Cracking Cybersecurity Consulting

A 12-part series to help organizations vet, negotiate, and contract for what they NEED from cybersecurity consulting projects.

by Violet Sullivan, Esq. CIPP/US for ePlace Solutions, Inc.

1. Lifting the Veil

Cybersecurity consulting services are growing rapidly. This makes sense as cyberattacks and data breaches continue to rise. Existing companies and new start-ups alike are in a rapid race to solve, mitigate, and prevent cybersecurity incidents from occurring in the first place.

Cybersecurity consulting can range from simple one-time cyber risk assessments to fully-managed security services. Consultants can also range in size and scope from a one-person shop or a team of credentialed security experts from one of the “Big Four” in the consulting industry.

No matter where you seek help for your cybersecurity projects, the trouble with these highly technical services is that you usually need someone just as technical on your side of the collaboration to help interpret a project’s results. The services rendered are usually highly technical, and some translation is often necessary to provide senior management and the board of directors with understandable results.

On behalf of ePlace’s cybersecurity consulting practice, I will begin publishing a series of consulting papers to help “lift the veil” on these issues to give organizations a clear view of the cyber projects they are paying for. While some consultants may not wish to openly share various tools of the trade, we at ePlace think clients deserve total transparency within this growing industry of cybersecurity consulting services.

Let us begin with the following questions we receive most often:

How do we pick a reputable cybersecurity consultant?
How do we align on the project scope?
When do you need a second opinion?
How do we properly “vet” the consulting vendor?
How do we negotiate the best price for the project?
How do we protect ourselves throughout the consulting agreement?
How do we protect ourselves from potential security exposure?
Rules of Engagement: How do we control the impact of the consultant?
How do we understand the final deliverable?
How do we take the consulting report and put it to use?
How do we continuously improve our cybersecurity program?

I will review each of these questions in more detail and give you tips for working with your third-party cybersecurity consultant. Since I am a cybersecurity consultant, myself, my goal is to answer all of these questions and more to provide you with an objective overview and resources for those embarking on engaging a cybersecurity consultant.

2. How Do We Pick a Reputable Cybersecurity Consultant?

As we mentioned in the last article, cybersecurity consulting is on the rise because cyberattacks are rapidly increasing.

The threats you hear about in the news may have your organization’s management deciding to set aside resources for security-related projects. C-level executives feel pressure to make sure they can identify cybersecurity risks before a small issue turns into a companywide problem. The pressure is real for good reason: senior leaders can lose their jobs over this. For example, the CEO, CIO, and CISO of Target Corporation were all forced to leave their positions just months following Target’s massive data breach. Other CEOs to leave in the wake of cybersecurity incidents include Sony’s Amy Pascal and Equifax’s Richard Smith.

So, having allocated resources for mitigating cybersecurity issues, how do you go about selecting a firm to help you with your projects?

Do more than Google. Deciding who you are going to partner with on cybersecurity projects is a big decision. Don’t simply rely on search engine optimization to magically reveal to you the best, most qualified people to work with. It is far more important to find a company that best fits the project than to find just any “cybersecurity consulting company” that search results might yield.
Consider your budget. If your budget for cybersecurity consulting services is limited, then you, of course, want to employ someone that gives you the best “bang for your buck.” There’s no reason to pick a “Big Four” consulting company just because those are the only names you recognize. There are plenty of qualified cybersecurity consulting companies, and they range from local service providers to international corporations.
Check with your insurance to see if you have a partner that gives a discount. Many insurers have relationships with consulting partners for negotiated rates.
Ask around. Your industry association or group might have experience with consultants that are a great match for your needs. You might be surprised how many of your business contacts have gone through this same search for a cybersecurity consulting group. Just ask!
Get on the phone. It’s important to meet the actual individuals who will be conducting your cybersecurity services. While you may first encounter business development representatives, ask to speak directly to the people who are going to be working with you on the project. Ensure these professionals are adequately qualified and experienced. Make the effort to research their credentials and understand what they mean.
Ask for references. Surely the organizations you are looking at have worked with at least some companies like yours. Happy customers rarely turn down a request to be a reference, and it’s an added bit of effort that forces the consulting company to think about what examples they want to share. It’s also a great chance to ask references more practical questions, such as:

How long did the project take to complete?
How clear and actionable was the consulting report?
How helpful was the consulting company in remedying the issues found?

