By: Swathi West and Vince Maduri
Partnerships are an important part of any cybersecurity strategy. A cybersecurity partner will look out for your best interests and help fit your organization into the cybersecurity narrative.
What makes a good cybersecurity partner?
Not all risk is created equal, and each organization faces unique security risks. A good cybersecurity partner understands the unique risks posed to each individual organization based on their industry, and can tailor their services to the specific needs of each client. A good cybersecurity partner isn’t just providing a templated list of controls—they customize your cybersecurity program to fit your unique business needs.
Extensive knowledge and expertise should be top of mind when selecting the right partner for your organization. Cybersecurity partners provide the external perspective and guidance to ensure you are navigating the waters in a reasonable manner. When you meet with a potential partner, discussing their experience with similar organizations, tool stack, employee certifications, and their understanding of recent cybersecurity trends is a good way to gauge their experience and expertise.
Lastly, organizations should look for a cybersecurity partner with clearly defined values and commitment to ethical business practices. When it comes to cybersecurity, you’re essentially buying and selling trust. You’re trying to show your clients and stakeholders that you are trustworthy and you value their data. Similarly, your partner needs to show you the same.
Internal Efforts x External Experts = Highest Impact
Security can’t be done entirely in-house, but it can’t be entirely outsourced, either. Using both internal and external cybersecurity resources effectively together can multiply the overall impact. Internally, the people working with their organization’s product or software every day will know the ins and outs of the organization better than a partner. The organization’s employees are the internal experts that can understand and explain the scope and alignment of the organization to the partner.
External resources (cybersecurity partners) can provide an altogether different perspective on the business, and can use their expertise to determine the most important areas to prioritize. They know how to ask the right questions and frame the context of the organization within a bigger picture—providing the 30,000-foot view, so to speak. When you combine both internal and external resources, you have the best chance for success.
Take secure coding, for example. If your organization is following OWASP guidance and ensuring it follows all the steps to secure coding, a security consulting firm can look at your change management process and provide guidance on what’s really required for the organization. That way, the organization can save time and effort, knowing that it isn’t wasting resources on anything not required or important for its specific risks.
So, how do you figure out which security processes should be delegated to a partner and which should be done in-house? This is where a risk assessment comes in handy. When you know what valuable data you have and where your risks are, you can prioritize security. Security does not equal compliance; luckily, a lot of compliance processes can be automated so that an organization’s primary focus can be on security.
There are many different types of cybersecurity partnerships, including penetration testers, vulnerability management organizations, and security consultants. When looking for a cybersecurity partner, ask yourself: where are our internal knowledge gaps? If your organization has a knowledge gap in a specific area, find a partner in that area that can help you meet that need.
Defining the Partnership
Determining what type of partnership works best for your organization is an important step. This is where a security roadmap comes in handy—when you know what your priorities are in both the short and long term, it’s easier to find and build the right cybersecurity partnership.
The structure of cybersecurity partnerships can vary widely. A good partner will find a structure for an agreement that works for their client. Having a partner that is flexible and can work under various types of arrangements, whether it’s through a contract or fixed fee agreement, is highly beneficial. The right partner will work within the parameters of your individual business.
Measure the Effectiveness of Cybersecurity Partnerships
Most organizations want to know the return on investment they’ll see after working with a cybersecurity partner. There are a few ways to measure the effectiveness of your partnerships depending on the services your partner provides. If there are specific cybersecurity processes that your partner has helped with, defining your key performance indicators and keeping track of the progress with a cybersecurity scorecard can be helpful.
There’s also the deliverable side—maybe you get a monthly report, or your clients get a report that shows them the efforts you’ve put into your organization’s security. While deliverables are important, measuring the effectiveness of your cybersecurity partnerships comes with a few intangibles, too—namely, the trust of your stakeholders and clients. When you know that your most important stakeholders trust you, you’ve been able to build a successful cybersecurity program with the help of your partners.
Interested in learning more about getting the most out of your cybersecurity partnerships? Contact us today.
About the Authors
Swathi West, healthcare and privacy manager
As healthcare and privacy manager, Swathi leads BARR’s HITRUST practice by strengthening client relationships and developing new business opportunities. She will also be charged with planning and executing information technology audits, client risk assessments, and GRC Advisory engagements for our rapidly expanding client portfolio.
Swathi is originally from South India, and came to the U.S. to pursue her Master in Space Studies degree at the University of North Dakota. From there, she went on to work for UnitedHealth Group’s information security team where she fell in love with the cybersecurity industry, auditing several healthcare clients against the HITRUST framework. She then moved over to the client side, working for Cardinal Health where she gained experience selecting security tools, planning security testing, and the overall auditing process. Swathi then went on to Schellman and Company, working on several HITRUST, SOC, and HIPAA certification projects, before joining the BARR team.
Vince Maduri, head of Business Development
As head of Business Development, Vince forecasts client needs based on industry trends to generate new business opportunities. Vince is known for his diligence, professionalism, and commitment to supporting the needs of BARR clients and future clients.
Prior to joining BARR, Vince ran his own communications company alongside his father and siblings. There, he developed a new digital media product and ran day-to-day operations. He also worked for Wells Fargo in positions of increasing responsibility until joining the BARR team. Vince graduated Summa Cum Laude from Arizona State University with a Bachelor of Arts degree, then went on to earn a Global MBA from the Thunderbird School of Global Management.