Sometimes organizations need outside help for getting their arms around information security challenges. That’s where security consultants come in. Here are a few tips for making sure that engaging a consultant—often in the form of a consulting company—brings the necessary benefits to justify the expense.
This advice isn’t specific to security consulting, but I present it on the basis of providing security consulting services for a fair bit of time:
- Understand your requirements for security assistance. I’ve encountered many organizations, for example, that request a security assessment, but aren’t sure what type of an assessment they need. Good consultants will help you figure this out, but the more prepared you are, the more in control you will be.
- Reach out to multiple security consultancies, so that you benefit from multiple perspectives on potential approaches to the project and to validate that the price estimates you receive are reasonable. Consider issuing an RFP to attract several qualified companies and to explain your needs.
- Make it personal. Treating the company as a generic entity may be fine from a contract’s perspective. However, establishing rapport with the individuals working on the project will help achieve results not only to the letter of the contract, but also in the spirit of your requirements.
- Assess who will work on the project and what tasks they’ll be assigned to confirm that their expertise matches your needs. Look at their certifications and past project experiences. The consulting company might have a strong brand as a whole, but make sure that it extents to the consultants who will support your endeavor.
- Request a high-level project plan that contains milestones for the expected deliverables. Organizations sometimes focus too much on the desired start date, forgetting to state their end date expectations and to incorporate intermediate check points into the project’s time line.
- Understand the full cost of the project, rather than focusing on the hourly rate. Fixed-fee projects are least likely to have unexpected expenses. Pricing on Time & Material basis is may be necessary when the scope of work is unclear, but could be risky from a budgetary perspective. Also, don’t forget to account for travel expenses.
- Dedicate time to oversight of the project’s delivery. The consulting company should offer such oversight, but you should also keep an eye on the project to make sure it is progressing according to your expectations and original commitments. This will help you identify and correct potential problems early before they escalate into major issues.
If you’d like to share additional tips, either from a security consultant’s or a client’s perspective, please leave a comment.
Updated March 21, 2011