This article can also be found in the Premium Editorial Download "Information Security magazine: How to tell if you need the help of security integrators and consultants."
The Right Fit
If you've decided you want outside help, figure out exactly what you want to accomplish before you begin your search, says Rhonda MacLean, CEO of consulting firm MacLean Risk Partners and former head of Bank of America's corporate global information security group. Then you can figure out which services best fit your needs and what type of firm might best provide them.
How do you know whether you're getting a fair price from a security consultant or VAR, or whether you're being gouged?
Pricing can be tricky since services like security audits aren't standardized, but Joseph Granneman, CTO/CSO of Illinois-based Rockford Health System, says he rotates security consultants to make sure "the pricing is consistent on comparable services."
If you prefer to stick with one VAR, it's good every so often to get a quote from another security VAR, says John Penrod, CISO at The Weather Channel. For simplicity's sake, he renews most of his vendor support contracts through Vigilar, but will do a price check occasionally to ensure no mistakes are made. "You want to make sure the prices they give you are competitive and not based on a really good friendship," he says.
Paul Klahn, information security officer at an insurance firm, who previously worked for a security services firm, says inconsistent scoping made consulting prices hard to compare. What one company calls a vulnerability assessment, another may call a penetration test and a third a risk assessment, even though the three are different kinds of work.
"We would quote work against other companies, but prices would be wildly different," he says.
Other variables that can affect pricing include whether work is charged on a project or hourly basis. "Some engagements are better one or the other," Klahn says. For example, a product implementation like a firewall or IDS makes for a good project-based engagement because the scope is clear and can be well-defined. On the other hand, a PCI assessment--where the scope is built on different phases including discovery and remediation--might be better suited to hourly pricing, he says.
Also, hiring a company that isn't local will mean travel costs, which can add up, Klahn adds.
The type of project should also drive the choice of firm, MacLean says. An organization doing a SOX review, for example, might want one of the large, well-known firms. "If you're getting ready to [go] in front of the audit committee or board of directors, they may be looking for a certain type of firm," she says. Other projects, such as a penetration test, might be a good job for a boutique firm that specializes in that area.
Sasan Hamidi, CISO at global vacation exchange network operator Interval International, prefers large, reputable firms for security services even when they are somewhat more expensive, but turns to small boutiques for help with niche technologies. If the work done by a consultant or VAR leads to liability issues, he says, resolving them is generally easier with a large firm than with a boutique.
"But there are certain cases where we wouldn't have a choice. We'd need a smaller consulting firm because of their expertise," he says.
According to IDC analyst Allan Carey, big names such as IBM, EDS, Deloitte and PricewaterhouseCoopers are leading providers of security services.
Jose Granado, principal in Ernst & Young's security and technology solutions practice, says the benefit his firm offers is the "ability to bridge the gap between technical findings and business risk"--a skill he found lacking among consultants who pitched their services when he worked as a CIO at Stanford Financial Group.
For clients with large-scale projects in multiple locations, large consultants can provide the necessary scalability. Granado says clients still get plenty of attention, but smaller security providers say customers lose the personal touch with large firms.
"The bigger [the firm] the less handholding you'll get," says Robert Koran, vice president of MARK Enterprises, a small VAR in the Los Angeles area that specializes in Check Point Software Technologies implementations and upgrades. "I'm able to give a lot of personal attention to my customers."
Lou Rubbo, CEO of DirSec, a regional VAR based in Colorado that also does a lot of Check Point work in addition to Vericept and other technologies, says an organization should always look first at what it wants to get done rather than choosing a security firm by its size. In IT security, there is a lot of specialization, and many consultants specialize in firewall, single sign-on and other work, he adds.
Other firms specialize in specific verticals such as financial services or health care, offering consulting services tuned to particular regulatory concerns.
But with ebb and flow in the security services market as some firms merge and lots of one- and two-person firms pop up, it's important to look for a track record, says Michael Halperin, vice president of technology at Akibia, an IT infrastructure services firm specializing in security.
"You want a company that you can kick the tires and say, 'This is an organization that's been around a while and will continue to be around,' " he says.
This was first published in June 2007