Understanding Your Needs
Before you engage with a potential cyber security service provider, it’s important to understand what you need out of them. That means you need to understand both the current state of your network security and your goals.
This understanding can be documented in the form of an IT Risk Assessment. An IT Risk Assessment is a document that:
- Lists your IT assets
- Describes all possible attack vectors
- Evaluates the likelihood that you will suffer an attack through each vector
- Describes the consequences of an attack
- Includes a statement of your future plans to mitigate risk
- Declares your assumption of certain risks
It’s OK and quite common to have not completed a formal Risk Assessment before you contact a cyber security consultant. After all, that’s one of the services they provide. But even an informally documented list of your assets and your concerns about their safety will provide a good starting point.
In addition to technological assets, you should also understand where you need help with administrative tasks related to cyber security. Tracking software updates, access control, user privileges and training is often a full-time job, depending on the size of your operation. These tasks can be turned over to a consultant or you can designate internal personnel to handle them.
One of the most difficult ongoing cyber security efforts is employee training. There are multiple ways to create and conduct in-house training, and doing so has a few benefits. You can customize training to match your specific technology, your industry’s specific challenges and the level of knowledge your staff already has. You may also be able to closely match the known learning styles of your personnel or brand the training to complement your existing training programs.
However, developing in-house cyber security training requires time and access to subject matter experts. Your internal instructional design staff will need time to develop the expertise required to create this specialized training. There is typically commercial off-the-shelf training available for some subjects, but it might not adequately cover your specific needs. If so, you may be looking for some level of help from an outside cyber security consultant who specializes in training.
If you have no idea where you stand on any or all of the above, you can secure the services of a cyber security consultant to conduct a full security audit of your entire company. This will help you establish a baseline for all of your needs going forward.