Engaging a third-party assessment expert in conducting a review of a business’ security measures is a cornerstone of good security practice. Among other things, assessments can identify hidden vulnerabilities in a business’ systems and remediate them before they become a problem.
Unfortunately, though, all too often, the monetary costs of such assessments greatly exceed initial budgets. Many first assume that the source of their overrun is an unscrupulous assessment vendor, but the truth of the matter is that very few cost overruns result from such vendors. Rather, in most instances, security vendors are highly reputable and are just trying to do the best for their clients.
So, if unscrupulous security vendors aren’t the usual cause of overruns, what is? The answer is a lack of good old-fashioned project management. While many businesses have strong practices in place for managing general technology projects, those practices can be quickly abandoned when it comes to complex security assessments. The reason for this is twofold: first, many security assessments are done under duress, where the need for an assessment is driven by a looming regulatory deadline or the result of a recent compromise. In those cases, the sense of urgency overrides good project management practices.
Second, security assessments can be overseen by a business’ compliance, privacy, security or legal department, which can lack the necessary experience in managing complex technology projects.
The following are my top seven tips for how businesses can gain better control over security assessments, including improved adherence to agreed-upon budgets:
- Treat security assessment engagements as you would any other complex technology project that is critical to the business’ operations and involves substantial fees.
- Negotiate security assessment agreements with a view to project management:
- Include specific project management procedures.
- Ensure the statement of work clearly describes the specific tasks to be performed by the vendor. Remember: if a task isn’t specified, it will be an additional cost.
- To the maximum extent possible, avoid time and materials projects. These types of engagements can easily turn into a blank check on the customer’s bank account. Fixed fee projects are preferred.
- Vendor staffing of a security assessment may change repeatedly over the course of the project. This constant turnover can lead to increased fees and project delays. Include requirements in the assessment agreement requiring the vendor to exercise all reasonable measures to ensure consistency of its staffing over the entire course of the project. In particular, be wary of vendor project managers that have more than one other active engagement. The project manager is a key element of ensuring project success and if they are working on four or five other engagements, which is not uncommon, they will almost certainly not be able to effectively manage your project.
- If a T&M engagement must be used, the contract should clearly state that the estimated budget is based on the vendor’s best, good-faith assessment of all work needed to complete the assessment. Unfortunately, many estimates are nothing more than the vendor’s “guess” as to the fees required, with no real effort to ensure the estimate is realistic.
- Require monthly (or weekly) reporting from the vendor regarding services rendered, milestones achieved and fees spent.
- Require the vendor to immediately issue an “alert report” in the event they learn of circumstances that may lead to failing to achieve the project budget or timeline.
- Include the right to audit the vendor’s records to confirm the accuracy of fees charged. If the audit identifies a material overcharge (say, more than 10 percent), the cost of the audit should shift to the vendor.
- Assign personnel who have substantial experience managing complex technology projects to oversee the assessment. Consider using individuals who are certified project management professionals (PMPs) or have other similar qualifications evidencing substantial prior experience and expertise in managing projects.
- Conduct due diligence of the vendor’s prior customers. Avoid speaking only to customers on the vendor’s “reference list.” Seek out other customers. In larger engagements, particularly those in which the security assessment services are subject to an RFP process, consider requesting the vendor to disclose customers who have terminated assessment engagements prior to completion in the last two to three years.
- Be cautious of vendors who request frequent change orders or constantly offer “additional services.” These upsells should be avoided unless they are truly useful to the business.
- Avoid “big bang” assessments (i.e., assessments that have too broad of a scope). For example, if a business has 20 departments, it might consider conducting assessment of several departments at a time, as opposed to assessing all 20 from the outset. Doing the assessment in measured steps allows the business to review the vendor’s performance, make changes to the scope of the review and better manage to a defined budget.
- As discussed in prior blog postings, it is critically important that assessment engagements be evaluated by internal or external legal counsel to determine whether the assessment contract should include language designed to protect the assessment and any resulting reports under the attorney-client privilege/work product doctrine. Doing so may protect the results of the assessment from later discovery in litigation. Most security vendors are very aware of the procedures needed to ensure these protections apply and should readily agree to them.
Third-party security assessments are one of the most effective means for businesses to truly understand and identify their vulnerabilities and improve overall protection. Managing those assessments, however, must be done in a reasoned manner to ensure budgets are achieved and the desired results are obtained. By using the tips in this blog post, businesses can mitigate the risks posed by these engagements.
[Disclaimer: The information on this blog or article is provided without any warranty or guarantee, does not provide legal advice to the reader, and does not create an attorney-client relationship with the reader. Any opinions expressed in this blog or article are those only of the author and do not necessarily reflect the views of the author’s law firm or any of the author’s or the law firm’s clients. In some jurisdictions, the contents of this blog or article may be considered Attorney Advertising.]