How to Hire the Right IT Security Consultant: 5 Things to Look For
Cyber security is a serious concern for every business. But what if you can’t afford a full-time IT security consultant? Do you know your system vulnerabilities and how to fix them? Do you feel confident your “IT guy” is on top of current security practices and products? When was the last time someone in your office reviewed compliance regulations?
If you’re starting to sweat, that’s a sign that your business isn’t as protected as it should be. It might be time to hire a security consultant. Here are five things to look for in an information security consultant.
Experience in your industry
Many cyber threats and attacks are tailored to individual industries or geographical areas. That means hiring an IT security consultant with only general skills isn’t enough. A cyber security consultant with previous industry experience will be familiar with the unique attacks and threats your business faces.
Ask any consultant or firm you consider to explain prior experience and results. If they can’t do so with clarity, that’s a red flag. A security consultant worth his or her salt can identify common risks, explain solutions, and outline preventive measures—in plain English.
Do some homework on the consultants and firms you’re considering. Review profiles and reviews on company websites and professional networking sites, like LinkedIn. Pay attention to experience and certifications, like CISSP, CISA, and CISM. As is often the case, you’ll likely get the most useful information from current and former clients.
Knowledge of current compliance requirements
Every industry has different legal regulations and compliance policy standards (PCI, CCPA, GDPR, for example) that your business must meet. Besides putting your data at risk, non-compliance with these laws can cost you big.
So how do you know which regulations apply to what kinds of data? The best security consultants will be able to analyze your databases for sensitive information that falls under current and relevant policies. In addition, they should be able to outline a viable plan to help you remain compliant going forward.
Network security assessment know-how
A solid cyber security strategy requires a thorough assessment of the vulnerabilities of your current computer systems, network environment, and data. It shows how effective your organization is at following security best practices, and it gauges how well you’ll be able to prevent or withstand an attack. A good security consultant will use this information to create a plan for remediation. But beware consultants who try to sell you a one-size-fits-all suite of “security tools.” The right plan will be customized to ward off your unique worst-case scenario.
Because your information is vulnerable during the assessment phase, you really need someone who knows what they’re doing. After all, you don’t want to experience a breach right when you’re trying to prevent one. That’s why knowing that the consultant performing the assessment will protect and care for your company’s private information is essential.
First, find out whether the security consultant plans to perform the assessment in-house or contract it out. If the assessments will be performed in-house by your hired security consultant firm, their employees should already be trained on the proper, secure way to handle the assessment phase. If the consultant contracts the security assessment out, be sure you’re familiar and comfortable with the training process of the contracted firm and that they follow security best practices.
Commitment to employee training
A security consultant’s strategy should be designed to recognize and eliminate threats, not simply patch a few security flaws. And no strategy is complete without making sure your employees are all on the same page.
Even with the best security tools, like firewalls, software, monitoring, and so on, the most crucial asset in an effective security strategy is your employees. The right security consultant will be committed to training your people on how to prevent threats. And it’s critical to review the basics, like creating strong passwords and watching out for e-mail scams.
A solid action plan
A security consultant vying for your business should be able to present a coherent, articulate plan of action for your specific company’s needs. Their strategy should be straightforward and free of too much jargon or sales-y promotion of any one product.
Be sure to get details about how they’ll communicate with you during the process—from assessment to implementation. Find out what they expect from your company and employees, and whether they’ll be providing ongoing support once a solution is in place. And don’t forget to ask who will be doing the actual work; for example, is it an experienced team or a brand-new junior associate?
It may even be a good idea to ask consultants you’re considering about the times they’ve failed, and how they came back from those mistakes. Anything that helps you get a complete picture of who you’re hiring will pay off in the end.