Information security is one of the fastest-growing industries in the world. In the last five years, there has been a boom of start-up cyber security companies serving regional markets and small- and medium-sized businesses. Having been in business for more than ten years now, we have expanded our capabilities and reach as the demand for our kind of experts has skyrocketed. Others haven’t followed suit.
In our local market, we have seen reputable security companies vanish. These were excellent companies that were known for good work, good processes, and good people.
What happened? Were they acquired or merged with another company? Did they just fold? Did they stop investing in themselves?
At a time when demand for services like FRSecure’s and those of other cyber security companies is the highest it’s ever been, it’s surprising to see this happening to so many.
It dramatically impacts the organizations they supported, too.
We often tell our team that to buy from us, people need to feel like we are knowledgeable, but (arguably more importantly) they also need to like us. The way businesses like ours work, we usually assign the same analyst to work with a customer throughout their journey with us.
This lets customers really get to know their analysts, and it lets the analysts get to know the business they’re working with. In both cases, that provides an emotional connection and a true feeling of partnership.
When cyber security companies go out of business, that relationship with an analyst who has served you over many projects is lost. It can be shocking and disheartening.
So, as a customer of these companies, it’s important to know what to do when your trusted security partner vanishes. Here are some scenarios and how you can deal with them.
Scenario 1: Cyber Security Companies Going out of Business
This happens.
Sometimes great practitioners start businesses only to realize that they love the work but dislike the business end of things. Some run out of money or overextend themselves until they lose it all. Regardless of the situation, you’re left in the cold, and there’s really not much you can do about it.
There are a few things that you should do right away, though.
- Stop all payments and send a formal notice of cancellation to the business address. Consult legal counsel on this and similar actions.
- Contact whoever you can to inquire about any information of yours that may exist in their systems. Try to recover/destroy that information.
- Contact the analyst you were working with. They may be willing to complete similar work on a contract basis while they are looking for a new opportunity.
- Find an alternative solution. In the event you can’t find your analyst or they have to leave the project mid-stream, work on getting another provider.
Scenario 2: Cyber Security Companies Getting Acquired or Merging with Another Company
This one is tricky.
There are a lot of things to think about in this situation.
Who acquired them? Are they reputable? Are they even in the same business? Are they local? Do you want to be in business with the new entity?
In our experience, there will be upheaval and turnover, so it’s safe to assume your “regular” analyst team/testers will move on at some point. As much as you are promised things will get better, unfortunately, risk management tends to fall through the cracks, and your project may be delayed or diluted in some way. Either way, here are a few things to consider.
- Ask for an in-person meeting with the new regime. Ensure that someone you know personally from the acquired company (such as your analyst) is included. If your personal contact doesn’t show (or they deny your request), that may be a sign of mass exodus and should prompt more questions for you to ask.
- During the meeting, ask very specific questions referencing the discussed deliverables and timelines of your current or future-contracted engagements.
- Ask all the questions you can think of regarding the methodology and substance of service you were sold. If there’s any waffling or misunderstanding, run.
- Due to the potential for turnover, insist you be provided the same or higher level of analyst for your project. Don’t get thrown to the junior-level wolves.
- Ask what other services the company provides. Your formerly product-agnostic security company may now be in the business of trying to sell you IT services or blinky lights to solve all of your security “problems.”
- If you’re uncomfortable in any way, ask for the contract to be terminated or for a credit toward future services you believe them capable of providing.
Scenario 3: Cyber Security Companies Going in a “Different Direction”
This one is ugly but realistic.
Service levels dropping? Long-time, trusted employees leaving? Being pushed products and services you don’t need or want?
Your trusted security company may be under new management or may have received investment dollars to bolster security solutions or products outside the services you are engaged in. There’s no recommendation for this scenario other than to run as fast as you can. This is not a situation where things may get better.
Obviously, it’s a good idea to avoid these situations, but it’s hard to see them coming.
Try to be cognizant and wary of companies with short histories and a lack of references in your space.
In an industry where people’s security, privacy, and protection hang in the balance of getting it right or wrong, take the time to understand the character, tenure, and fit of your security services partner in addition to their capabilities.
Closing
In a time and industry where rapid changes are the norm, it’s necessary to stay in tune with the things that guide your cyber security vendor decisions.
Do what you can to recognize these scenarios and understand what the pros (if any) and cons of the new situation are.
When you’re talking about protecting trusted, sensitive, and confidential information, your provider must be an experienced and trustworthy resource—and you can never be too careful selecting the right one.