Undercover

How to Corral Security Consultants

Security consultants can help your business, if you give them clear ground rules before they start

By Anonymous

With that in mind, it's appropriate to hire a security consultant:

  • When nobody in the company has the requisite expertise.
  • When there may be a legitimate question of conflict of interest. If you were the champion last year of an unpopular security policy change, that change will be hard for you to look at without bias this year.
  • When, regardless of expertise or conflicts, nobody has the time to do it.

If you find yourself in one of these situations, here are some things to look into when selecting a security consultant:

  • Get recommendations from professional contacts in your industry whom you know and trust. If they were happy with a consultant, chances are good you will be too.
  • Require consultants to submit team member résumés with their proposal. You should look for senior team members who have been security practitioners. Since a lot of these people come out of the Defense Department or a police department, look for recent experience in your business sector.
  • Call some former clients of the consultant and talk to them about their experience with this company; find out what they liked and disliked about the service they received.

Before any work commences, make sure you get formal nondisclosure agreements signed by each person involved in the security work. Also be sure to schedule a formal meeting where you set mutual ground rules for your work together, and schedule frequent status reports. Make sure you get to see the final draft before it goes to anyone. You should have no surprises at the formal presentation of consultants' findings or with their written reports, and you should be able to anticipate and answer questions from your boss and other higher-ups. This isn't to suggest a whitewash; simply, it's best that your peers and your leadership hear about security problems and solutions from you rather than from the "experts." After all, you hired these people to help you get better, not to make you or your company look bad. Following this advice will enhance your experience with consultants, and ensure you present your company with a useful set of recommendations that improve security without breaking the bank or harming your credibility.
