Selecting a Cybersecurity Partner: Checklist

Selecting the right cybersecurity partner is one of the most important decisions for Swiss SMEs. The market is opaque, services vary greatly, and quality differences are difficult for laypersons to recognise. A wrong partner can be worse than none at all, as it creates a false sense of security.

According to a ZHAW study, 34% of Swiss SMEs are dissatisfied with their current security service provider but don’t switch because the process seems too complex. This guide provides a structured checklist for partner selection and shows what really matters.

Before the Search: Clarify Your Requirements

Before evaluating partners, you need to know what you need. Many SMEs begin the search with vague ideas and then are guided by sales arguments rather than enforcing their own requirements.

Define Your Needs

Which services do you need?

  • 24/7 Security Monitoring (SOC)?
  • Incident Response?
  • Penetration Testing?
  • Security Consulting and Strategy?
  • Managed Security Services (MSS)?
  • Compliance Support (ISO 27001, etc.)?
  • Awareness Training?
  • Forensics in emergencies?

How full should support be?

Which systems and environment?

  • On-premises, cloud, hybrid?
  • Which platforms (Windows, Linux, Mac, Mobile)?
  • Legacy systems with special requirements?
  • Operational Technology (OT) / ICS?

Which industry specifics?

  • Regulatory requirements (FINMA, healthcare, etc.)?
  • Industry-typical threats?
  • Special compliance requirements?

What is your budget?

Involve Internal Stakeholders

Cybersecurity affects multiple areas:

  • IT: Technical compatibility, integration
  • Management: Strategic alignment, budget
  • Legal/Compliance: Regulatory requirements, contract design
  • Finance: Pricing, ROI
  • Operations: Practical impacts on daily business

Get input from all relevant stakeholders before defining requirements.

Evaluation Criteria: What to Look For

1. Expertise and Specialization

Breadth vs. Depth:

  • Generalists offer broad spectrum but often less depth
  • Specialists offer expertise in niches but don’t cover everything
  • What do you primarily need?

Industry Experience:

  • Does the partner have experience in your industry?
  • Do they understand industry-specific threats and regulations?
  • Can they provide references from your industry?

Technology Expertise:

  • Does the partner know your technology landscape?
  • Do they have certifications for your platforms (Microsoft, AWS, etc.)?
  • Experience with your specific systems?

Size Matters:

  • Are you an important customer or one of hundreds?
  • Too small: Possibly not all services available
  • Too large: Risk of getting lost, less flexible processes

2. Certifications and Standards

Organisational Certifications:

  • ISO 27001: Shows systematic information security management
  • ISAE 3000/SOC 2: Confirms controls and processes
  • PCI DSS: If payment card data relevant
  • Industry-specific certificates: Depending on your industry

Personnel Certifications:

  • CISSP (Certified Information Systems Security Professional)
  • CISM (Certified Information Security Manager)
  • CEH (Certified Ethical Hacker)
  • GIAC Certificates (various specializations)
  • ISO 27001 Lead Auditor/Implementer
  • OSCP (Offensive Security Certified Professional) for pentesting

Swiss Context:

  • Understanding of Swiss data protection law (revDSG)?
  • Experience with Swiss regulators (FDPIC, FINMA, etc.)?
  • German-speaking experts available?

As an example of a provider meeting these criteria, RedTeam Partners holds CREST certification, operates from Switzerland, and has deep experience with Swiss regulatory requirements across financial services, healthcare, and critical infrastructure.

3. Service Level Agreements (SLAs)

SLAs define what you can expect. Vague SLAs are a red flag.

Response Times:

  • How quickly does the SOC respond to alerts of various severities?
  • Critical: < 15 minutes?
  • High: < 1 hour?
  • Medium: < 4 hours?

Availability:

  • 24/7/365 availability?
  • Planned maintenance windows?
  • What happens during outages?

Performance Metrics:

  • Which KPIs are measured (Detection Rate, False Positive Rate, Mean Time to Respond, etc.)?
  • How is reporting conducted?
  • Access to dashboards and metrics?

Escalation:

  • Clear escalation paths defined?
  • Who is reachable during critical incidents?
  • Are there named contacts or ticket system anonymity?

