16. Security Services and Products: which ones to choose
It is known that Information Security is made by PEOPLE, PROCESSES and TECHNOLOGY, exactly in this order, because PEOPLE and PROCESSES determine the necessary technological solutions.

The evolution of information technology and the continuous mutation of cyber-criminals' attack techniques push the cybersecurity product and service market to create new solutions at a frenetic pace and to enrich existing ones with new functionality.

To find one's way and understand which solutions are most suitable for one's company, it is essential to have a solid foundation in IT and security, to stay up to date on this market and to understand its language.

Otherwise, there is a risk of purchasing products and services that do not address the company's truly important needs, or that cannot be implemented because they are too complex and expensive for the resources available.

The Information Security Program coordinated by the Fractional CISO (see 9. The Information Security Program) identifies the company's critical areas, establishes the priority of interventions and determines which technological solutions are necessary.


To purchase a security product, such as a firewall, a software EDR (End-point Detect and Response) in addition to the purchase cost, it is necessary to understand the technical characteristics, the effectiveness, the requirements for its correct configuration and management, the applicability to the context of the company, the license terms, the management costs.


Very often small and medium-sized companies have internal resources measured if not lower than those they would need, therefore it becomes natural to outsource to specialized operators (MSP ? Managed Service Provider) Security functions that require specific skills, such as Vulnerability Test, Penetration test, management EDR, server monitoring, SOC (Security Operation Center) etc.

In these cases it is necessary to identify the partner suited to the company, not only in economic terms but also in terms of the service offered (it must be what is really needed), the guaranteed service levels (SLA) and the reporting used to verify the operation and effectiveness of the service (Key Performance Indicators - KPI, Key Risk Indicators - KRI).

In addition to a clear service contract, it is imperative that the dialogue between the company and the MSP be both bidirectional and continuous, in order to calibrate the service, solve problems and adapt it to changes in the company or in its operating context.

These activities are also on the radar of the Fractional CISO from CISOaaS-it.