Once you have narrowed your choices down to a couple of options, it’s important you set up time to properly scope out the project. You won’t fully know whether each consulting group can fulfill the project until they understand what your requirements are. In my next article, I will explore how to align with your cybersecurity consultant on the scope of the project.

3. How do we align on the project scope?

Once you have started considering cybersecurity consultants, it is important to make sure they can perform the task at hand. After having gone through the budget process, your company is likely most attuned to the need that you are trying to address. You might even need to bring on certain internal subject matter experts to help describe the scope of your requirements.

After working on many projects, it’s clear one of the most important things to do before choosing the right vendor is to make sure you are clear on the project’s focus and parameters.

Solidifying your project scope is best accomplished by understanding the true definition of what you are asking the consultant to do. For example, in consulting, we hear the phrase “penetration test” tossed around by people all the time. Penetration testing is defined by the National Institute of Standards and Technology as “…Security testing in which evaluators attempt to circumvent the security features of a system based on their understanding of the system design and implementation…to identify methods of gaining access to a system…”

This definition exemplifies how a request for true penetration testing is asking for a highly specialized, higher-risk activity. What an organization might instead be looking for is vulnerability scanning or a gap assessment, either of which give you a better idea of where your internal vulnerabilities are (instead of just trying to break into one or two of those vulnerabilities).

Sometimes the initially desired scope of a project is not broad enough to resolve your needs. This is where cybersecurity experts can be very helpful in explaining how certain projects fit into an overall information security program.

The best way to get aligned on the scope of a cybersecurity consulting project is to:

Get on the phone. Trading proposals back and forth isn’t going to narrow down the scope of your project. However, sufficient phone calls can make sure both sides are on the same page for a project’s structure and overall plan.
Be clear on integral definitions. Make sure both sides are “speaking the same language” when it comes to key words and phrases. We often find there can be different definitions of project terms leading to unmet expectations if not communicated in advance.
Explain your goals. One of the first things we ask during a scoping call is, “What is the reason you are doing this project?” Some people want to meet compliance requirements or are required by vendors to complete a project, while others are just doing it as a best practice to enhance their cybersecurity. Each goal might involve a different approach to the project, so it’s important all parties understand the goals and objectives before entering into a project.
Establish a methodology for your risk-mitigating project. Whether this is NIST or something else, understand the methodology behind the project.
Be clear on the scope. The amount of work involved is often defined by the number of physical locations, number of employees, workstations, servers, etc. The more technology an expert must wade through and the more complex your systems, the larger the project scope becomes. You must be clear on these details or else you might face the risk of going over budget when the other party is surprised by your expectations. For example, if you don’t tell them you have five different locations, the project partner may never know to look beyond the one location mentioned in a proposal.
Ask about output. Deliverables are the most important part of the project. The output you receive because of expert testing is the action plan your team needs to move forward. But if you or your team cannot interpret the report, what good was the project? I have seen some consulting companies produce a “heatmap” report that is hard to decipher. You do not want to invest organizational resources in a deliverable lacking clarity and direction. Ensure you are receiving a coherent, actionable report that provides a roadmap for accomplishing your goals.

Once you had a chance to align on the project parameters with your trusted third party, you are almost ready to sign the client agreement and establish a project schedule. But when do you need a second opinion? When do you need to compare other vendors’ proposals for the same project? We will explore this more in our next series article, “When do you need a second opinion?”

4. When do you need a second opinion?

Your first referral vendor might blow you away with their credibility, professionalism, and knowledge of your project’s subject matter. So why not just call them up and begin moving forward? That could work out, but you will have lost out on additional opportunities for value and security that even just a small amount of further due diligence could yield.

Speaking from experience, cybersecurity consultants are used to being compared to one another and are often competing for projects of all sizes. Our company has been asked multiple times for a proposal just to compare to a different proposal already obtained by the prospective client.