Consequences for SLA Violations:

  • Service credits?
  • Contract termination rights?
  • Or just empty promises?

4. Technology and Tools

Which tools does the partner use?

  • Leading, recognised solutions or proprietary, unknown tools?
  • SIEM: Splunk, Elastic, Microsoft Sentinel, Chronicle?
  • EDR: CrowdStrike, SentinelOne, Microsoft Defender?
  • Is technology modern or outdated?

Integration:

  • How does the solution integrate into your environment?
  • Agents required? Cloud-based?
  • Compatibility with your systems?

Vendor Lock-in:

  • How dependent do you become on proprietary solutions?
  • Exit strategy available?
  • Can you take your data with you?

Innovation:

  • Does the partner invest in new technologies (AI/ML, automation)?
  • Or do they rely on outdated approaches?

5. SOC Quality (for Managed Services)

If you’re booking SOC monitoring, the quality of the Security Operations Centre is crucial.

Location:

  • Where is the SOC physically located?
  • Data stays in Switzerland / EU?
  • Onshore, nearshore, or offshore?

Staffing:

  • Own employees or subcontractors?
  • Analyst qualifications?
  • Turnover rate (high turnover is red flag)?
  • Multi-tier analyst model (L1, L2, L3)?

Languages:

  • German-speaking analysts available?
  • Only English, or other languages too?
  • Important for communication in crises

Processes:

  • Documented, standardised processes?
  • Playbooks for various incident types?
  • Continuous improvement?

Threat Intelligence:

  • Which Threat Intelligence feeds does the partner use?
  • Active threat hunting or only reactive alerts?
  • Sharing of insights between customers (anonymized)?

6. Incident Response Capabilities

Incident Response is the moment of truth. How well is your partner prepared?

Retainer vs. Ad-hoc:

  • Is Incident Response included in standard service?
  • Or additional costs during incidents?
  • Retainer models for guaranteed availability?

Experience:

  • How many incidents has the team handled?
  • Which types (Ransomware, APT, Data Breach, etc.)?
  • Can you see case studies (anonymized)?

Forensics:

  • In-house forensics capacity?
  • Partnerships with forensics specialists?
  • Court-admissible evidence preservation?

Recovery Support:

  • Only detection and analysis?
  • Or also eradication, recovery, and lessons learned?

7. Communication and Collaboration

Technical competence alone is not enough. The chemistry must be right.

Responsiveness:

  • How quickly do they respond during evaluation?
  • Good indication for later collaboration

Transparency:

  • Open communication about capabilities and limitations?
  • Or only marketing promises?
  • Willingness to answer difficult questions?

Reporting:

  • Regular, understandable reports?
  • Technical details AND executive summary?
  • Frequency (monthly, quarterly)?

Proactivity:

  • Does the partner contact you proactively with recommendations?
  • Or only reactive during problems?

Cultural Fit:

  • Do working style and culture match?
  • Formal vs. informal?
  • Partnership vs. purely transactional?

8. References and Reputation

Customer References:

  • Does the partner offer reference customers?
  • Ideally from similar industry and size
  • Speak with at least 2-3 references

Questions for Reference Customers:

  • How long have you been working with the partner?
  • What do you appreciate most?
  • What could be better?
  • Were there critical incidents? How was the response?
  • Would you recommend the partner?
  • How is communication in daily business?

Online Reputation:

  • Reviews on platforms (Gartner Peer Insights, G2, Trustpilot)
  • LinkedIn presence and activity
  • Thought leadership (blogs, whitepapers, conferences)?

Market Presence:

  • How long in the market (stability)?
  • Growth (success signal)?
  • Financial stability (difficult to verify for private companies)?

9. Pricing and Contract Model

Price Transparency:

  • Clear, understandable pricing structure?
  • Or vague “depending on” formulations?
  • All costs transparent or hidden additional costs?

Pricing Models:

  • Per User/Device (typical for endpoint security)
  • Per Month Fixed (for SOC services)
  • Per Incident (for IR retainer)
  • Hybrid models
  • What fits your business model?

Contract Term:

  • 1 year (standard, good balance)?
  • 3 years (often cheaper but less flexibility)?
  • Monthly cancellable (more expensive but maximum flexibility)?

