alone or guarantee 100% security against all cyber threats. Working with external vendors can help businesses improve their security posture and address challenges effectively."

Kate O'Flaherty

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.