Cracking Cybersecurity Consulting
A 12-part series to help organizations vet, negotiate, and contract for what they NEED from cybersecurity consulting projects.
by Violet Sullivan, Esq. CIPP/US for ePlace Solutions, Inc.
by Violet Sullivan, Esq. CIPP/US for ePlace Solutions, Inc.
Cybersecurity consulting services are growing rapidly. This makes sense as cyberattacks and data breaches continue to rise. Existing companies and new start-ups alike are in a rapid race to solve, mitigate, and prevent cybersecurity incidents from occurring in the first place.
Cybersecurity consulting can range from simple one-time cyber risk assessments to fully-managed security services. Consultants can also range in size and scope from a one-person shop or a team of credentialed security experts from one of the “Big Four” in the consulting industry.
No matter where you seek help for your cybersecurity projects, the trouble with these highly technical services is that you usually need someone just as technical on your side of the collaboration to help interpret a project’s results. The services rendered are usually highly technical, and some translation is often necessary to provide senior management and the board of directors with understandable results.
On behalf of ePlace’s cybersecurity consulting practice, I will begin publishing a series of consulting papers to help “lift the veil” on these issues to give organizations a clear view of the cyber projects they are paying for. While some consultants may not wish to openly share various tools of the trade, we at ePlace think clients deserve total transparency within this growing industry of cybersecurity consulting services.
Let us begin with the following questions we receive most often:
I will review each of these questions in more detail and give you tips for working with your third-party cybersecurity consultant. Since I am a cybersecurity consultant, myself, my goal is to answer all of these questions and more to provide you with an objective overview and resources for those embarking on engaging a cybersecurity consultant.
As we mentioned in the last article, cybersecurity consulting is on the rise because cyberattacks are rapidly increasing.
The threats you hear about in the news may have your organization’s management deciding to set aside resources for security-related projects. C-level executives feel pressure to make sure they can identify cybersecurity risks before a small issue turns into a companywide problem. The pressure is real for good reason: senior leaders can lose their jobs over this. For example, the CEO, CIO, and CISO of Target Corporation were all forced to leave their positions just months following Target’s massive data breach. Other CEOs to leave in the wake of cybersecurity incidents include Sony’s Amy Pascal and Equifax’s Richard Smith.
So, having allocated resources for mitigating cybersecurity issues, how do you go about selecting a firm to help you with your projects?
Once you have narrowed your choices down to a couple of options, it’s important you set up time to properly scope out the project. You won’t fully know whether each consulting group can fulfill the project until they understand what your requirements are. In my next article, I will explore how to align with your cybersecurity consultant on the scope of the project.
Once you have started considering cybersecurity consultants, it is important to make sure they can perform the task at hand. After having gone through the budget process, your company is likely most attuned to the need that you are trying to address. You might even need to bring on certain internal subject matter experts to help describe the scope of your requirements.
After working on many projects, it’s clear one of the most important things to do before choosing the right vendor is to make sure you are clear on the project’s focus and parameters.
Solidifying your project scope is best accomplished by understanding the true definition of what you are asking the consultant to do. For example, in consulting, we hear the phrase “penetration test” tossed around by people all the time. Penetration testing is defined by the National Institute of Standards and Technology as “…Security testing in which evaluators attempt to circumvent the security features of a system based on their understanding of the system design and implementation…to identify methods of gaining access to a system…”
This definition exemplifies how a request for true penetration testing is asking for a highly specialized, higher-risk activity. What an organization might instead be looking for is vulnerability scanning or a gap assessment, either of which give you a better idea of where your internal vulnerabilities are (instead of just trying to break into one or two of those vulnerabilities).
Sometimes the initially desired scope of a project is not broad enough to resolve your needs. This is where cybersecurity experts can be very helpful in explaining how certain projects fit into an overall information security program.
The best way to get aligned on the scope of a cybersecurity consulting project is to:
Once you had a chance to align on the project parameters with your trusted third party, you are almost ready to sign the client agreement and establish a project schedule. But when do you need a second opinion? When do you need to compare other vendors’ proposals for the same project? We will explore this more in our next series article, “When do you need a second opinion?”
Your first referral vendor might blow you away with their credibility, professionalism, and knowledge of your project’s subject matter. So why not just call them up and begin moving forward? That could work out, but you will have lost out on additional opportunities for value and security that even just a small amount of further due diligence could yield.
Speaking from experience, cybersecurity consultants are used to being compared to one another and are often competing for projects of all sizes. Our company has been asked multiple times for a proposal just to compare to a different proposal already obtained by the prospective client.
