This article can also be found in the Premium Editorial Download "Information Security magazine: How to tell if you need the help of security integrators and consultants."
Download it now to read this article plus other related content.
Joseph Granneman, CTO/CSO of Rockford Health System in Illinois, taps consultants for penetration tests on his network or on health care applications from vendors that overlooked that security step. He's also had an outside firm perform a HIPAA audit.
|Bait & Switch|
It happens all too often, security pros say. Eager to win business, a consulting firm will send its CEO or founder to meet the potential client and secure the deal. But when the actual work begins, the consultant who shows up is someone different--and sometimes junior-level and inexperienced.
"You may even get new college graduates without any experience. You hear stories like that," says Rhonda MacLean, CEO of consulting firm MacLean Risk Partners and former head of Bank of America's corporate global information security group.
So it's important to know ahead of time who will be assigned to your project.
"If you don't end up with the right person, you might end up with just a mismatch," MacLean says. "I'm a big believer in either knowing, or having interviewed, the people that are actually going to conduct the engagement."
"Using a consultant can be beneficial in security more than in other areas because it gives you that outside perspective and checks and balances," he says.
Third-party verification of security can assure senior managers and others, says Michael Gabriel, CISO at Career Education Corporation, a provider of postsecondary career-oriented education: "There's value to having a certain amount of independence in your security assessments." Consultants and integrators say their experience gives them a broad view of security their clients appreciate.
"There are a lot of things that are often skipped because people are thinking just inside their world," says Aric Perminter, partner at New York-based Secure Technology Integration Group. "A consultant coming in from the outside who's dealt with multiple clients will bring a much broader perspective and think outside the box."
For John Penrod, CISO of The Weather Channel, security VARs can provide valuable technical expertise with newer technologies. He's relied on Atlanta-based Vigilar for help in recommending wireless intrusion prevention products, Web traffic monitoring and other tools.
"One of the things I'm looking for with them is the ability to run interference when I need it, between me and vendors--to work with four or five vendors, help me determine which is the best product and help me to implement it, if I need," he says.
Emerging technology is an area where Paul Klahn, information security officer at an insurance firm, says he'll turn to a VAR for help. However, he'll only work with a reseller if it can provide value beyond what a vendor can, such as support, implementation or consulting.
As for what not to outsource to a security services firm, there aren't hard and fast rules.
"To me, it's not as much a decision on whether to outsource something or not," says Gabriel. "Outsourcing is more of a business decision. It's about what type of controls you set up when do you it. ...[They've] got to be in measure to the value of the information or the level of risk that you're taking when you do outsourcing."
This was first published in June 2007