Asking for a second or third proposal can be helpful for multiple reasons:

New perspective. After receiving a project outline from one consulting company, it’s a good idea to check their project approach against the methodologies of other competitors. If the competing companies are doing things totally different, then it’s likely the initial company is not as reliably experienced. But even if the differences are reasonable, this gives you more to ask about the technical testing process. Questions such as “Why are you doing it this way?” and “How would you feel about approaching it in this other way?” amplify your position as a prospective client and ensure you get the most comprehensive service available. Plus, comparing companies helps to determine which consulting group has a better understanding of your project’s subject matter. Well-informed cybersecurity consultants will be able to explain their reasons for going about a project in their recommended manner.
Better pricing. Sometimes, but not always, competition among vendors can lead to a better price. Cybersecurity consulting has sometimes been a “race to the bottom,” and comparing projects from multiple sources can help drive down the price of even the most qualified vendors in the business.
Better referral. Check to see if you received a discount for this project from your cyber insurance. Many cyber insurance carriers have certain cybersecurity companies offering a discounted rate for their insureds. Using a referral from your cyber insurer might provide an argument for a lower premium the following policy year. You are, after all, working on becoming a “better risk.”
Different credibility. Every team member of a cyber vendor has a different level of expertise and experience. So, if you have only talked with business development leads, for example, then ask to speak to the people who will be performing the technical work. Request to see the bios, certifications, and backgrounds for the technical project leaders. Certain work should be done by high-level experts, but some things like vulnerability scanning just require the right tools and, therefore, don’t need to be managed by the most expensive experts.
Better industry experience. Cybersecurity consultants often find their niche of industry work, whether it be healthcare, financial services, or another sector. You should ask for referrals from others in your same industry or sector. Experience here can really help get the most out of the project you are considering.

Once you have gathered multiple proposals, you have options to present to your organization’s security committee and/or senior leadership. With multiple potential partners, you are more informed as to the project parameters and have a better idea of the pros and cons of working with either party. The next step might come before you make the choice between vendors, so follow along in our next article: “How do we properly ‘vet’ the consulting vendor?”

5. How do we properly “vet” the consulting vendor?

With multiple vendors to choose from, you have an important job to do. You must ask the difficult questions before accepting a new vendor into your vendor management program. “Vendor management program?” you ask. “Who has time for that?” Well, a vital part of having a secure environment includes making sure you properly screen all vendors having access to your systems and networks. A vendor being hired to assess your cybersecurity should certainly be no exception to this practice.

The questions you ask your vendors should meet a basic security objective for your organization. Don’t just fire off a 100-question vendor questionnaire without aligning it with your security goals.

Here are example questions to help determine if your vendor has the appropriate policies, procedures, and technologies to meet your expectations:

Do you have a plan in place to restore access to data in the event of a business disruption?
Do you test your business continuity and disaster recovery plans on, at least, an annual basis?
Will the anticipated services require your company to collect or handle sensitive business information belonging to our organization or personal information of our organization’s customers, employees, or other stakeholders?
Does your organization have policies and procedures in place to ensure compliance with all applicable laws, regulations, industry standards, and contractual obligations?
Does your company carry insurance coverage with appropriate limits for the anticipated services?
Does your company have a comprehensive, written Information Security Program in place?

The final (and most challenging) question would be to ask whether this company would be open to a third-party audit. While making the inquiry may be beyond the scope of your project, it is still a good question for gauging how transparent the company plans to be with you.

We have dozens of other example questions to ask, but there is no need to list all of them here in this article. You want to be sure to ask the relevant questions of anyone who would be investigating your data or important systems. Such due diligence is proper for any new third party you engage and for any service. You have the right to properly interrogate a vendor before you pay them money to take a deep dive and “look under the hood” of your organization.

When you feel confident you have chosen the right vendor for your project, this is an opportune time to revisit the cost of the project. Look for my next article on negotiating pricing before you sign the dotted line.

6. How do we negotiate the best price for the project?

It’s hard enough to dedicate line items for cybersecurity in your annual budget. A lack of budget resources is the most frequent reason cited for being slow to implement cybersecurity projects.

Once you have secured the resources, though, it is still important to get the best possible value for your consulting project.