Asking for a second or third proposal can be helpful for multiple reasons:
Once you have gathered multiple proposals, you have options to present to your organization’s security committee and/or senior leadership. With multiple potential partners, you are more informed as to the project parameters and have a better idea of the pros and cons of working with either party. The next step might come before you make the choice between vendors, so follow along in our next article: “How do we properly ‘vet’ the consulting vendor?”
With multiple vendors to choose from, you have an important job to do. You must ask the difficult questions before accepting a new vendor into your vendor management program. “Vendor management program?” you ask. “Who has time for that?” Well, a vital part of having a secure environment includes making sure you properly screen all vendors having access to your systems and networks. A vendor being hired to assess your cybersecurity should certainly be no exception to this practice.
The questions you ask your vendors should meet a basic security objective for your organization. Don’t just fire off a 100-question vendor questionnaire without aligning it with your security goals.
Here are example questions to help determine if your vendor has the appropriate policies, procedures, and technologies to meet your expectations:
The final (and most challenging) question would be to ask whether this company would be open to a third-party audit. While making the inquiry may be beyond the scope of your project, it is still a good question for gauging how transparent the company plans to be with you.
We have dozens of other example questions to ask, but there is no need to list all of them here in this article. You want to be sure to ask the relevant questions of anyone who would be investigating your data or important systems. Such due diligence is proper for any new third party you engage and for any service. You have the right to properly interrogate a vendor before you pay them money to take a deep dive and “look under the hood” of your organization.
When you feel confident you have chosen the right vendor for your project, this is an opportune time to revisit the cost of the project. Look for my next article on negotiating pricing before you sign the dotted line.
It’s hard enough to dedicate line items for cybersecurity in your annual budget. A lack of budget resources is the most frequent reason cited for being slow to implement cybersecurity projects.
Once you have secured the resources, though, it is still important to get the best possible value for your consulting project.
As a cybersecurity consultant, I can tell you there are plenty of ways to get better prices during the negotiation process:
Try one or a combination of these negotiation tactics to see if you can save money for future projects. Cyber consulting is becoming a race to the bottom for pricing, and there are plenty of ways to cut costs. Recall our guiding principles from previous articles:
In the next article will be details about how to protect yourself from liability and security exposures. There are two major ways to protect your organization from the very cybersecurity consultant you choose to entrust with this important work.
There are two ways to protect yourself from your vendors:
A due diligence process addressing cybersecurity and data privacy concerns but left out of the contracting process will mean you lack proper mechanisms for enforcement and self-protection.
The actual consulting agreement is a vital part of setting up the proper protections for interactions with this new third party. A consulting agreement should include:
While this is not an exhaustive list of clauses to build into your vendor agreement, it will help you make sure you are protecting yourself from cyber liability.
After you have an agreement in place, you can then focus on the next stage of protection: internal controls. Our next article will explore how to protect your assets with internal monitoring and access controls.
Opening your organization’s doors to a cybersecurity consultant can actually create an opportunity for exploitation. Even with the most trusted vendor, cybersecurity projects often mean exposing endpoints or allowing access to your internal networks.
Take a common-sense approach to mitigating potential security exposures from your vendors. Allow them the minimum level of access needed to do their job and continuously monitor their progress.
Here are some internal controls to put in place for the duration of a cybersecurity project:
Other tools to consider utilizing are standard security controls, like two-factor authentication, next generation anti-virus software, firewalls, and DNS filtering measures. Remember your cybersecurity consultant is a new user and has been inserted into your environment to check the health of your existing security. Make sure you are using your best controls, auditing, and monitoring to engage with this outside resource.
This being the shortest article of our series, its main point should be taken seriously: make sure ––your technical team is aware of and monitoring the new third party whose access should be limited only to your project’s scope.
Certain cybersecurity projects can be invasive. For instance, take penetration testing as the most requested example. This form of testing has a goal of actually “penetrating” your network and is, by definition, an “offensive attack” on your environment.
If you are going to pay someone to break into your organization, the best practice is to establish some “ground rules.” So, whether you are doing full penetration testing, vulnerability scanning, or even just a risk assessment, rules of engagement are paramount for success.
You might be thinking, “I just signed a consulting agreement. Why can’t that govern the project parameters?” The short answer is that an agreement is generally not going to address how the project should be conducted. It will also likely not include the detail necessary to engage in the communication and execution protocols specific to the cybersecurity project.
What should be in the rules of engagement for a cybersecurity project?
All cybersecurity projects are unique, but there are many aspects to project management that help to mitigate risks involved in these technical engagements. In addition to protecting your organization, providing clarity and communication with rules of engagement makes for a better working relationship for all involved parties.
