A projection from MarketsandMarkets suggests that the overall field of cyber security will hit $231.94 billion by 2022, rising at a compound annual growth rate (CAGR) of 11.0% from a 2017 level of $137.85 billion.
We can understand to a large degree why this industry is expanding by looking at why it is being prioritized by businesses. A survey from Fortinet revealed three reasons that cyber security is becoming an increasingly pivotal area of concern:
- More cyber crime and data breaches worldwide: Security breaches occurred at 85% of organizations in the two years prior to the poll, according to respondents. The combined category of ransomware and malware was the most common method of attack, impacting 47% of businesses.
- Greater regulatory concern: The broadening of regulations and need for compliance with them was critical to the growth of security awareness, as indicated by 34% of those polled. Failure to meet the stipulations of regulations, such as the new General Data Protection Regulation (from the European Commission, going into effect May 25), could lead to large fines and tarnish reputations.
- Cloud computing migration: When moving data, applications, and infrastructure to cloud, 74% of those polled said that they were concerned with cloud security.
Question 1: What regulations are important to my organization, and do you have experience specific to these regulations?
By asking this question, you get a sense of whether the security specialist knows about important compliance concerns that must be addressed. For instance, key regulations (beyond the GDPR mentioned above) are:
- Payment Card Industry Data Security Standard (PCI DSS): This regulation is critical for e-commerce or any instance in which payment cards are processed.
- Health Insurance Portability and Accountability Act (HIPAA): This regulation is key when employee or customer health data, called protected health information (PHI), is handled by the company or its clients.
- Sarbanes Oxley Act (SOX): Compliance with SOX is necessary when your organization is publicly traded on the stock market.
- Gramm-Leach-Bliley Act (GLBA): Meeting the guidelines of the GLBA is essential if your organization is in the business of financial debt.
- State laws related to data breaches: These regulations are fundamental if you process or retain any sensitive information of your clients or staff.
Question 2: What is the most prominent security threat to my organization?
Often consultants tend to focus too heavily on technology and will advise the adoption of cookie-cutter security plans, according to DMI chief information security officer Rick Doten. Doten noted that you should be concerned if a consultant suggests that the adoption of certain tools will solve your security woes. Security is instead about mitigating risk, and that means you need to have policies in place that will allow your company to systematically assess weaknesses and consistently maintain strong protections.
Aspect Security co-founder Jeff Williams concurred that risk analysis is central to deciding what security steps you need to take. Williams added that consultants should be able to tell you your worst-case scenario, which he calls the business killer, that you must avoid so that you never are the subject of devastating media attention.
The most common issues that would be in this category described by Williams are theft or destruction of intellectual property; sustained downtime of your systems; or theft of payment data. Since many companies do not know what their most significant risks are, they are unable to properly figure out how to spend their cybersecurity budgets.
Question 3: What are some of the clients the organization has previously helped?
When consumers decide which products or services they want to buy, they will often look at online reviews, allowing them to understand how satisfactory the provider’s solutions are from the perspective of those who have gone before them. Businesses should have the same basic approach. Ask for a list of former and current clients. You can better understand how competent and skilled a security consultancy is by knowing their clients and seeing what they have to say.
Question 4: What steps would the consultant take to better secure your business?
The consultant should be able to tell you, based off of your organization’s timeframe, circumstances, and needs, how they would go about helping you achieve better protection. By point-black asking them what they would do, you will get a sense of how quickly they can problem-solve and line up defenses quickly but with some degree of granularity. You will also get a sense of the consultant’s ability to communicate properly, speaking in language that is easily understood rather than through speech that is filled with jargon.
Question 5: Do you analyze situations from a cost-benefit perspective?
For small businesses, the budget that can be spent on cyber security is often tight. The solutions posed by the expert you choose should be able to meet your requirements without putting undue strain on your coffers. In other words, the advice you get from your independent advisor should guide you in making both financial and technical decisions.
Question 6: Who will actually come to complete the project?
Williams noted that often companies will be annoyed because they sign a contract with a consultant that they have carefully vetted, and then a lower-level associate comes to work on the project.
In these scenarios, the primary consultant will be the initial person you meet. They will figure out with you the breadth of what they are going to do and what they will deliver, giving you a sense of comfort. Once the project begins, an employee who is often inexperienced will be switched out for the expert.
Doten agreed on this issue and actually used to have a name for them: idiots right out of college (IROCs). While the name is a bit disparaging, it describes a real problem he saw in the field: large consultancies often hire people who have just graduated and do not yet have real-world experience.
Question 7: What should my expectations be in terms of communication?
Doten noted that cybersecurity consultants will often not let their clients know how they are moving forward with their analysis until they are finished with the work. He specifically referenced a consulting team that would close themselves away and not convey anything to the client until they were completely finished.
Williams said that type of lack of communication will inevitably lead to a poor outcome. He advised that you can protect yourself from this scenario, in part, by talking about the processes and policies that the expert will be advocating upfront. Have them tell you what they will be delivering at different points along the way. It is also important to understand what your objectives are for the project and the ways that you will gauge your progress in pursuit of that end.
You want to be updated on how well your systems are passing the security testing and the extent to which you are lowering your risk. It is also helpful for a consultant to say specific gains they expect to achieve and for it to be quantifiable so that you can measure the metric at the start and conclusion of the consultation.
Moving forward with your consulting project
The field of cybersecurity is growing rapidly for a variety of reasons, all related to changing business needs. In this climate, security consultation has become increasingly pertinent. Asking the above seven questions of IT security consultants will lead you to better results so that your business is properly protected in an increasingly complex threat landscape. Don’t miss a blog post. Subscribe below.
Editor’s Note: The writer’s opinions expressed in this guest article are those of the contributor, and do not necessarily reflect those of IT Security Central and Teramind Co.