Over the past 10 years, we've seen a progressive commoditization of the IT industry.  Help desk services are now rolled into unlimited flat-rate agreements, hardware replacement is more streamlined, and automated management and monitoring tools have evolved to provide useful proactive remediation services.

The value MSPs (Managed Service Providers) have brought to the average business is undoubtedly beneficial. But at what cost? When considering value, you generally evaluate three critical metrics: cost, efficiency/time, and quality. I've often told customers that no matter the vendor, you only get two of the three. As a CEO or business owner, understanding what you're sacrificing is key to navigating your organization’s IT strategy.

When evaluating your organization’s cybersecurity posture, business owners must also evaluate the limitations of their Managed Services Provider. Generally speaking, MSPs are keen on cost and efficiency but have sacrificed quality. This isn't to say they are not qualified in the services they offer, but rather that they lack the required depth to navigate today's evolving cyber threats. Automated tools, anti-virus software, and fast help desk response are no longer enough. Effective cyber risk management begins with an experienced and qualified cybersecurity partner.

There are four key variables that must be considered when selecting a cybersecurity vendor. While not a definitive checklist, these areas represent critical components to a successful and strategic partnership.

First, regulatory compliance. Does your vendor have the experience and applicable certification(s) to navigate your regulatory requirements? If you're regulated by HIPAA, PCI, etc., then your cybersecurity posture has definitive measures that must be adhered to. Non-compliance not only increases the risk of a breach, but can lead to substantial penalties.

Second, understanding of regulatory standards. Successful security programs and defensible networks leverage adopted standards. Resources available from ISO, NIST, CIS, etc., provide the framework to build, protect, and defend your network from cyber threats. Choosing a partner that not only uses these standards but also understands their implementation is critical.

Third, employee training. There is a legitimate argument to be made that this should be the number one priority when engaging a cybersecurity partner. Does the vendor have an established cyber awareness training program for your employees? Does the training meet regulatory requirements? How often is the training offered? Considering that nearly 70% of all corporate breaches begin with a compromised employee computer, training your staff is not only recommended, but absolutely required.

Lastly, experience. I know this sounds obvious, but you would be surprised. Just because an IT company has years, or perhaps decades, of technical experience does not necessarily mean it has cybersecurity expertise. The evolution of today's cyber threats has outpaced the generalist IT/MSP vendor. Much like in medical care, a cybersecurity firm is your specialist, while your IT help desk / MSP is your primary care doctor.

If you're unsure whether your vendor meets these requirements, just ask. Your cybersecurity firm should be able to provide verifiable experience, references, and relevant certifications within the industry. Considering the cyber exposure and risks businesses now face, IT companies have an obligation to be transparent about their limitations and to refer your organization to a cybersecurity specialist. In most cases, IT companies and MSPs welcome the support of a dedicated cybersecurity firm.
Breadcrumb is a cybersecurity and executive advisory firm. Located in Central California, we partner with organizations throughout the US, protecting their critical assets from cyber breach. Contact us today for a no-obligation consultation.

Author: Brian Horton, CEO, CISSP