Five key questions you need to ask before you sign a contract with a Cyber Security consultant.
Before you sign on a Cyber Security consultant, we recommend asking the following questions to find out whether they are “truly knowledgeable” or whether they are going to use the engagement as a “learning experience.”
1. What are the legal and/or regulatory requirements that my type of business should be concerned with and what background does the consultant have with these laws or regulations?
This lets the business owner know whether the consultant understands the business and the compliance issues that the business must be concerned with. For example, here are some (but definitely not all) of them:
– Sarbanes-Oxley for companies that are on the stock market
– Payment Card Industry for companies that take credit cards
– HIPAA for companies that deal with customer or employee Personal Health Information (PHI)
– Gramm-Leach-Bliley for companies that deal with financial debt
– State Data Breach Laws for all companies that have clients and retain customer information
2. Has the consultant done engagements within my business’s industry? If so, can they describe the customer, the situation and what was done? As a follow-up, could we contact that customer for a reference?
This lets the business owner know whether the consultant has any concrete experience that matches the business’s needs or the given situation of the business.
3. After explaining the business’s situation, requirements and timeframe, ask the consultant to explain how they would address the business’s need.
This lets the business owner know whether the consultant can think on their feet and address problems quickly and succinctly, but with some level of detail. It also lets the business owner know whether the consultant is going to try to baffle them with techno-geek talk (BS) or whether the consultant can explain the situation and the task in plain English (the truly consultative approach).
4. As a bonus question, the business owner should ask the consultant for their opinion on whatever the latest security-related news topics happen to be.
There is always something in the news that is security-related and the consultant should have some inside knowledge-based opinions on the topic. Whether it be:
– The credit card breaches at Target, Neiman-Marcus or Marriott
– The lack of Security Testing on the Healthcare.gov site
– The government considering a federal law on Data Breach Notification
– The NSA capturing Cellphone and Internet information on individuals
5. If, at this point, the consultant hasn’t hung up, excused themselves to take an important call or left the meeting altogether, the business owner may want to ask more general questions about the business’s location, the consultant’s location, the weather, etc.
This is to determine whether the consultant is able to have normal conversations, since many security engagements require a lot of conversations.
Based in the Philadelphia area, Jeff VanSickel is a seasoned Information Security Professional with over 20 years’ experience in the areas of Information Security, Information Technology, Audit Compliance, Risk and Project Management. As a Payment Card Industry (PCI) Qualified Security Assessor (QSA) and a certified CISSP and CISM, he is highly knowledgeable about US Federal and State Law (including SOX, HIPAA, GLBA and Breach Law), US Regulations, ISO-27001/2, NIST, and PCI-DSS.