Reassuringly dull cyber security

Six questions to ask your provider before you sign up to CSaaS


Cyber Security as a Service (CSaaS) offers a number of benefits to organisations that want the best possible defence against cyber attacks, without the headaches and resource demands of an in-house cyber security function.

But if you’ve decided that CSaaS is the route you want to take, how do you go about choosing an outsourced cyber security provider? Here are six key questions to help you select the right partner for you.

Who are your technology providers and how do you evaluate their solutions?

Cyber security vendors are constantly improving their solutions to offer the highest levels of protection against modern cyber threats, including phishing, ransomware, zero-day exploits, polymorphic malware and distributed denial-of-service (DDoS) attacks, to name but a few. It can be hard to know which products you really need to protect your business, and to select the right technologies. An experienced managed service provider will choose its technology partners based on the proven efficacy of their solutions and on independent corroboration of that efficacy.

Organisations should also make sure that their managed security service partner is endorsed by the NCSC and holds the highest accreditations themselves – such as ISO 27001, ISO 9001 and CREST.

How do you address the three fundamental pillars of an effective cyber security defence – process, people and technology?

Contrary to popular belief, cyber security isn’t just about having the latest tools and technologies at your disposal. That’s just one part of an effective defence strategy, and must be backed up by having the correct processes and user education programmes in place to make sure that information and online assets are managed correctly, and that users are unlikely to expose them as a result of a phishing or other social engineering attack.

How will we know how well protected we are?

Proving that the cyber security product or service you’ve invested in is actually delivering a return is one of the hardest things to do. If you don’t become the victim of a breach, you assume it must be doing its job; if you do suffer a breach, you know that something, somewhere has gone wrong. The fact is, no cyber security solution can guarantee 100% protection against cyber attacks. But what CSaaS can do, and should do, is allow you to see exactly how well protected you are, precisely how well the service is performing, and what you can do to improve.

If and when a breach does occur, your service should also provide access to a Cyber Security Incident Response Team who will assess the extent of the breach (and make sure it isn’t still in progress) and guide you through the remediation and recovery process – including disclosing it to and liaising with the ICO on the organisation’s behalf, if required.

How much of a saving will we make when compared to the procurement and management of an in-house solution?

Any managed service provider worth its salt should be able to clearly demonstrate how its CSaaS solution is more cost effective than an in-house solution. It’s not just about saving on the cost of buying kit – the people costs such as hiring and training are a big part of the equation. Aside from that, you should also be looking for the value add that a potential provider brings to the table. Are their analysts professionally accredited? Do they offer penetration testing services and accreditations over and above their standard offering? How do they address data protection and the GDPR? Does their service require you to replace any existing cyber security investments that you may have already made and start again?

This last point is a really important one. Most organisations already have some security technologies in place, even if it’s just basic anti-virus and email filtering. Make sure that whichever provider you opt for can pull in and analyse the data from all of your current technologies and tools. The best CSaaS solutions will leverage your existing investments, rather than mandate that they should be replaced.

How do you ensure that we’re only subscribing to the service elements we need?

An organisation’s cyber security needs will inevitably fluctuate over time. Digital transformation initiatives, new product and service offerings, mergers and acquisitions and expanding into new geographies all represent increased exposure to cyber security attacks and require more advanced protection. Conversely, a global pandemic or restructuring may mean that cyber security can be scaled back. A reputable cyber security as a service provider should allow its customers to only consume (and pay for) what they need, when they need it.

How will you help us to improve our cyber security defences over time?

The techniques used by hackers and cyber criminals range from the relatively unsophisticated to the highly targeted and advanced. They evolve over time, and they adapt in order to try to subvert the countermeasures put in place to prevent them. Companies also change – and what might be an acceptable level of risk one day might not be by the following month. Whether your goal is to improve your cyber security posture immediately, or as part of an ongoing drive, you need to know the steps you can take and the impact they will have. Ensure you select a CSaaS provider who can deliver these insights, and partner with you to act on them.

The as-a-Service revolution is well and truly underway, and is only going to become more pervasive. It is only a matter of time before Cyber Security as a Service becomes the de facto method of protecting an organisation against modern cyber threats. Now is the time to do the research and assess which providers are best positioned to support your business, today and in the future.


Written by Pete Bowers
Pete Bowers is COO at norm. where he is responsible for the overall operational and financial functions of the business. He also oversees customer innovation and success, and plays a pivotal role in the ongoing development of cyber security and data protection services which deliver transparency and tangible value to norm.’s growing client base.

Appointing NormCyber as our virtual DPO has given Ferrero the best of both worlds – access to data protection experts who understand what we stand for as a business, without the hefty overheads usually associated with appointing an in-house DPO.

Harpreet Thandi
Regional Counsel, UK & Ireland, Ferrero

We were looking for a virtual DPO service that offered all of the benefits of a fully qualified data protection lawyer, without the overheads of an in-house hire. The DPaaS solution from norm. has been invaluable in helping us to ensure we respect the integrity of our customers’ personal information, while using it to continue to deliver differentiated products and services which support our growing customer base.

Mike Whitfield, Compliance Manager
Marmalade

CSaaS allows me to step away from multi-vendor management as the Security Operations Centre coordinates all of the technology for me.

David Vincent, CTO
Perpetuum

We were in the market for an independent Data Protection Officer service that was well versed with both UK and EU regulators. We’re thrilled to have acquired this service knowing that an expert is available 24/7.

Suzanne McCabe, Head of Project Management
James Hambro & Partners

Norm’s penetration testing layer, along with the suite of CSaaS modules has enabled MA to exceed all its audit requirements for its major clients.

Rob Elisha, ICT and CRM Manager
Montreal Associates

The speed of your Data Protection Officer’s response was very impressive – it was far quicker than I would have expected even from an in-house DPO.

Will Blake, Director of Technology and Analytics
CRU Group