Finally, after a project is complete, the last step is to do something with its findings and results. Our closing articles will cover how to understand the final deliverable (client report) and continue to improve your cybersecurity program.
The initial articles in this series focused on vetting, negotiating, and contracting potential cybersecurity vendors. Once you’ve hired a solid team, let them do what they do best — their work. Of course, the team will likely have questions and need your input as well as access to technology related to the cybersecurity project. Just remember, the purpose of hiring a third party is to utilize their expertise and experience to test, audit, or challenge your company’s processes.
Hopefully, the “rules of engagement” mentioned in previous articles have been implemented to improve the communication and transparency between the teams. The contract itself should also help push this project toward a successful conclusion. As the end of the project nears, your cybersecurity vendor will likely have a final deliverable to help you make changes and fix gaps.
This deliverable has many forms, whether written or presented verbally, but what if the report contains too much technical expertise and cybersecurity jargon? What happens if your company doesn’t have internal personnel capable of interpreting the results? What if you are simply handed a heat map or a collection of graphics with words you can’t clearly comprehend? How do you turn the results into action items for your organization?
Things are made even more complicated with the worry that third-party reports could be discovered and used in future litigation. This was the case for the litigation following Capital One’s 2019 data breach, so cybersecurity vendors are becoming more cautious about the format of their final reports.
I’ve compiled commonsense reminders and tips to make sure the project doesn’t stop when the third party leaves your premises. The next step in “Cracking Cybersecurity Consulting” is to make sure you understand the results, so they can be implemented to improve your overall cybersecurity risk posture.
For the final deliverable:
Of course, none of this applies if you have an incredible internal technical team that can help interpret the results and set everything in motion in your existing infrastructure. In my consulting experience, though, this is rarely the case. There are many different levels of cybersecurity maturity within an organization, and there’s no harm in asking someone to translate, clarify, and provide further help if needed. After all, that might be why you went with a third party in the first place.
My next article will cover how to put a consulting report to use to strengthen your overall cybersecurity posture.
Why did you start a cybersecurity project in the first place? What motivated you to set aside time and resources to complete a project with the goal of finding cyber vulnerabilities, strengthening controls, or auditing your organization’s current infrastructure?
The answer (hopefully): to mitigate or address cyber risk.
Organizations undertake cybersecurity consulting projects to secure systems, networks, and the overall technical landscape to reduce potential risk. Just ask your cyber insurance broker. The current state of the cyber market proves that as threats and potential claims increase, it’s getting harder and harder to cover the level of cyber risk companies carry.
In short, you employed a third party for a cybersecurity project specifically because you wanted to get their advice on what to do. At this point in the process, you must follow up on the sage advice.
To act on the final deliverable, remember to:
The number one reason to get your team to ACT on the final deliverable is simple. You paid for the help, so use it.
Remember, from a legal standpoint, when a third party recommends you make improvements and adjustments to better your overall cybersecurity, you should act swiftly and reasonably. Otherwise, there’s a plaintiff’s attorney out there who’s just waiting to point out you were given advice and didn’t act on it. As soon as a cyber incident occurs, class actions can be created to point to your lack of cybersecurity controls. This world of cyber litigation is new, and plaintiff’s attorneys are being very creative in their finger-pointing.
With a project plan in place and an aim to fill the gaps, your team will be working through improvements for the next 6–12 months. It’s a continuous process, so don’t get down if it’s not complete when the third party exits the premises. There’s always work to do, and your team must follow up on the recommendations presented.
In cybersecurity, there will always be new threats, new patches, and new ways to educate users. Continuous improvement is the name of the game, and the final article in the series is devoted to continuously improving your cybersecurity program.
After 11 articles in this cyber consulting process series, I’ve covered everything from vetting, contracting, engaging, and following up with your third-party vendors. Now, it’s time for your internal team to learn how to keep moving forward.
Having a single yearly risk assessment for compliance purposes isn’t going to improve your cybersecurity much. Changes come from having a top-down culture of cybersecurity and integrating it into every part of your business.
To continuously improve your cybersecurity program, focus on these big areas:
In cybersecurity, your job will never be complete. There will always be improvements to make and projects in the pipeline. But remember, each improvement or adjustment could be the difference between a normal day and a ransomware claim. It’s hard to know what could “save” you from the next big cyber-attack but working to continuously improve your cybersecurity is the only way to know you are making reasonable efforts to protect your business and the data you hold.
For more information and to discuss the consulting services that are right for your organization, Contact Us or email email@example.com.
410 W. Fallbrook Ave, STE 105
Fresno, CA 93711
2035 Corte Del Nogal, STE 100
Carlsbad, CA 92011