How to find the perfect security partner for your company
An external security partner provides a valuable service: security testing, paired with objective advice on how to keep your applications secure. They often make the difference between protecting your data and suffering a breach, and that means you don’t want to hire just anybody — you want to hire the right security partner for your company’s needs.
Not all advisors are created equal, so you’ll want to choose carefully and consider a variety of factors: Do you need a product or a service? A tool-centric or human-centric partner? What specialization does your company need?
Download Ted's free ebook, "How to secure your software faster and better."
Different companies have different security needs, and by gaining an understanding of the main differences between security providers, you can select the right partner to protect your assets.
Products vs. services
First, you’ll want to decide what form your security solution should take. There are three types of security companies: companies that sell only products, companies that sell only services and companies that sell both.
Assuming your goal is to find and eradicate security vulnerabilities so you can build secure software systems, that goal requires an advisor. By definition, that’s a service, so you can rule out product-only companies (note: you will need products too for aspects of your security program; but for the sake of this article, we’re just talking about the testing and advisory aspects). Furthermore, be leery of companies that sell both services and products if those services result in buying their product. For example, their consulting might inform you of a security issue that just so happens to be solved by a product they sell. That brings into question the integrity of the recommendation in the first place.
For these reasons, I’d recommend you look for a company that only sells services (or sells services and products as long as the products are not the solution to the problems the service will discover). This way, you can trust that the advice they give you solves your problems, and isn’t distorted by a motivation to sell a product.
Tool-centric vs. human-centric
Second, once you’ve identified a few security-partner candidates, figure out whether they offer a tool-centric or human-centric service. Many “service” companies are just running an automated tool and presenting it as a service. You can’t scan your way to security excellence.
Instead, you want to find an advisor who has smart, experienced experts who can help you solve your problems with the creativity that comes with being a human. The work needs to be manual.
To find the truth about a company’s service, ask questions: Is their advice personalized? Who does the work? What are their qualifications? How much is automated? What data and reports will you receive? Dig until you understand exactly what you’re paying for.
What is their specialty?
Lastly, after you’ve narrowed down your candidates to just a few options, you’ll want to focus on their specialties. Make sure their area of expertise aligns with your business’s needs.
Some companies will present themselves as experts in everything. Be wary of that; no one is the expert in everything. Most companies, however, do have a specialization, even if they have a wide range of capabilities. Ask what their single strongest area is, and that should help guide you.
Vet the companies’ qualifications to ensure that they’re as good as they claim to be. Look for research they’ve published, talks they’ve given at industry conferences, documentation on their methodology, and the deliverables they give to clients. If any of these are lacking or missing altogether for a given security company, consider ruling them out.
Find the right security match for your company
A security company might be incredibly skilled at what they do, but if they aren’t a great match for your company’s needs, they won’t be your best choice.
Remember, as an external partner, it’s not just about security testing: this company will also serve an advisory role in guiding your company’s security practices. Like a personal trainer, they apply years of experience. They point out where your form is bad and help you fix it. They hold you accountable. They make you better.
For the best results, choose a service-based, human-centric company that specializes in the area you need most. Look for these traits, and you’ll find a partner who can help you achieve security excellence.