Have you given much thought to how you choose a security consulting firm?
You no doubt have lots of options available to you, but beyond the hype and marketing, how do you identify the right organisation to team up with? I have some thoughts to share with you on the right questions to ask, which can help you make a great choice and ensure a successful engagement.
Whether you need a penetration test, a security audit, a web application security assessment or the development of a complete security strategy, the questions you need to consider apply across the board.
By its very nature, finding the right security consulting firm can be challenging, given that you need to place a great deal of trust in the capabilities and integrity of the organisation. As a result, it is critical to know who will actually be doing the work, which helps you understand their capabilities. In addition, knowing what the actual deliverables will be ensures you can assess the value they bring to you. Finally, you need to be confident that you can actually trust them with your sensitive security information.
Here are some critical questions to ask when considering who will become your preferred firm:
1. Who are the individuals who will be completing the work?
All proposals, whether for a straightforward penetration test or the development of a complete security strategy, should include a list of the individuals who will be working on your project. You need to know what sort of experience they bring to the table and how they add value to the engagement. We have always found that clients see the value when we explicitly list who will be responsible for our engagements and their previous experience with similar projects.
2. What are the deliverables you will receive at the end of the engagement?
Before you make your decision, know what you are going to get at the end of the engagement. And what I mean by know is actually SEE a sample report. If you are getting a penetration test done, ask to see what the final output looks like – will it be suitable for the various stakeholders' eyes? In particular:
What sort of language is used? Will it be suitable for your technical team, or is it better suited to auditors or regulators? What about board members? As you can see, each of these audiences has differing needs – some may overlap, others not so much. So make sure you know your audience and that the final report will reflect this.
Are the recommendations realistic, and do they take into account your risk appetite? Reports written with unrealistic, dramatic recommendations are hardly going to be helpful in improving your security posture.
On the flip side, technical audiences need a deeper dive into the specifics to allow them to remediate appropriately. So I think there is a fine balance there, and it will be determined by the reason for engaging the service in the first place. From our experience, we are explicit in questioning clients on projects to understand how they plan on using the deliverables, so that the format of the deliverable is suitable for their purpose. We will always provide a sample report, so don't be shy in asking for one next time you are evaluating a proposal!
3. What are their security practices like?
This question has become particularly pertinent with the recent arrest of the self-proclaimed leader of LulzSec in Australia, who was actually employed by a local security consulting firm that worked on various government and enterprise accounts. This sent shivers down the collective spines of all the leading security firms – hopefully prompting them to take a closer look at their staff and their backgrounds. Just be sure to check who is privy to your sensitive security information. We have made a point of ensuring our principal security consultants have security clearances to the Highly Protected level under the Australian Government Attorney-General's Department security classifications.
4. Understand the final price
You were wondering when I was going to get to this, weren't you? My thoughts on this revolve around value – that is, what are you getting for your money? Are you comparing apples with apples when assessing various proposals? Let's take the example of a basic penetration test being done on a new web application launch. We all know that a good penetration test involves both manual and automated testing, so given that different security firms use different tools and techniques, how can you compare on price alone? Well, a good place to start is the experience of the person doing the test, which tells you the level of expertise they will bring to the manual side. This goes back to the first point I made about the individuals working on your project – are they bringing expertise that is reflected in the price? Next, look at the automated tools they are using – some are free whilst others are significantly more expensive per engagement, and this will be reflected in the thoroughness of the final deliverables. From here you can reflect on what delivers greater value to you. No matter how you measure value in this instance, ask for a clear list of the charges that make up the proposal.
In summary, security firms all differ in their capabilities, and finding the right one for you will depend on matching your expectations and the nature of the engagement with a firm that has the capabilities to deliver, and the integrity to give you peace of mind.