Cybercrime is always on the rise and the cost of data breaches is climbing with it. With bigger and bigger investments in technology and exponentially increased penalties for exposing private customer data, your network’s security is more valuable than ever.
When you realize you need to secure your IT systems, engaging a Cyber Security Consulting Service is the right move. But there are a lot of consultants out there and it can be difficult to tell one company from another. Given the scale of the investment required – and the consequences of doing nothing – understanding how to select a Cyber Security Consulting Service Provider is more important than ever.
Understanding Your Needs
Before you engage with a potential cyber security service provider, it’s important to understand what you need out of them. That means you need to understand both the current state of your network security and your goals.
This understanding can be documented in the form of an IT Risk Assessment. An IT Risk Assessment is a document that:
- Lists your IT assets
- Describes all possible attack vectors
- Evaluates the likelihood that you will suffer from each vector
- Describes the consequences of an attack
- Includes a statement of your future plans to mitigate risk
- Declares your assumption of certain risks
It’s OK and quite common to have not completed a formal Risk Assessment before you contact a cyber security consultant. After all, that’s one of the services they provide. But even an informally documented list of your assets and your concerns about their safety will provide a good starting point.
In addition to technological assets, you should also understand where you need help with administrative tasks related to cyber security. Tracking software updates, access control, user privileges and training is often a full-time job, depending on the size of your operation. These tasks can be turned over to a consultant or you can designate internal personnel to handle them.
One of the most difficult ongoing cyber security efforts is employee training. There are multiple ways to create and conduct in-house training. This has a few benefits. You can customize training to match your specific technology, your industry’s specific challenges and the level of knowledge your staff already has. You also may be able to closely match the known learning styles of your personnel or brand the training to complement your existing training programs.
However, development of in-house cyber security training requires time and access to subject matter experts. Your internal instructional design staff will need time to develop the expertise required to create this specialized training. There is typically commercial off-the-shelf training available for some subjects, but it might not adequately cover your specific needs. If so, you may be looking for some level of help from an outside cyber security consultant that specializes in training.
If you have no idea where you stand on any or all of the above, you can secure the services of a cyber security consultant to conduct a full security audit of your entire company. This will help you find a baseline of all of your needs going forward.
Evaluate Their Team
The personnel associated with a cyber security consultancy should have the ability to understand your specific business needs. They need to have the skills to craft a customized risk assessment, develop your own specific plan, and support your needs through that entire process. They also need to be able to develop a rapport that allows them to express technical processes in a way that everyone can understand.
In many ways, the cyber security consultant will become a part of your team. Your business goals in the cyber security area should become their goals. The team working with you should also have the time and bandwidth to provide ongoing service to whatever level you will need it. This can include annual reviews of your policies and risk as well as regular ongoing analysis of existing and new threats and vulnerabilities.
Of course, determining this before you hire them can be a major challenge. Be sure to ask for evidence of past work and successful projects. Many firms keep case studies on hand that should contain data showing that their work is both comprehensive and valuable. One key indicator can be the longevity of their relationships with major clients. Asking for this type of material will help you make an informed and complete decision when it comes time to choose one provider over another.
Analyze Their Tech
Cyber security service providers tend to operate on one of two business models. They will either provide integration and support services for commercial off-the-shelf solutions or will sell and service their own custom software and hardware solution.
Integrators provide proven solutions that you should be able to research and understand. The value added by these companies is in their customer service, ongoing support and training along with a keen understanding of how you will want to use the service offerings.
Providers of their own technology may have the edge in flexibility and customization. Their solutions may offer a better user experience for you because you are in close contact with the developers. But understanding the quality of their offering may be difficult if you don’t have technical staff on hand to independently examine it.
One of the key services provided by cyber security consultants is the ability to track and monitor security across your IT systems. These services can either be installed and configured by your provider for your own internal monitoring, or set up and then monitored by the provider on your behalf.
A good monitoring service would include:
- Security Information and Event Management (SIEM):
This is a set of tools that help detect attacks on your system. SIEM systems record and analyze log data from servers, switches, gateways, firewalls and other components. This data can be used to create alerts and service tickets in the event of a network problem or potential breach.
- Intrusion Detection System (IDS):
An IDS actively monitors your network connection for unauthorized behavior. This can detect both active hacking attempts and malware-driven automated attacks.
- Network Behavior Analysis (NBA):
By analyzing the data produced by the tools that support your network security, your provider can create a baseline of the normal activity across your network and then alert you when unusual activity occurs.
- Endpoint Detection & Response (EDR):
EDR systems monitor individual devices that connect to your network. This includes servers, workstations, laptops, printers and internet-of-things devices. You can also monitor company-provided smartphones and tablets. If any device shows unauthorized or suspicious activity, you’ll know about it.
These monitoring tools generally require some form of triage and intervention. This can sometimes be handled by machine learning and artificial intelligence tools, but a cyber security service provider will typically offer manual response and intervention services. All providers should have a robust suite of these tools and offer complete monitoring of your entire infrastructure.
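As an added illustration of the baseline-then-alert approach described above for Network Behavior Analysis (example code written for this article, not any vendor's product), the following Python builds a per-host baseline of outbound volume from constructed flow records and flags hours that deviate from it, including a host that was never seen during baselining. The host names, flow format and threshold are all assumptions.

```python
# Network Behavior Analysis in miniature: per-host baseline, then alert (added example).
import statistics
from collections import defaultdict

# Constructed flow records, one per line: "hour,src_host,bytes_out"
BASELINE_FLOWS = """\
h01,ws-12,1200
h02,ws-12,1350
h03,ws-12,1100
h04,ws-12,1250
h01,srv-db,50000
h02,srv-db,52000
h03,srv-db,49000
h04,srv-db,51000
"""
# New window to score: ws-12 moves ~40x its usual volume; ws-99 was never baselined
NEW_FLOWS = """\
h05,ws-12,48000
h05,srv-db,51500
h05,ws-99,300
"""

def parse_flows(text):
    """Parse flow lines into (hour, host, bytes_out) tuples, skipping blanks."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            hour, host, nbytes = line.split(",")
            rows.append((hour, host, int(nbytes)))
    return rows

def build_baseline(rows):
    """Per-host (mean, population std dev) of bytes_out over the baseline window."""
    per_host = defaultdict(list)
    for _, host, nbytes in rows:
        per_host[host].append(nbytes)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_host.items()}

def score_window(rows, baseline, z_threshold=3.0):
    """Alert on hosts more than z_threshold std devs above baseline, or never baselined."""
    alerts = []
    for hour, host, nbytes in rows:
        if host not in baseline:  # a device that appeared since baselining is itself notable
            alerts.append((hour, host, "unknown host"))
            continue
        mean, sd = baseline[host]
        z = (nbytes - mean) / max(sd, 1.0)  # floor sd so a constant baseline still scores
        if z > z_threshold:
            alerts.append((hour, host, f"z={z:.1f}"))
    return alerts
```

Running `score_window(parse_flows(NEW_FLOWS), build_baseline(parse_flows(BASELINE_FLOWS)))` returns two alerts: the workstation's volume spike and the unknown host; the database server stays within its normal range.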
Tools that monitor your network and the activity on it are practically useless without a strong reporting framework. Cyber Security Consulting Service Providers should be able to create standard and customized reports that give you either a snapshot of, or trends in, your network activity.
Real-time dashboards are also commonly provided. They allow you to log in to a web portal and view a graphical representation of the health and condition of your IT systems.
In addition to providing the reports and data visualizations, they should be able to help you interpret them. The provider should also be able to help you use the report history as the foundation for your annual IT risk assessment.
Cyber Security Consulting Service Providers will usually offer some form of penetration testing that will tell you how secure your IT systems are.
Testing the entry points of your network is a fairly standard service. Some providers will also help you test your employees’ response to simulated attacks. This will often include testing their response to fake phishing attacks. Your employees will receive a suspicious-looking email and the provider will track how many people click on it. A full-service provider will track these responses and be able to show how effective your training and awareness programs are.
The final type of testing is the social engineering test. In this kind of test, an employee of the service provider will visit your facility posing as a repair tech or other “official-looking” person. They will attempt to enter your premises and then exploit your network security by gaining physical access to servers or other devices. This service is somewhat unusual, but it may be the kind of thing your organization needs to ensure your systems stay safe.
Flexibility & Responsiveness
For smaller companies, conditions may be in constant flux. That makes it important to find partners that are flexible and responsive to your needs. Your cyber security provider should be attentive to your changing requirements and able to respond quickly when you add new devices, applications or services. They also should adapt to new threats and vulnerabilities, offering immediate support for patching and closing security holes as they are discovered.
We mentioned it above, but it bears repeating that a cyber security provider is taking the place of an internal team and their personnel should be dedicated to supporting your security efforts as if they were your employees. That includes thinking ahead and helping to adapt your security strategy as often as necessary.
Your cyber security services provider should be proactive in bringing new technology or solutions to your attention while also ensuring that you are getting the full benefit of the services you pay for.
One of the biggest cyber security challenges is making sure that your employees are fully trained and able to work in support of your data security plan. Cyber security service providers offer a wide range of training offerings, including:
- Prerecorded videos:
Standard topics such as email security and social engineering may be provided in the form of prerecorded videos. The specific topics and content for these subjects are standard enough that they can be prepared in advance and delivered to many clients. The downside of this form of training is that learners are not able to ask questions and the content won’t be customized to your own environment.
- Online webinars:
Instructor-led training can be delivered via video conference. This can be customized to fit your specific environment and the needs of your employees. Online training has become more common recently as a means to provide cost-effective learning.
- Instructional design:
Some providers create training material that you can deliver with your own internal training department. This offers the advantage of having expertly developed training material that’s customized for you but also delivered by someone who knows your staff well.
- Learning Management System (LMS) support:
A training component should be able to work with your internal LMS. An LMS allows you to track who has taken security training and how well they did in the class. Having access to that kind of information about your staff’s security knowledge is an essential part of many security audits and certifications.
Cyber security service providers usually offer annual or monthly contracts. Additional monitoring and services might be added for a specific fee or they might assemble tiers of commonly used services that go together. As with many managed service providers, the smaller firms might be more flexible on their pricing structure while the larger ones might offer steep discounts to their big customers.
Generally, pricing will be determined on a per-user or per-device level. Per-user pricing might only cover a specific number of network nodes, but this type of pricing is flexible and provides known costs as you expand your headcount.
Per-device pricing requires a full inventory and active monitoring of the IT infrastructure but can be useful as an add-on service if your internal IT teams are already handling some of your cyber security needs.
Certifications & Compliance
There is a long alphabet soup of certifications that your Cyber Security provider’s people should have. Certified Information Systems Security Professional (CISSP) is one example. Large manufacturers such as Cisco and cloud platforms such as Amazon Web Services also offer their own certifications dedicated to security. Look for certs that match up with your specific environment.
Your provider will also likely be able to help you qualify and certify your own IT operation to several well-known standards and mandates. Examples of the many types of compliance standards include:
- PCI DSS: For payment cards.
- HIPAA: For healthcare data.
- FISMA: For federal contractors.
- NIST: A well-known general network security standard from the National Institute of Standards and Technology.
- SOC 1, 2 & 3: Standard sets of security requirements for different business purposes.
Your provider should have not just their own certified personnel, but also experience in helping organizations like yours achieve the certifications that are relevant to your industry.
Your final focus when choosing a Cyber Security Service Provider should be a firm’s ability to grow and adapt as your business changes. When you need to expand your IT infrastructure, your provider should be able to accommodate that quickly and responsively. The same goes for an increase in your headcount and the need for additional training or certification.
Smaller firms may be flexible and adaptable, but may also have trouble increasing their capacity as quickly as you need them to. You will want to discuss any anticipated growth or expansion plans and make sure that your potential partner can support those plans.
Making the selection
As with any business partnership, making the right choice comes down to understanding what they can provide you and how they can support your specific needs. Even though cyber security is a complex and technical field, your potential partners should be able to communicate with you and fully explain their processes and services.