Significant losses can occur if you choose your information security consultants at random and have no clear plan and strategy of working with them. Here is a procedure for selecting a consultant, working with them, and controlling their performance throughout the duration of your project.
Efficient work means clarity of expectations on both sides and proper controls at every step of the way. Even with the best intentions and your interests at heart, information security consultants can go off-track in their eagerness to help.
Instead of focusing on your business priorities, they might focus on what they believe is best from a technology point of view.
The results could be suboptimal, because a strict security measure can be safe from hackers, but harm your business performance.
Establish clear responsibilities when working with information security consultants
Who does what?
Put your answers to all the significant points and questions in this blog post on paper. You don’t want to discover later on that your IT admin is actively refusing to comply with the recommendations given (and paid for!) by your information security consultants, citing that “it is not in my job description to deal with security.” Do you know how many times we have dealt with such situations?
- Where does your IT team’s responsibility end, and where does it start for your information security consultant? Here is an example: your IT team is installing a new critical server. When do they inform your security consultants – before installing it, during installation, or after it starts working in production?
- What is the chain of command? Your information security consultants should never report to your IT department, and here is why. If security reports to IT, your system admins will always evade responsibility by finding excuses, and these excuses will always supersede business security requirements. Information security requirements should come straight from C-level executives. This way, everyone in the company, including IT, will follow them equally.
- Who controls quality in security configuration for all devices? This also boils down to access. Does your information security consultant have access to verify that the recommended security controls are present and applied, as the IT team says they are? IT teams skip security guidelines and then report that they have followed them more often than you would like to think. Ideally, and for your safety, verification should happen with a third-party tool. Its reports should be immutable – meaning neither your IT team nor your consultants should be able to modify its output.
- Who has the final word? Suppose your IT team and your security consultant argue about a point. Should a security control be present, or should it be turned off, because the IT admin says so? Ideally, the final word should be that of your policies and procedures. They should clearly define the security configuration level for network devices, servers, workstations, and applications. In that case, when an IT admin decides to throw a tantrum, refer them to the policy to which they agreed in advance.
- Do you have visibility into everything done every day by all parties? We follow a practice of installing a dashboard for every client, where everyone can see all aspects of every project and everyone working on it.
- Are there KPIs for everyone involved? If one party does not have key performance indicators for security, they will not care about it. As the business owner or executive, you might care because it is your business, but employees generally do only what they must. If their monthly or quarterly performance does not depend on security, they will not do it. On the other hand, if your consultant has no contractual obligation to deliver a certain amount of value in a certain amount of time, their performance may also slip. We help our clients by establishing KPI requirements for ourselves and for their IT team.
IT security companies should follow all the guidelines above before you can even consider working with them. All of the points mentioned are critical, and missing even one of them could mean wasting your security investment.
Risks when working on information security consulting projects
There are daily operational details that could also make or break your cybersecurity project.
Let us take an average project as an example and break it down. A good one would be an information security assessment. Usually, it takes two weeks. But we cannot limit our view to the two-week project scope and see it as just that. Multiple pre-sales meetings need executive, IT, and financial resource time. There are also post-project meetings to discuss the output of the assessment. And of course, during the assessment itself, you have to assign and dedicate people to it from the client side.
What are the risks to an average-sized information security project?
There are risks for both sides. You as the client risk time and money because you assign people to it, and if the project performs poorly, you lose both the time invested and the money paid. There is also the risk of your IT team providing false information during the project, which taints the whole project. Another danger is that you have a great experience during the assessment but then sweep its results (instead of just a report, we create an entire Information Security Program) under the rug or forget about them. Instead of using what they paid for, many companies prioritize burning issues and postpone working on security. When IT controls security, the above happens more often. If you fix that problem and place security under the executive team, you will have better results.
There are risks for the information security consultancy team, too. What if there is significant resistance on the client’s side? What if there are political issues they are not aware of that might affect the initiation and completion of the project?
Experienced consulting teams know to ask these questions, but you, as the client, should be prepared for and aware of them.