As a cybersecurity consultant, I can tell you there are plenty of ways to get better prices during the negotiation process:

Referral channel: Ask if there is a discount for the referral channel. Chances are, someone has referred you to a particular consulting vendor. Ask whether that referral counted for anything and if there is an associated discount.
Package discount: Ask whether there is a package discount if you are buying multiple pieces/phases of a project. Inquire about package pricing because you are coming to one vendor for the entire project instead of splitting it up between various consultants.
Payment upfront: Ask if there is a discount for paying in advance. Most consulting vendors bill clients after a project is complete, but it may provide a meaningful benefit to them to bill at the outset rather than waiting for the end of the project.
Number of consultants: Ask if there are multiple consultants working on the project. Perhaps they have different billable rates, and this may be an opportunity to cut some of the costs by requesting just one consultant or a junior consultant for the monotonous work.
Cyber insurance: Your cyber insurance carrier may pay for part or all of a cyber project. Just consider: a cybersecurity project makes your organization a better risk for the carrier and, thus, more valuable to the cyber insurance company and broker. If you are nearing a renewal period, this could be a good negotiation tactic to get the carrier or broker to pay for part of the bill. We have known plenty of cyber insurance players that paid the client’s bill. NOTE: If you do this, be prepared to share the final report or some proof the project was complete. Cyber insurance carriers/brokers often want transparency if they are paying.
Comparing quotes: This would be the last tactic to use because it is slightly insulting to compare vendors to their face. There could be a lot of reasons why the scoped-out projects were priced differently, and much of it could be because of the expertise involved. But, if all else fails, ask cyber consultants if they can match another price you received elsewhere.

Try one or a combination of these negotiation tactics to see if you can save money for future projects. Cyber consulting is becoming a race to the bottom for pricing, and there are plenty of ways to cut costs. Recall our guiding principles from previous articles:

Have a clear scope of the project goals; and
Pick a reputable consultant.

In the next article will be details about how to protect yourself from liability and security exposures. There are two major ways to protect your organization from the very cybersecurity consultant you choose to entrust with this important work.

7. How do we protect ourselves throughout the consulting agreement?

There are two ways to protect yourself from your vendors:

Through internal controls
Through the contracts themselves

A due diligence process addressing cybersecurity and data privacy concerns but left out of the contracting process will mean you lack proper mechanisms for enforcement and self-protection.

The actual consulting agreement is a vital part of setting up the proper protections for interactions with this new third party. A consulting agreement should include:

Definitions: Define key terms related to the cybersecurity consulting relationship. For example:
- Confidential information
- Personally Identifiable Information (PII)
- Security Incident
- Data Breach
Performance: Consider how the description of a product or service to be delivered by the vendor implicates information security. Also consider your responsibilities as the purchaser, whether stated explicitly or imposed implicitly by the limitations of the vendor’s product or service.
- Third Parties: In considering performance, think about who will produce and perform the services. For example, will anyone other than the vendor (e.g., affiliates, subcontractors, downstream vendors, or suppliers) perform the service? You need to consider what steps will be taken to monitor the roles of third parties. For example, you might review the consultant’s vendor management program or require direct access to the downstream vendor for review and monitoring as well as being identified as a third-party beneficiary of subcontracts.
Confidentiality clause: Make sure the proprietary information being shared stays between your organization and the consultant. Generally, confidential information should be used only as necessary to perform the service, provide the product, and administer the agreement.
Record ownership: Be very clear on ownership of records between parties. What records, data, information, and analytics will the vendor create during the term of the contract and who will own them? Who will have access to those records? Does the vendor intend to make any secondary usage of such data, information, or analytics? Where will those records be located?
Explanation of services rendered: Ensure the scope of the project discussed appears clearly on paper and not just in your verbal agreements.
Incident notification clause: Both parties have a stake in containing incidents and mitigating adverse impacts. There should, however, be an added provision for defining an “incident” and setting the timeline for communication to either party. When and if data is being shared, make sure the notification clause allocates liability for direct costs of the incident when personally identifiable information (PII) is compromised.
Insurance: Consider cyber risk insurance coverage from both the vendor and the purchaser perspectives.
Indemnification: The agreement might include both general indemnification and indemnification for loss of information (like the notification clause but focused on associated costs instead of communication).
Limitation of liability: If the agreement will include limitations of liability, consider carve-outs or separate caps for indemnification of third-party claims. This can be particularly important for claims based on information loss, costs associated with security and data breaches, IP infringement, and remediation costs associated with vulnerabilities and incidents.
Termination: Make sure your agreement details what acts, omissions, or conditions give rise for either party to terminate the consulting agreement. There must be a way out of the contract for either party.

