Are your solutions built according to secure design principles? Secure design principles are a set of fundamental concepts upon which products are developed to be resilient against attacks. Proper implementation of secure design principles significantly reduces the risk associated with using a product. The solutions you rely on must be designed using these principles—especially given the recent increase in attacks on MSPs. Ask vendors to provide examples of how their products meet secure design criteria.

Is the cloud your solutions rely on secure? It’s all about implementation when it comes to cloud security, especially with products that rely on public cloud resources. When evaluating solutions, consider whether you are responsible for implementing the solution and how much risk that incurs. Does the vendor offer implementation assistance? Do they provide any assurance that cloud resources are adequately protected? What sort of authentication do they require? Do they shoulder any responsibility if something does go wrong? As an MSP, it is vital to consider the amount of risk you are taking on when implementing a cloud-based solution.

How have you invested in your security? Vendors that take cyber resilience seriously will have hardened their products against known attacks and implemented additional security measures to protect their customers. Regular patching, multi-factor authentication, best-practice configurations, and regular audits are just a few of these measures. Beyond making secure products, vendors should also set rigorous security objectives and use frameworks for advancing and maintaining their own security. Supply chain management is another important consideration. Ask vendors about their information security team, which security frameworks they use, if they have secured their own supply chain, and how they continuously improve their security posture. Do they have a SOC2 Type 2 certification? What is their process for remediating and verifying identified weaknesses? What sort of incident response do they have planned? What is their business continuity plan in case of an attack?

Do you conduct regular security testing and analysis? Vendors should conduct regular vulnerability assessments, pen tests, security audits and cyber risk assessments to ensure that their business and infrastructure are secure. This might mean internal testing or contracting with third-party testers to identify vulnerabilities and then remediating the results. Ask vendors about their security testing and analysis efforts. How frequently do they conduct tests to improve their security posture? What are their testing goals?

How do you help customers achieve cyber resilience? A technology vendor’s primary objective is to provide solutions that contribute to cyber resilience. However, achieving cyber resilience requires a holistic approach encompassing people, processes and technology. Vendors might provide cyber resilience education to MSPs via live events, videos, podcasts, peer group engagement, and a variety of other mediums, forums and content types. Ask vendors how they go beyond technology to assist their customers in their cyber resilience efforts.