Should you use a single vendor? Or several?
Striking the right vendor balance
Choosing the right cybersecurity vendor to partner with your business is vital as threat actors find new and creative ways to penetrate defenses. It's crucial to consider how well your chosen cybersecurity vendor(s) can adapt to these changes.
With countless cybersecurity vendors on the market, each with a different mix of skills, choosing the right one comes with its own challenges. Should you choose a single vendor with the skills to handle everything from vulnerability scanning to managed services? Or is it better to spread those skills across multiple vendors?
And as your business grows, your cybersecurity needs may evolve. It's essential to consider how well your chosen vendor, or vendors, can scale their services to accommodate your expanding operations.
Let’s weigh the options.
Attack, maintain, defend
A solid cyber defense strategy requires businesses to look at all angles. One group should actively attack your defenses to find vulnerabilities (penetration testing), another should monitor and manage your security devices and systems (managed services), and a third should guide and evaluate your overall program (advisory and assessment).
Some specialized cybersecurity vendors can handle all three areas — and handle them well. A single vendor should be able to provide penetration testing, managed services, and advisory, assessment and remediation, using separately skilled and trained experts in each department.
If a vendor says they can provide all three but has the same people working across multiple, or all, departments, operations can get tricky. While one group is building and maintaining, the other is trying to break what was built, and you can't have the same person doing both well: someone who tests the environment they also built and operate shares its blind spots and has little incentive to report gaps in their own work. Ask how the vendor keeps the testing team independent of the team whose work it tests.
With multiple cybersecurity partners you gain vendor diversity. Each vendor can validate another's work, providing checks and balances on the IT environment.
One vs. many
Working with a cybersecurity partner is exactly that: a partnership. Businesses should constantly maintain and assess their partnerships. Is your vendor consistently keeping cyberthreats at bay? Are they patching vulnerabilities effectively?
With a single vendor, you’re managing one relationship, which comes with benefits:
- Transaction costs will be lower.
- It’s easier to procure one partner versus three.
- In the ongoing relationship, you're managing one vendor instead of several, which simplifies operations across the board.
- When something isn’t working right, you go to one place to get it resolved.
With multiple vendors, you retain checks and balances. If you have a tolerance for working through multiple approaches, you can build a better solution by sourcing three ideas instead of one. However, this leaves you with more work and more avenues to navigate.
Challenging the status quo
If you've been working with a single cybersecurity provider for many years, you might be worried things have gotten stale — this is a valid concern. The same provider can accumulate biases over time, with preconceived notions about your organization and its environment.
Will the single partner get complacent? How are they staying relevant to you? How are they looking for ways to continue increasing the value you receive? You might consider bringing in someone new for a fresh perspective and different set of eyes.
If your single vendor is providing managed services, they should also:
- Ensure you’re staying aligned with business strategy by providing annual technology road maps.
- Make sure you’re meeting or exceeding expectations using quarterly business reviews.
- Readily identify areas for service improvement.
If your partner is penetration testing, try to rotate resources every two to three years (assign a new tester). There is a benefit to using the same person two years in a row: in year one they'll find the weaknesses, and in year two they'll verify that you fixed those weaknesses. But by year three, it's time to bring in a fresh perspective to look for vulnerabilities the previous tester didn't think to look for.
Alternatively, using more than one vendor builds in challenging perspectives. If one partner is handling managed services, you can hire a third party to perform the vulnerability assessment and find gaps in the managed services provider's coverage.
Whether you choose to work with one vendor or multiple, it’s essential you vet them. Ask the following questions:
- What’s your process to develop specializations?
- Are the same people handling my managed services, vulnerability scanning and penetration testing, or are those separate teams within your practice?
- As a managed services provider, how do you validate your own work and ensure you’re properly securing my organization?
- How do you create a collaborative environment working with multiple service providers in my organization?
There is no perfect answer when choosing cybersecurity partners. What you should decide is whether you need the diversity of thought from multiple service providers or the ease of one solution provider that has the bench strength to handle all aspects for you.
Ultimately, the decision between a single cybersecurity vendor or multiple providers depends on your specific business goals, risk tolerance and resources.
How Wipfli can help
Wipfli’s cybersecurity teams offer infrastructure managed services, cybersecurity managed services and cybersecurity advisory and assessment. We have the bench strength to rotate our team to bring your business consistently fresh perspectives. Learn more about our cybersecurity services.