While this is not an exhaustive list of clauses to build into your vendor agreement, it will help you make sure you are protecting yourself from cyber liability.

After you have an agreement in place, you can then focus on the next stage of protection: internal controls. Our next article will explore how to protect your assets with internal monitoring and access controls.

8. How do we protect ourselves from potential security exposure?

Opening your organization’s doors to a cybersecurity consultant can actually create an opportunity for exploitation. Even with the most trusted vendor, cybersecurity projects often mean exposing endpoints or allowing access to your internal networks.

Take a common-sense approach to mitigating potential security exposures from your vendors. Allow them the minimum level of access needed to do their job and continuously monitor their progress.

Here are some internal controls to put in place for the duration of a cybersecurity project:

Restrict the vendor’s access and install checks and balances to maintain this restriction.
Limit access to control the boundaries you have set.
Monitor and audit this prescribed access to ensure its integrity.
Allow stakeholders from impacted systems to help set up appropriate security mechanisms.
DO NOT “set it and forget it.” Security mechanisms put in place to handle the vendor should be regularly and continually reviewed during the duration of the project.

Other tools to consider utilizing are standard security controls, like two-factor authentication, next generation anti-virus software, firewalls, and DNS filtering measures. Remember your cybersecurity consultant is a new user and has been inserted into your environment to check the health of your existing security. Make sure you are using your best controls, auditing, and monitoring to engage with this outside resource.

This being the shortest article of our series, its main point should be taken seriously: make sure ––your technical team is aware of and monitoring the new third party whose access should be limited only to your project’s scope.

9. Rules of Engagement: How do we control the impact of the consultant?

Certain cybersecurity projects can be invasive. For instance, take penetration testing as the most requested example. This form of testing has a goal of actually “penetrating” your network and is, by definition, an “offensive attack” on your environment.

If you are going to pay someone to break into your organization, the best practice is to establish some “ground rules.” So, whether you are doing full penetration testing, vulnerability scanning, or even just a risk assessment, rules of engagement are paramount for success.

You might be thinking, “I just signed a consulting agreement. Why can’t that govern the project parameters?” The short answer is that an agreement is generally not going to address how the project should be conducted. It will also likely not include the detail necessary to engage in the communication and execution protocols specific to the cybersecurity project.

What should be in the rules of engagement for a cybersecurity project?

Roles with contact information: You want to make sure you can get in touch with your cybersecurity contact if anything happens during the project that needs immediate attention.

Communication plan: Your plan should include escalation pathways and communication tools and systems to use/follow.

Engagement overview: This will provide more detail than the original consulting agreement and will include specific parameters for different phases of the project.

Timeline: Any well-managed project will have a schedule and timeline for completion. Get your consultants to stick to a timeline by adding it into the rules of engagement you agree on.

Change in scope management: Include a method to change the scope of the project and the appropriate parties who may make those decisions. Cybersecurity projects often exceed scope, and there must be an easier way to manage that dynamic than simply “going back to the drawing board.”

All cybersecurity projects are unique, but there are many aspects to project management that help to mitigate risks involved in these technical engagements. In addition to protecting your organization, providing clarity and communication with rules of engagement makes for a better working relationship for all involved parties.

Finally, after a project is complete, the last step is to do something with its findings and results. Our closing articles will cover how to understand the final deliverable (client report) and continue to improve your cybersecurity program.

10. How Do We Understand the Final Deliverable?

The initial articles in this series focused on vetting, negotiating, and contracting potential cybersecurity vendors. Once you’ve hired a solid team, let them do what they do best — their work. Of course, the team will likely have questions and need your input as well as access to technology related to the cybersecurity project. Just remember, the purpose of hiring a third party is to utilize their expertise and experience to test, audit, or challenge your company’s processes.

Hopefully, the “rules of engagement” mentioned in previous articles have been implemented to improve the communication and transparency between the teams. The contract itself should also help push this project toward a successful conclusion. As the end of the project nears, your cybersecurity vendor will likely have a final deliverable to help you make changes and fix gaps.

