Buying cybersecurity is harder than it was a few years ago. The market is crowded, the language is overloaded, and a bad choice does not just waste budget — it adds hidden risk through a provider that becomes part of your attack surface. This guide gives you the questions that separate a capability that reduces risk from a product that merely ticks a box. Browse our services for context, but the questions apply to any vendor.
At a glance
- Buy capability, not tools: a licence is not an outcome; ask who operates it and to what standard.
- The provider is a third party: their dependencies, data handling and continuity become your risk.
- Map to your obligations: NIS2, DORA, ENS and ISO 27001 should shape the questions you ask.
Why buying cybersecurity is harder than it used to be
Two things have changed. First, much of the risk now sits in identity, cloud and the supply chain, so a point tool rarely solves the real problem. Second, the provider themselves is a dependency — if they fail, change terms, or are breached, you inherit the consequences. Good buying accounts for both.
What a good provider should bring today
Beyond features, a strong provider reduces the security burden on you rather than adding to it: secure defaults, a clear vulnerability management policy, honesty about what they do and do not protect, and useful transparency about architecture, hardening and dependencies. If a vendor cannot explain what they do not cover, that is itself an answer.
Questions on security by design
Ask whether the provider reduces or increases your security workload; whether secure configuration is reasonably solved by default; whether there is a clear vulnerability-management policy; whether they can state plainly what they protect and what they do not; and whether there is meaningful transparency about architecture and dependencies.
Questions on third-party risk and dependency
Treat the purchase as third-party risk: what critical dependencies sit behind the service; where data is processed, stored or replicated; what happens if the provider fails or changes terms; whether there is a continuity, contingency and exit plan; and how the provider assesses its own sub-providers. Their supply chain is now part of yours.
Questions on operation and response
Probe what "24/7" actually means in practice, what operational support is included, how changes, exceptions and incidents are handled, what visibility you will have, and whether the provider can genuinely operate across Microsoft 365, cloud, identity and hybrid environments. Many gaps hide in the difference between a monitoring dashboard and a managed SOC that acts.
Questions on compliance and governance
Ask whether the provider understands NIS2, DORA, ENS or ISO 27001; whether they can translate technical controls into evidence and traceability; whether contractual responsibilities are clear; and whether the service actually reduces risk or merely "covers the file". A GRC-aware provider saves you work at audit time.
Questions on real fit with your organisation
Two questions reveal maturity fast: is the proposal prioritised for your real context, and can the provider tell you what you should not buy yet? A vendor willing to talk you out of unnecessary spend is usually one worth trusting with the necessary spend.
Red flags when evaluating a provider
Watch for vagueness about what is and is not covered, "24/7" that turns out to be a ticket queue, no exit plan, no answer on sub-providers, and proposals that ignore your context in favour of a standard bundle. Any of these is a reason to slow down.
The bottom line
Buying cybersecurity well in 2026 means buying an operated capability, treating the provider as a third-party risk, and mapping every question back to the outcomes and obligations that matter to you. If you would like a straight, prioritised assessment of what you actually need, get in touch.