St. Louis Business Journal Ask the Expert Column – September 2019

Our cyber security “partner” recently contacted us to say they had “discovered unusual activity in our network that might indicate a breach” and that we “should investigate and remediate the activity further.” We were led to believe our partner could mitigate, not just monitor. The next day, we discovered our entire environment was encrypted with ransomware. We had indeed been breached – and, in my opinion, the money we spent on “security” had been wasted. What do we do now? 

The first thing you should do is fire your cyber security partner. Then, find a provider who will monitor, mitigate, provide detailed forensic evidence, and deliver expert witness testimony to help keep you out of trouble, and help minimize losses.

I’m hearing more horror stories like the one in today’s question every day. Unfortunately, I’m also reading sales language from cybersecurity providers that I feel is misleading, because false claims are being made. That’s why I thought it best to provide you with a checklist to use when hiring a cybersecurity partner, so you can rely on having protection 24/7/365.

Make sure your provider has a physical, on-site Security Operations Center (SOC). A physical SOC is the critical hub for any true cybersecurity operation. It’s our industry’s version of a war room. The SOC is where hardware, software, brainpower and bodies all come together. It’s where breaches are identified, problems are solved, incidents are mitigated, and order is restored where chaos once existed. Virtual SOCs cannot replace the collaborative environment and force multiplier that a physical SOC provides. You need people in one space, working together, sharing energy and technology to get the best results possible.

What’s troubling is that many large cybersecurity providers are touting the advantages of a SOC, but they don’t actually have a physical facility. Bottom line, if your provider doesn’t have an actual SOC on-site, they’re really not a full-service provider. They’re a monitoring service, like the security guard in a recent commercial, who only notifies that a bank robbery is taking place, rather than trying to stop it. Many cybersecurity providers merely identify an incident if there appears to be an intruder present – then, they continuously SPAM your email server with unactionable information.

Insist that your provider uses only full-time, on-site employees, not online contract workers or freelancers. If your cybersecurity provider is using contract workers or freelancers, you’re at risk. You need a dedicated team, with senior leadership, working shoulder-to-shoulder every day to ensure maximum protection. Non-employee workers are greater risks, because they have access to your systems and networks without the full accountability and security clearances of true employees. Don’t put your organization at risk for the sake of improving your provider’s bottom line.

Get written guarantees that the security team you meet on Day One is the team that will stay with your account. Cybersecurity is becoming the land of “bait and switch.” Providers will bring in the heavy hitters during the sales pitch . . . but once you’re under contract, if you’re not one of the biggest clients in-house, you’ll get sloughed off to the B-Team or the new hires. These second-tier employees are probably talented, but, in all likelihood, nothing close to the seasoned pros you met before you signed on the dotted line. Make sure you control who works on your business; otherwise, you’ll end up paying senior-level rates for junior-level talent.

Demand that your provider speak to you in simple-to-understand language, not jargon-laden geek speak. When it comes to cybersecurity, we’re all computer guys — and we all speak geek. It’s how we communicate on the job. But if your cybersecurity partner only uses terms you can’t understand, chances are they’re hiding behind layers of smoke and mirrors. They’re banking on the fact you won’t want to appear uninformed, so you won’t question their language. Question everything that’s not crystal clear! If a provider can’t explain exactly what they do in language that a 4th grader can understand, then show them the door.

Establish from the beginning that you won’t tolerate “data dumping.” Beware of cybersecurity providers who compile data, tell you there are issues, then dump their findings in your lap for you to investigate. That’s not how the system should work. Your provider should discover problems, report and explain them to you, mitigate the breach (with your permission), determine how the breach happened, and fix the weakness so the same breach won’t happen again. To understand your provider’s processes, and how they work, ask them to perform a mock-breach exercise, complete with reports, where you are walked through a controlled breach and mitigation, so you can see, first-hand, exactly how they work and whether their style is right for you.