Considerations for Choosing Security Service Providers When Budgets Get Tight
Carlos Morales, SVP of Solutions
The survey conducted in December by the Neustar International Security Council (NISC) revealed some concerning statistics about how cybersecurity budgets are evolving in 2023. The worldwide economy continues to slide towards recession, and most organizations are taking a hard look at how they spend their money. Across-the-board budget cuts have become a normal state of affairs, as nobody is sure when the economy will rebound. The NISC survey, which focused on how this climate is affecting cybersecurity budgets, found that 51% of the companies responding did not have sufficient funds in their budget to cover their complete cybersecurity needs, and 11% only had enough budget to cover their most critical assets. This is troubling because attackers do not appear to have suffered at all from the flagging economy, and attacks continue to pose an ever-present threat to companies.
To maximize the funds available to them, many companies have turned to service providers that offer cloud-based security services combining technology, cloud deployment, operations, software lifecycle management, security, and support. Security services are attractive because they remove much of the responsibility for maintaining technology and expertise from the business while offering a flexible OpEx model that helps the company control its expenses. When operating with a limited budget, it’s important to choose the best combination of providers to suit your needs and your price point. There are many providers to choose from, so selecting the right ones can be a daunting challenge. Many claim to solve a variety of the issues you may be interested in, but do they really?
Thankfully, there is a proven way of choosing wisely. Aside from function and cost, there are best practice considerations that businesses can use to assess potential provider partners. Companies that take a holistic view of their service providers will generally be successful in reducing their risk while staying in budget. With this in mind, the following points should be scrutinized carefully for each security provider that you are considering:
Deployment Architecture and Global Footprint
Your employees and your customers depend on the reliability and performance of your internet-facing applications and services. Several factors influence these areas. First, the locations where service is delivered, especially for in-line security services that sit in the traffic path, should be as close as possible to where your applications and services operate. If you have multiple, geographically diverse locations, your providers should have similar network reach to ensure a low-latency experience for customers. Second, the provider should have a redundant network architecture to make sure that the service is always available, and should back this up with uptime SLAs. Third, the provider should have the network capacity necessary to handle all customers on the service and to withstand volumetric DDoS attacks that would threaten the availability of the service itself. Many services claim to include DDoS protection but do not have the bandwidth necessary to withstand a large attack.
From budgetary, vendor management, and integrated operations points of view, it can be quite advantageous if the security provider can deliver multiple services bundled together. This often leads to significant cost savings and reduces the overall number of vendors that you have to manage. Many vendors make this easy by offering “platforms” that bundle services together for one contractual price. The downside is that not all vendors have the capabilities to deliver quality services across all parts of their platforms. Oftentimes, the platform is built on one or two strong products, and additional services are then cobbled together to round out the offering. These services may not be as effective, scalable, or usable as what you need. As you look at multi-service providers, ask whether they directly own and operate each of the services they offer, how long those services have been available, and how well integrated they are with the other components of the platform.
Have you had a call with a support “specialist” in the past where it quickly became clear that you knew more about the subject than the specialist did? Worse than this, have you found yourself speaking to a recording and had a difficult time reaching an actual person? As a consumer, this happens all too often when dealing with utilities, phone services, and the like. As an enterprise customer paying thousands of dollars for a security service and facing a critical issue, it’s completely unacceptable. Service providers must offer 24 x 7 access to security personnel with experience and knowledge in the area that they are supporting. Pedigree in this case is very important. Ask your provider how many support personnel they have, what their areas of expertise are, and how much experience they have with the services they are supporting. Providers need dozens of specialized people per service area to effectively support a scalable 24 x 7 service.
All service providers have a limit to the resources they can bring to bear to keep evolving a service. Providers that deliver a wider range of services are sometimes forced to focus investment on newer products and services at the expense of legacy services. Vendors will always say that they are focused on all areas of their solution, so the best way of ascertaining where their true focus lies is to look at what they are talking about as a company. Look at the latest press releases they have issued and the latest blogs and whitepapers they have published. This should give you a good idea of where their focus really is.
Security and Privacy
Suppliers and partners represent a huge security and privacy risk if they are not vetted appropriately. Businesses must be able to trust that what their partners provide will not only operate to specifications but will also not create new vulnerabilities in their environment. Several of the more recent high-profile data breaches have been introduced through the supply chain. Businesses need to increase the rigor of their vetting processes for potential new partners, and especially security partners, with measures that range from requiring a more thorough understanding of the partner’s reputation in the market to auditing the security and privacy processes they follow. It is reasonable to ask what security controls are in place, how responsibility for those controls is divided between you and the provider, and what audit rights you have over the provider’s practices.
Neustar Security Service is in the business of protecting our customers’ internet presence and brand. The Ultra brand has been synonymous with quality since it was first introduced to the market 20+ years ago. Our primary focus continues to be on delivering services that assure availability and protection for all internet-facing assets that our customers have regardless of where they are deployed: authoritative DNS, DDoS Mitigation, and Application Security protections. UltraDNS is one of the founding fathers of managed authoritative DNS services and today remains the leader in technology, footprint, and scale. The UltraDDoS Protect network was built from the ground up to provide the ideal footprint combining global reach, high-bandwidth capacity, and cutting-edge DDoS protection technology to handle every type of DDoS attack. It has handled hundreds of attacks each week for more than 10 years. UltraWAF brings application-specific inspection to protect the integrity of your web-based applications while also including application layer DDoS protection and bot management capabilities to complement UltraDDoS. I’m pleased to say that we will soon be offering DNS, DDoS Protection and Application Security protection in one UltraPlatform offering. More to come on this shortly…