Bekker's Blog

4 Tricks MSPs Can Use to Check the Security of Their Vendors

When a managed service provider installs agents or sets up other tools at a customer site, the customer is trusting them at a deep -- let's call it what it is, an administrative -- level.

Any agent or tool the MSP installs inherits that administrative access, so that makes it incumbent upon the MSP to ensure the vendor tools they're using are themselves secure. How can an MSP, often stretched by a small staff and many other priorities, be confident that its much larger vendor partners are operating in a secure fashion?

During an Acronis virtual partner event Tuesday, Amy Luby, who leads community efforts for Acronis' channel, put that question to Bobby Kuzma, practice director of assessment and testing at the Herjavec Group, a Toronto-based MSP that specializes in security services and training.

Kuzma provided four shortcuts that MSPs can use to assess how serious their vendors are about security.

1. A Leader at the Company Whose Sole Job Is Security
"The CISO role has been around since the late '90s. And there are still organizations that don't believe that security is someone's job. If a vendor doesn't share that belief that that's a responsibility that's worthy of having a dedicated professional for," Kuzma says, it should be a red flag.

That person doesn't have to be listed on the Web site, or in the C-suite or even at the VP level, although any of those attributes would be a good indicator of seriousness. "If you don't see a CISO, ask," Kuzma says. "LinkedIn is your friend. Flat-out ask them, 'Who owns security in your org, and can I get an introduction?'"

2. A Clear Process for Reporting Bugs in Their Code
"If they are a vendor that produces a tool or has a service that is offered, do they have some non-trivial way for people to report vulnerabilities? This isn't necessarily a bug bounty program, although those are nice," Kuzma says. "Is there a way to let them know without blasting it out on the Internet? If a vendor doesn't have a way of doing that, that's a thing that would concern me greatly."

It's OK if vendors outsource triage of vulnerability reports to a third-party specialist, he says, and tracking can run through routine service tickets, as long as handling a vulnerability report is a clearly defined procedure within the ticketing process rather than something that gets lost among ordinary support requests.

3. A Way To Get Your Customers' Risk Questionnaires Handled
"In this day and age, you probably have customers that want you as a vendor to them to fill out their risk questionnaires. Let's face it, they're silly [and] repetitive. No one likes doing them. You want to make sure that there's a sane process in doing that that doesn't involve a week in ticketing hell," Kuzma says.

Much of the time, in Kuzma's view, an NDA-protected FAQ covering the vendor's security operations center is good enough to answer those questionnaires.

4. Evidence of a Recent Pentest
"You may want to ask the vendor when was the last time they had their organization itself pentested and the product itself pentested?" Kuzma suggests.

He'll go so far as to ask for a copy, but he views an executive summary as good enough in many cases. "I wouldn't downcheck them if they're unwilling to share the full report," he says. "If they're willing to open the doors and let you peek your head in, that shows a level of maturity."

Kuzma had one final piece of advice for MSPs who may struggle to get answers to their security questions: Leverage your relationship with the salesperson who is trying to get you to sign up for the service. If their commission depends on your satisfaction, you're more likely to get answers.

"Your sales point of contact that you may be in touch with is probably your greatest ally in trying to get information," he says. "They'll start asking questions to make you happy."

Posted by Scott Bekker on February 02, 2021