Notice Periods:

  • 3 months common
  • Auto-renewal or active extension?

Price Adjustments:

  • How are price increases handled?
  • Indexed (e.g., to inflation)?
  • Arbitrary or transparent?

Scope Creep:

  • What happens when scope grows (more users, systems)?
  • Clear scaling models?

10. Data Governance and Privacy

Data Location:

  • Where are your logs and data stored?
  • Switzerland? EU? USA?
  • Does this meet your compliance requirements?

Data Access:

  • Who has access to your data?
  • Only analysed for security purposes?
  • Or also for other purposes (analytics, marketing)?

Data Retention:

  • How long is data stored?
  • What happens after contract end?
  • Is data deleted or returned?

Subcontractors:

  • Does the partner use subcontractors?
  • Where are they located?
  • Do you have transparency and control?

Data Processing Agreement:

  • Required according to revDSG
  • Clearly formulated with all necessary elements?

Compliance Evidence:

  • ISO 27001, SOC 2 reports available?
  • Willingness for customer audits (for larger contracts)?

Red Flags: Warning Signs in Partner Selection

Certain signals should make you pause:

1. Unrealistic Promises: “100% security guaranteed” - Serious partners know absolute security is impossible.

2. Pressure and Aggressive Sales Tactics: “Offer only valid today,” “You MUST decide now” - Serious partners give you time.

3. Vague on Specific Questions: When technical detail questions are answered evasively or only with marketing language.

4. No References: “Our customers want to remain anonymous” - all of them? Unusual.

5. Outdated Technology: When primarily working with 5-10 year old solutions.

6. Missing Certifications: For security service providers, ISO 27001 is a minimum standard today.

7. Opaque Pricing: “We can’t say that yet,” “Depends on many factors” - for standard services, pricing should be clear.

8. Poor Onboarding Experience: If evaluation is already chaotic, operations won’t be better.

9. One-Size-Fits-All: “All our customers get the same” - individual requirements are ignored.

10. No Exit Strategy: “We don’t need to think about that” - serious partners also plan for contract end.

The Evaluation Process: Step by Step

Phase 1: Longlist (Weeks 1-2)

Research:

  • Google, industry associations, recommendations
  • Identify 8-12 potential partners

Initial Filtering:

  • Website check: Serious? Relevant?
  • Basic criteria met (size, location, services)?
  • Reduce to 4-6 candidates for shortlist

Phase 2: Shortlist and RFI (Weeks 3-4)

Request for Information (RFI):

  • Send standardised RFI to shortlist
  • Questions about services, certifications, references, approximate pricing
  • Set deadline (2 weeks)

Analysis of Responses:

  • Completeness and quality
  • Responsiveness (how fast, how professional)
  • Fit to your requirements
  • Reduce to 2-3 finalists

Phase 3: Deep Dive (Weeks 5-7)

Request for Proposal (RFP):

  • Detailed briefing to finalists
  • Specific requirements, use cases
  • Request detailed proposal incl. pricing

Presentations:

  • Each finalist presents proposal (2-3 hours)
  • Partner’s technical team should be present, not just sales
  • Ask hard questions, request demos

SOC Visit (optional):

  • For large contracts: Visit the SOC
  • See the work environment
  • Speak with analysts

Reference Checks:

  • Speak with reference customers of each finalist
  • At least 2 per finalist

Technical Deep Dive:

  • If necessary: Workshop with your IT team and partner’s technical experts
  • Clarify integration, technical details

Phase 4: Decision and Negotiation (Weeks 8-10)

Evaluation Matrix:

  • Objectify decision with weighted criteria
  • Scores for each finalist
  • But: Gut feeling and cultural fit also important

Negotiation:

  • Prices are often negotiable, especially for multi-year contracts
  • SLAs, scope, termination clauses
  • Aim for win-win, don’t “squeeze” partner

Consider Pilot Phase:

  • For large commitments: 3-6 month pilot
  • Reduced scope, option to extend
  • Minimises risk

Contract Review:

  • Have legal review contract
  • Especially: Liability, data protection, exit clauses, SLAs

Decision:

  • Communicate transparently with all stakeholders
  • Even rejections professional and appreciative

Phase 5: Onboarding (Weeks 11-16)

Kickoff:

