When people talk about cybersecurity they tend to focus too much on technology. Technology is the moat; it is people and policy that make the castle. The better comparison for cybersecurity is emergency management.
If you go into any organization and ask a random employee what to do when the fire alarm sounds, they will likely know: head to hallway A, descend staircase B, exit through door C. Ask the same employee what to do when a ransomware note appears on their screen, and they likely won't know to disconnect the computer from the network (pull the cable or turn off Wi-Fi) and notify the security manager. Note that the instruction is to disconnect, not to power off: isolating the machine stops the spread, while shutting it down destroys the memory contents an investigator will want.
One reason for this is that workplace safety is mandated by OSHA, whereas cybersecurity is, for most businesses, unregulated. There are sector-specific requirements (HIPAA for patient data, the contractual PCI DSS for payment card data), but there is no general standard a provider must meet before selling cybersecurity services. A tattoo artist needs a license; a cybersecurity provider doesn't. The onus is on the customer to perform due diligence and exercise due care.
Writing a Cybersecurity Technology RFP
Before you even write cybersecurity into your RFP, make sure there is a designated security manager at your institution. Involve them in the process and name them in the RFP. If it's you, say so. If it's someone else, include their name and title so the provider knows who owns the relationship. If there is a hierarchy, include all of the relevant players. This helps the provider, and it helps your own employees understand who to go to in a cybersecurity emergency.
Next, explain what your company does. What is the mission? What are the objectives? Explain how the company is organized and owned: C corp, S corp, or LLC; publicly traded or privately held. Structure matters to the provider because it determines who can sign off on spending, on policy, and on decisions during an incident.
All of your needs stem from what you provide, and most of that comes down to the data you hold. A retailer must keep customer payment card data secure (and is bound by PCI DSS). A manufacturer is more worried about internal product documents and designs. A healthcare institution must protect patient medical records (HIPAA). An accounting firm lives on financial data. Name the specific data types, and the regulatory or contractual obligations attached to them, in the RFP so the provider can scope controls to what actually needs protecting.
For this next part, make sure the provider signs a non-disclosure agreement before you share anything. Then tell them everything about your network: the good, the bad, and the ugly. Without a full picture of the network they cannot fully secure it. They need to know how the network is configured, how it is subnetted, how the firewall is set up, and what the policies look like. They need a complete schematic to properly secure the network. One caution: that schematic is itself sensitive. Keep it out of the RFP document that circulates to every bidder, and hand it only to shortlisted providers under NDA, through a secure channel rather than a broadcast e-mail.
Technology is still important to cybersecurity, however, and the technology available is actually pretty good. Firewalls, advanced endpoint security (endpoint detection and response, or EDR), intrusion detection systems (IDS), and deep packet inspection tools are all part of a strong cybersecurity portfolio. You may also want to invest in vulnerability scanning and in periodic penetration testing so that the network is tested on a regular schedule rather than once. None of these tools help without someone watching the alerts they generate, so state in the RFP who will be monitoring and responding, in-house or the provider.
One thing companies can look at is IPv6. It is a steep hill to climb, but IPv6 is the next-generation internet protocol and carries security features such as IPsec as part of its design (the support is built in, though it still has to be configured and is optional for hosts under the current node requirements). Much of the malware currently circulating, especially automated malware, is written for IPv4 rather than IPv6. That won't be the case forever, so treat it as a temporary edge rather than a control. Two caveats: most modern operating systems already have IPv6 enabled by default, so an unmanaged IPv6 presence probably exists on your network whether or not you adopt it, and a migration means running dual-stack for a long time, so firewall rules, logging, and monitoring must cover both protocols or the IPv6 side becomes an unwatched path in. A long-term security strategy can still include moving the internal network to IPv6, provided it is done deliberately.
In any case, leave room for flexibility. Your provider will recommend the products they think best suit your business, and you can work with the provider to choose vendors and products.
Make sure to include how your employees work as well. If there is a large presence of remote employees on the network daily, the provider needs to know. If BYOD or company-owned devices interact with the network, they need to know. If there are IoT devices, sensors, or AV equipment connected to the network, they need to know. Anything connected is a potential entry point for an intruder, so an asset inventory, even a rough one, belongs in the RFP.
Finally, express your needs for ongoing support. A written incident response plan must be part of the program. Will you need training for employees? Will you need policies and best practices put in place? Will you need the provider to design drills and tabletop exercises? Will you need assistance during and after an attack, and if so, how quickly must they respond? Write the expected response times into the RFP so they end up in the contract as service levels. All of this is possible with your cybersecurity provider, but they need to know up front in order to give you a proper bid that takes the cost of ongoing support into account.