Networking, MSP

10 Security Questions MSPs Should Ask Their Software Providers

Yellow question mark glowing amid black question marks on black background. Horizontal composition with copy space. Q and A concept.
Jennifer VanderWier, president and CISO, F1 Solutions
Jennifer VanderWier, president and CISO, F1 Solutions
John Hammond, Huntress

Amid continued software supply chain attacks, MSPs increasingly focus on proper RMM (remote monitoring and management) security conversations with their software providers. But it's time for MSPs to have that same conversation with all of their software suppliers.

What security-centric questions should MSPs ask their software suppliers? Here are 10 example questions from Jennifer VanderWier, president and CISO of F1 Solutions. She shared the tip list during the Right of Boom security conference in Tampa, in a session co-hosted by John Hammond of Huntress.

10 Security Questions MSPs Need to Ask Software Suppliers

1. Have you assessed your tool? Against what standard?

2. Do you have a remediation plan with timelines you can meet?

3. Has your product ever been breach?

4. Is multi-factor authentication (MFA) an option for your tool?

5. Can my vendor access our clients data? What controls are in place? And do you have a shared responsibility matrix in place that you can share with me?

6. What protections are in place to protect your code?

7. How many people are on your security team?

8. What are your limits of liability?

9. In what ways can I limit vendor access to sensitive data?

10. Do you have a disaster recovery plan, and when was it tested?

Same Question, Multiple People

Among the additional tips: Have multiple people in your MSP ask the same questions to multiple people at a software company. Then, compare the answers from each software employees to see if they align with one another.

One other parting question to ask: What is your communication plan in the event of a cyber issue? If the vendor doesn't have a clear, detailed answer to that question then don't use their software, VanderWier said.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.