Choosing a security consultancy

There are hundreds if not thousands of “Indian Restaurants” dotted around London. However, we all know that most of these places are not owned or run by Indians at all. You have a large number of Bangladeshi or Pakistani’s owning and managing these establishments. But for convenience there’s an unspoken rule that the owners will advertise their food as “Indian cuisine” and customers will always refer to it as going out for an Indian.

By and large, it is somewhat irrelevant whether you’re eating a genuine Indian meal or not. You just look for one that will fill you up and not burn your insides.

The same traits are displayed when organisations set out to hire an infosec consultancy. There are many consultancy’s out there. Most of them aren’t even really geared towards security which results in the your organisations intestines exploding and an empty wallet.

So, to help you out, here are some things to consider when choosing an infosec consultancy:

Know what you want

First off you need to decide why you actually need an infosec consultancy. Is it because the work can’t be done in-house? Or there are confidentiality issues? Or someone at the golf course just mentioned how their infosec team can sort out all of your problems?

Is it a real infosec company?

Many accountants, auditors, builders, pen-pushers, retired policemen, bankers, dolphin trainers, sperm donors and benefit fraudsters have somehow positioned themselves as infosec experts. But scratch beneath the surface a bit. Is this really a security company? Or another company trying to make some money off the security industry?

What’s their income model

This is a touchy subject for many organisations out there. Does the company actually have an income model based around actually making your company more secure? Or do they simply want you to feel as if you’re more secure by writing huge reports designed simple to keep a regulatory body off your back?

Track record not personalities

Does the consultancy have a track record in delivering the type of security you’re specifically after? Or is it a consultancy solely built around a personality? It’s not to discredit infosec personalities in any way, shape or form. But unless that personality will be delivering the consultancy themselves, it’s highly unlikely that you’ll receive any advice close to the level you’ll be charged for.

Follow fads

Check up on their research. Is the consultancy chasing after virtualisation one year and smart phones the next? Are they always looking over the horizon at the next emerging fancy threat, without having enough time to fix today’s bugs? Do their service offerings change depending upon that weeks press releases?

Keeping it simple

Does the consultancy continually publish all these papers about how to protect yourself from these super-advanced techniques and exploits that very few people can actually develop, and most hackers will NEVER USE. It’s the simple stuff that works now, and will continue to work years into the future. Security need not be complicated.

Understand the limits

You cannot outsource blame. You HAVE to take responsibility for your organisations mistakes. Whether they be IT mistakes, vendor mistakes, even mistakes made by your most trusted employees. These are all security choices. You don’t have to be an expert in security, you just have to make informed decisions to control your organisation.