This deliverable has many forms, whether written or presented verbally, but what if the report contains too much technical expertise and cybersecurity jargon? What happens if your company doesn’t have internal personnel capable of interpreting the results? What if you are simply handed a heat map or a collection of graphics with words you can’t clearly comprehend? How do you turn the results into action items for your organization?

Things are made even more complicated with the worry that third-party reports could be discovered and used in future litigation. This was the case for the litigation following Capital One’s 2019 data breach, so cybersecurity vendors are becoming more cautious about the format of their final reports.

I’ve compiled commonsense reminders and tips to make sure the project doesn’t stop when the third party leaves your premises. The next step in “Cracking Cybersecurity Consulting” is to make sure you understand the results, so they can be implemented to improve your overall cybersecurity risk posture.

For the final deliverable:

Schedule a debriefing and Q&A session with the vendor. It’s important to hear the suggested action items from the vendor’s mouth, so you can get clarification regarding suggestions that are new to your team. Verbal sessions are good for cutting through the “fluff” found in reports. Plan to ask, “What are the biggest priorities?” or “What are the most important actions we should take following this project?”
Highlight terms needing to be defined. Depending on the technical level of your internal team, you might need a list of definitions included in the final report. Definitions vary widely in the cyber industry, so get clear on the terminology to ensure your team’s success during implementation.
Focus on the negatives. Many times, consulting reports include negative action items along with positive notes. This isn’t an attempt to hide the action items; it just ends up being part of the process when providing comprehensive information to organizations. Sometimes, the big gaps and improvements aren’t obvious enough, so review the report closely while looking for the big things that need to be addressed.
Ask for more consulting hours. If you truly don’t have a technically savvy team member in-house who can follow up on the provided recommendations, you may need to continue working with the third party until you have remediated any known gaps or areas of improvement.

Of course, none of this applies if you have an incredible internal technical team that can help interpret the results and set everything in motion in your existing infrastructure. In my consulting experience, though, this is rarely the case. There are many different levels of cybersecurity maturity within an organization, and there’s no harm in asking someone to translate, clarify, and provide further help if needed. After all, that might be why you went with a third party in the first place.

My next article will cover how to put a consulting report to use to strengthen your overall cybersecurity posture.

11. How Do We Put the Consulting Report to Use?

Why did you start a cybersecurity project in the first place? What motivated you to set aside time and resources to complete a project with the goal of finding cyber vulnerabilities, strengthening controls, or auditing your organization’s current infrastructure?

The answer (hopefully): to mitigate or address cyber risk.

Organizations undertake cybersecurity consulting projects to secure systems, networks, and the overall technical landscape to reduce potential risk. Just ask your cyber insurance broker. The current state of the cyber market proves that as threats and potential claims increase, it’s getting harder and harder to cover the level of cyber risk companies carry.

In short, you employed a third party for a cybersecurity project specifically because you wanted to get their advice on what to do. At this point in the process, you must follow up on the sage advice.

To act on the final deliverable, remember to:

Assign follow-ups to a project manager. Someone must take ownership of the action items provided by the third party, or they’ll never get implemented. Assigning someone internally to follow up with the deliverable suggestions elevates your cybersecurity posture by fixing gaps instead of just identifying them.
Establish check-in points with your team. This is a project manager’s trick. He or she should establish deadlines, assign action items to team members, and then require them to give progress updates along the way with scheduled “check-in” calls. Doing so prioritizes items instead of letting them fall by the wayside.
Schedule future meetings with the consulting team. There are a couple of reasons to do this:
1. It gives you a tentative deadline to report progress and ask questions.
2. It allows you to ask for more help if needed. Most cyber consulting projects are not just “one and done,” and the vendor you worked with will likely be willing to jump on a call, especially if it means you may use them again in the future.
Brief the board or executive team on the findings and results. By adding in authority to your project, you are now presenting the recommendations to a higher group to hold your team accountable. When your team can convey the recommended cybersecurity improvements, the executive team or board will also see the overall benefits. With their buy-in, your follow-up has even greater meaning, so you’ll be more likely to deliver results.

The number one reason to get your team to ACT on the final deliverable is simple. You paid for the help, so use it.