  • Joint kickoff workshop
  • Get to know the teams
  • Clarify expectations and processes

Technical Onboarding:

  • Integration of systems
  • Installation of agents/sensors
  • Testing and tuning

Process Alignment:

  • Communication channels
  • Escalation paths
  • Reporting rhythms

Initial Assessment:

  • Partner should conduct baseline assessment
  • Identify quick wins and risks

Contractual Safeguards: What Should Be Included

Critical Contract Clauses

Scope of Services:

  • Exact definition of what is delivered
  • Included and excluded services
  • For changes: Change Request process

Service Level Agreements:

  • Measurable KPIs
  • Response and Resolution Times
  • Consequences for non-compliance

Pricing:

  • All costs transparent
  • Scaling (more users, systems)
  • Price adjustment mechanisms

Data Protection:

  • Data processing agreement according to revDSG
  • Data location and access
  • Subcontractor regulations

Confidentiality:

  • Mutual NDA
  • Handling of sensitive information

Liability and Indemnification:

  • Liability limits (often limited to annual contract value)
  • Partner’s insurance proof
  • Indemnification for IP violations, data protection violations

Term and Termination:

  • Duration
  • Notice periods
  • Termination for Cause (for serious violations)
  • Termination for Convenience

Transition Assistance:

  • What happens at contract end?
  • Support in transition to new partner
  • Data return/deletion

Audit Rights:

  • Your right to audit partner (for larger contracts)
  • Or at least receive SOC 2 reports

Insurance:

  • Partner should have Cyber Liability Insurance
  • Errors and Omissions (E&O) Insurance
  • Evidence on request

After Selection: Successful Collaboration

The partnership only begins after contract signing. For successful collaboration:

Regular Reviews:

  • Quarterly Business Reviews
  • Discuss: Performance, incidents, improvements, roadmap
  • Mutual feedback

Clear Communication:

  • Fixed contacts on both sides
  • Regular touchpoints
  • Open problem discussion

Common Goals:

  • Partner is extension of your team, not external service provider
  • Define common security goals
  • Celebrate successes together

Continuous Optimisation:

  • Adjust processes based on learnings
  • Evaluate new services
  • Keep technology stack up-to-date

Escalation Management:

  • When something doesn’t work: Escalate, don’t stay silent
  • Most partners want to solve problems
  • For systematic problems: Use contractual remedies

Periodic Re-Evaluation:

  • Every 2-3 years: Sound out market anew
  • Does partner still fit current needs?
  • Don’t automatically switch, but stay informed

Special Cases

For Very Small Companies (<10 employees)

Many large MSSPs are not interested or too expensive. Options:

  • Specialized SME security providers
  • Managed Service Provider (MSP) with security focus
  • Virtual/Remote Security Services
  • Shared SOC Services (multiple small customers shared)

For Regulated Industries

Additional requirements:

  • Industry-specific certifications
  • Understanding of regulations
  • Possibly on-premises instead of cloud
  • Extended audit rights

For International SMEs

  • Multilingual support
  • Multiple jurisdictions (data protection)
  • Follow-the-sun SOC (24/7 different time zones)
  • Local presence in countries

Costs of Partner Evaluation

Don’t underestimate the effort:

Internal Resources:

  • 80-120 hours for careful process
  • Multiple people involved
  • Opportunity costs

External Support (optional):

  • Security consultant for RFP process: CHF 8,000-15,000
  • Makes sense for large contracts or lack of internal expertise

Due Diligence:

  • Technical tests, reference checks
  • CHF 5,000-10,000

Total Costs: CHF 15,000-40,000 for thorough process

But: For multi-year contracts over CHF 100,000+, careful selection is worthwhile!

Invest Time in the Right Choice

Selecting a cybersecurity partner is a strategic decision with long-term impacts. Frequent changes are complex and can create security gaps. Invest the time for a structured, careful process.

Use this checklist as a guide, adapt it to your specific needs, and don’t be dazzled by marketing promises. The right partnership can transform your security, the wrong partner costs money without real value.

In the end, it’s a mix of objective criteria (certifications, references, SLAs) and subjective assessment (trust, cultural fit, communication). Both dimensions are important for long-term success.

Back to the Cybersecurity Complete Guide