Questions to ask a small business cybersecurity provider

(Maximizing security while not going broke!)


There are multiple types of third-party cybersecurity providers, including:

  • Cybersecurity Consultants and Virtual CISOs (Chief Information Security Officers)

    • Generally engaged for a limited period of time to help bootstrap a customer's cybersecurity capabilities.

  • Managed Service Providers (MSPs)

    • Companies that remotely manage a customer's IT infrastructure and/or end-user systems, typically on a proactive basis and under a subscription model; they may also provide cybersecurity services.

  • Managed Security Service Providers (MSSPs)

    • A subset of MSPs that specifically focus on providing cybersecurity services. 


There are a few important things to consider before doing business with any IT service organization that also provides security services. The obvious questions about cost, past performance, and verifiable references are a good start, but here are a few additional questions you may want to ask a cybersecurity provider before committing to their services long term.

(For all providers)

  • After describing your business, ask them to explain where they think the greatest risk to your business lies and how they would best protect your operations.

    • Are they aware of any regulatory requirements for your specific industry?

    • What are those requirements, and how would they help you meet them?

  • What is your experience with preventing, detecting and responding to cyber incidents?

    • Can you describe a time when you prevented, or recovered from, a cyber incident?

  • Do you offer training for employees in order to protect against less technical (human manipulation / social engineering) based attacks?

  • Are you experienced with the specific technology and applications we are running?

  • How would you test for weaknesses in our environment?

  • How would you train our in-house IT staff to improve the security of the organization?


(More specific to MSPs and MSSPs)

  • Are you willing to let me “test drive” your service before signing a long-term contract?

  • Do you have insurance? What does your insurance cover?

  • How will you know if we are compromised? Describe in detail the escalation plan for acting on that knowledge. What happens if it occurs on a weekend and you cannot reach anyone?


Additional Resources: