The significant amount of money that Organizations spend on Security Vendors, Services, and Tools to enhance their security programs is based on the premise that they have an organization to assist in enhancing their security from exposure to risk through the use of vendor(s). Just because an organization has a vendor does not mean that the vendor is providing meaningful value/lower exposure. Rather, it is more important to analyze whether the vendor(s) provide measurable/business value to the organization and deliver a strong Security ROI over time.
Organizations receive benefit from Security Vendors who provide technical reports/alerts but do not just hand out technical reports and then divert their attention to providing technical issues. When an organization uses a Security Vendor, it receives measurable/business benefit from the Security Vendor providing insight into the organization's risk, assisting the organization in understanding its business risk and assisting in decision making to mitigate that risk. When a vendor's output is mainly technical data with no business context, the organization cannot act on the information provided to its leadership. Therefore, the Vendor / Organization combination that is of most value is one that relates Vulnerability/Threat/Incident to Operational Impact/Reputation/Compliance/Business Continuity and demonstrates clear Security ROI.
A good security provider should be able to demonstrate an increase in the maturity of your organization's overall security posture over time. The relationship/risk associated with the provision of security services should become much more defined with time. Your security posture should improve overall in terms of clarity and performance as your partnership continues to grow and adapt to meet the evolving needs of your organization, ultimately improving your measurable Security ROI.
If you have not experienced any noticeable improvements in your organization's overall security posture throughout the previous year, despite having spent considerable resources on improving the security (e.g., continuing to purchase new products), your security provider is most likely NO longer maintaining its resilience from the previous year. In such cases, organizations should question whether their investments are generating any real Security ROI at all.
In addition to being able to demonstrate increased maturity in your overall security posture over a period, your security providers should also provide evidence of their performance beyond just providing "activity-based" reports. Examples of these types of reports would include dashboards created on a weekly basis, running periodic vulnerability scans, or maintaining a Security Information and Event Management (SIEM) system. The critical area of focus is whether the activities performed by your security providers have allowed for the earlier detection of incidents, the reduction of attack vectors, and provided visibility to senior management regarding security risks. When your security providers produce the outcomes that they expected, it allows your organization to change from being a reactive responder to being proactive in its overall risk management program.
One of the most important components to a successful security provider is communication. A reputable vendor values its relationship with you and views themselves as working alongside your team rather than just providing services. A reputable security provider should provide complete and clear explanations of your organization's security risks as well as assist you in determining where you should focus on remediating them and assist with making decisions in an incident situation.
If the only type of communication from your security provider is ticket closures and automated reports, your relationship with them is strictly transactional; there is no strategy to your actions.
Additionally, a security provider that provides value to their customers by assisting with future planning for your organization versus providing assistance after the fact (in response to significant security events) can help you develop your organization's security roadmap; align your security controls and capabilities with the growth of the business; and ensure that the purchase of the security hardware, software, and services will help to achieve an organization's long-term strategic objectives, such as digital transformation, regulatory compliance, and customer trust. By helping your organization to reach important long-term goals, a security provider will change from being a cost center to being a valuable partner.
Ultimately, the true value of a security provider occurs through their assistance in helping to build your organisation’s confidence, preparedness, and resilience over time. The key is not to simply transfer security processes to your security provider, but also to provide you with a defined and measurable ability to prevent, detect, and respond to threats.
One way to see improvements in your overall security posture is through a relationship with a partner such as Ancrew Global. By focusing their attention on risk-driven strategies, integrated services, and measurable outcomes, Ancrew assists organisations in moving from solely providing the basic security service of monitoring to providing meaningful strategies to improve your total security posture going forward while maximizing long-term Security ROI.