If your business lacks the resources, time, or expertise to develop and implement a solid cyber security strategy, hiring a security consultant should be on your short list of priorities. A seasoned security consultant is a tremendous asset to your business. They bring years of experience across many industries and many clients and are knowledgeable about the latest threats, attack detection methods, framework requirements, and response strategies.
But if you’re already a little bit at sea when it comes to security, how do you begin? What services do you need? Who is the right hire? And what are some red flags?
Here are 7 questions to ask when you’re hiring a cyber security consultant.
Are we ready, willing and able to make changes?
Step one is a long, hard look in the mirror. If your business isn’t ready to act on the advice of a consultant, hiring one is pointless. Your budget should include a line item for consultant fees as well as the potential costs associated with recommended changes. And remember that upgrades or process changes will cost you in terms of employee hours too. Someone on staff will spend time helping your consultant understand your existing systems and incorporating changes. And all staff will need to be trained on any changes with global implications.
What level of security do you think I need?
At the beginning of an initial consultant meeting, the answer should be that they don’t know yet. Yes, you should expect a consultant to have some sense of your industry and its general needs around security. But a red flag is the consultant who arrives with a suite of tools ready to sell you as a total package, one-size-fits-all solution. Without completing a risk assessment (or analyzing an existing one), your consultant can’t right-size a solution for your business.
What regulations or security frameworks are important for my organization?
Unlike the previous question, where a consultant should not be making any assumptions early in the relationship, a consultant should have a sense of which framework(s) your business should be following to meet compliance needs.
Security services vendors need to have a comprehensive understanding of frameworks and regulations such as PCI DSS, NIST, and GDPR, as well as any state laws related to data breaches (which are always evolving).
Who have you worked for in the past?
No one buys anything these days without reading the reviews first, right? There won’t be any Amazon reviews or Uber ratings for a potential security consultant. However, getting a list of their current and former clients will let you do the necessary digging yourself. Reach out to a few of their clients and confirm the skills and competency of the vendor. Ask what worked and what was challenging. Ask if they were satisfied with the solutions proposed and if they were implemented well.
Will you provide cost-benefit analysis for recommended solutions?
If you’re considering a security consultant, you should have enough budget for both their fees and any solutions they might propose for implementation. But budgets aren’t limitless and you’ll surely have some tough decisions to make. A good consultant will help you understand the total cost of recommended solutions and the return on investment for each.
Who will do the actual work?
Ask your potential consultant how the work will actually get done. If the consultant is going to review existing policies and practices and simply make recommendations for your staff to implement, that should be reflected in the cost of the engagement.
If you have no on-staff security or need to supplement an existing team, ask who from the consulting firm will be doing the work. The person making the sales pitch and the person sent to do the work may not be one and the same. Ask for the certifications of each person who’ll be on your project.
How do you handle communication with clients?
Security consultants can be a secretive bunch. Ask up front how a potential vendor typically handles communication.
A good vendor will have a carefully outlined process with steps along the way for checking in on progress. Look for the same quality project management practices that you would expect in any business arrangement: a kickoff meeting with stakeholders; scope and budget documentation; a work breakdown schedule; a communication plan; regular status updates; and a project close meeting.
If your business is in the market for a security consultant, please reach out to Asylas. We are an empathetic and relational firm, focused on a personalized approach to security. Contact us at firstname.lastname@example.org or 615-622-4591.