Why choosing wrong is worse than doing nothing
A weak cybersecurity partner is more dangerous than no partner. They create a false sense of safety, they hold privileged access into every system you own, and when the incident happens they are usually the first thing that breaks. South Africa's regulatory environment (POPIA, Companies Act, sector-specific rules) means a breach isn't just embarrassing — it's now a reportable event with real financial teeth.
The 12 questions to ask before you sign
- Who is actually watching the alerts, and when? Names, shifts, response-time SLA in minutes — not "our team".
- Show me a real incident report you produced last quarter. Redacted is fine. If they can't, they haven't handled one.
- What is your MTTR (mean time to respond) for a P1 alert? Anything above 30 minutes for a P1 is a reseller, not an operator.
- How do you protect your own environment? MFA everywhere, PAM, ISO 27001. Their weakest link becomes yours.
- Which frameworks do you align our controls to? NIST CSF 2.0, CIS Controls v8, ISO 27001. "We use best practice" isn't an answer.
- What happens in the first hour of a ransomware event? They should describe a runbook, not improvise.
- Do you test backups by actually restoring them? Monthly at minimum, evidence in the report.
- How do you handle offboarding — ours and theirs? The exit process reveals more than the sales pitch.
- What's your policy on paying ransoms? Correct answer: we don't, and we help you rebuild.
- Which of these tools do you deploy, and why? EDR, email security, identity protection, DNS filtering, MFA, backup, awareness training. Missing categories = missing coverage.
- Are you cyber-insured, and to what limit? Ask for the certificate. R25m+ is the working minimum.
- Can we speak to a client of similar size and sector? Any real partner has three references ready.
Red flags — walk if you see two or more
- "We use AI to detect everything" with no human on the other end.
- Free assessment that just runs a vulnerability scanner and prints a PDF.
- Refuses to name individual analysts, or the analyst is offshore in a timezone that doesn't overlap SA business hours.
- No ISO 27001 or SOC 2 of their own. They can't secure themselves.
- Everything is billed as a "project" — no ongoing monitoring included.
- Pushes you into a 36-month contract with no exit terms.
- Cannot articulate the difference between antivirus, EDR and MDR.
How the contract should be structured
- Base monthly fee per user or per endpoint covering monitoring, response, tuning, reporting.
- Tooling either pass-through at cost or bundled — but always itemised so you know what you own.
- Response SLA in minutes for P1, hours for P2, days for P3 — with credits if they miss.
- Monthly report covering alerts, incidents, patch compliance, backup restores, user risk score, top 3 recommended actions.
- Quarterly business review with a security-cleared human, not the account manager.
- Exit clause: 30–60 days notice after year one, full data export, revoked access documented.
Frequently asked questions
What is the difference between a security reseller and a real security partner?
A reseller sells you a product (Sophos, SentinelOne, Defender) and hands you a dashboard. A real partner actively monitors your environment, tunes the tool, responds to alerts within an SLA, and hunts for threats you didn't ask about. If nobody is watching the console at 02:00, you have a reseller.
Do we need SOC monitoring for a 30-person business?
You need monitored EDR/MDR. A full 24/7 SOC is usually overkill under 100 staff — but the endpoint tool must feed a mailbox and phone that a human actually watches, with a documented response SLA.
How much should cybersecurity cost us per user per month?
For an SA SME with baseline security done properly (EDR, email filtering, MFA-enforced, backup, monthly review) budget R180–R380 per user per month on top of your managed IT fee. Regulated sectors go higher.
What certifications actually matter?
For the partner: Microsoft Solutions Partner (Security), ISO 27001, and named individuals with OSCP, CISSP or SANS certs. For products, prefer tools that appear in the latest MITRE ATT&CK Evaluations and Gartner Magic Quadrant.
Is POPIA compliance the same as being secure?
No. POPIA is a legal framework about handling personal information. Security is the set of controls that make POPIA achievable. A partner should be able to speak both languages fluently.
How do we know the partner won't be the breach?
Ask for their own security posture in writing: MFA on every admin account, PAM tool for privileged access, ISO 27001 or SOC 2, and cyber-insurance certificate. Anyone who can't answer this immediately is the risk.