Remember, from a legal standpoint, when a third party recommends you make improvements and adjustments to better your overall cybersecurity, you should act swiftly and reasonably. Otherwise, there’s a plaintiff’s attorney out there who’s just waiting to point out you were given advice and didn’t act on it. As soon as a cyber incident occurs, class actions can be created to point to your lack of cybersecurity controls. This world of cyber litigation is new, and plaintiff’s attorneys are being very creative in their finger-pointing.

With a project plan in place and an aim to fill the gaps, your team will be working through improvements for the next 6–12 months. It’s a continuous process, so don’t get down if it’s not complete when the third party exits the premises. There’s always work to do, and your team must follow up on the recommendations presented.

In cybersecurity, there will always be new threats, new patches, and new ways to educate users. Continuous improvement is the name of the game, and the final article in the series is devoted to continuously improving your cybersecurity program.

12. How Do We Continuously Improve Our Cybersecurity Program?

After 11 articles in this cyber consulting process series, I’ve covered everything from vetting, contracting, engaging, and following up with your third-party vendors. Now, it’s time for your internal team to learn how to keep moving forward.

Having a single yearly risk assessment for compliance purposes isn’t going to improve your cybersecurity much. Changes come from having a top-down culture of cybersecurity and integrating it into every part of your business.

To continuously improve your cybersecurity program, focus on these big areas:

Employee training: Human error is the biggest cause of cyber incidents. No matter how much money is spent on technical defenses and the latest EDR solution, employees still hold the keys to your most valuable assets with their authentication credentials. The best way to address the human error component is to implement dynamic training and education events centered on the latest threats. Without cyber awareness education, your employees are your greatest risk. Think outside the box when structuring training sessions:
- Have a company pizza party and share examples of recent phishing attempts.
- Send out content in employee newsletters
- Put up posters in the restroom about phishing emails.
Policies and procedures: No matter how focused your organization is on cybersecurity, you must have the rules in writing. When your company issues computers, phones, and other equipment to employees, there must be rules on how to use the equipment and safely control the risk each person has with their organization-owned devices. Spend time with your team and (if needed) outside experts to create an information security policy, access control policy, acceptable use policy, and a cyber incident response plan.
Testing your plans: A plan or procedure is only as good as the paper it’s written on – particularly your Disaster Recovery (DR); Incident Response (IR); and Business Continuity (BC) plans. If you don’t test your plans, then only a few people will know what to do (usually the authors of said plan), and it will likely not go according to the suggested plan outcome. To thoroughly “test” a plan, do yearly tabletop or DR exercises to ensure the plan will work as written. Talk through how the plan works, make sure everyone understands their role and responsibilities, and look for ways to improve. This can be done internally or with an outside facilitator.
Patches and updates: Your operating systems and tools are constantly being updated, so make sure your security team is continuously implementing the latest patches and updates. Make “Patch Tuesday” a new tradition and ensure everyone is following the new patching schedule.
Continual scanning: Vulnerability scanning is everywhere now. Even your cyber insurance companies are using it to determine your level of risk. Keep up to date on potential vulnerabilities and fix them. Hackers always look for the most viable attack tree by initially scanning your system, so get ahead of them and continually run scans to look for open vulnerabilities and critical risk areas.
Future projects: Don’t expect to do everything yourself. The whole reason I wrote a series of articles was to explain how to use outside expertise when needed. Once you’ve completed one big cyber project, consider what is on the horizon and what your next step should be. Third-party cyber projects are a good way to outsource expertise without having to hire an entire security team. There are different types of projects to choose from, and it’s best to prioritize your game plan to address your company’s risk. Start with a risk assessment, dig into more technical projects like scanning and penetration testing, and don’t forget to spend some time on the human issue via onsite employee training or tabletop exercises.

In cybersecurity, your job will never be complete. There will always be improvements to make and projects in the pipeline. But remember, each improvement or adjustment could be the difference between a normal day and a ransomware claim. It’s hard to know what could “save” you from the next big cyber-attack but working to continuously improve your cybersecurity is the only way to know you are making reasonable efforts to protect your business and the data you hold.

PROFESSIONAL SUPPORT & ADVICE

For more information and to discuss the consulting services that are right for your organization, Contact Us or email cyberteam@eplaceinc.com.