Due Diligence
Hiring a firm you haven't worked with can be unnerving, but security managers rely on various measures to vet prospective security consultants and avoid getting burned.
"With penetration tests, you have to be careful about the kind of firm you look at. Lots of people think they can do that type of work," says Rockford's Granneman. "It's the more glamorous portion of security--hack for a living."
One firm he tapped a few years ago simply ran a report off the widely used Nessus vulnerability scanner. But he's heard horror stories of organizations hiring pen testers who stole information or set up Trojans. Or, consultants and vendors will take vulnerability reports straight to management and claim the security group isn't doing a good job.
Integrity is the key characteristic Granneman looks for in a consultant, and he prefers to use ones that he's met personally and gotten to know. Starting a new consultant with a small project is another tactic he's used. Initially a little leery about a small consulting firm, he started it off on a small job--scanning one Web site--before allowing it to do a full network pen test.
Jeff Pentz, associate IT director of University Health Center at the University of Georgia, typically relies on recommendations from colleagues, and he's had good luck with the security firms he's used for vulnerability assessments and product advice.
"The ones that scare me the most are cold calls," Pentz says. "They say they're in security and they'll make you this deal on scanning your environment."
Like Granneman, he's heard stories of pen testers gone bad, so he's very cautious in hiring security firms. He
feels more confident if a company has federal security clearances: "If they have that, you can be pretty certain they're not sharing information with anyone."
Interval's Hamidi also treads carefully before hiring a consultant, starting with references; candidates must have strong references relevant to the work at hand. Then there's the RFP and statement of work to spell out what needs to be done, plus a non-disclosure agreement, even for initial conversations with a potential consultant. Contracts come with detailed service-level agreements. Consultants also must sign a one-page document agreeing to abide by Interval's information security policies.
Once Interval does hire a security consultant or VAR, it assigns a "mentor" to monitor the person and make sure he or she only has access to what is needed for the job. If consultants need access to another department or building on the Interval campus, the mentor shadows them to the other location.
"It's not an exact science, but I think we are doing the best we can do, not only in the selection process but also in ensuring that once they come on board, that we take every precaution to ensure that we're covered from a security perspective," Hamidi says.
References and talking to peers are critical when looking for a security consultant or evaluating small firms, MacLean says: "Reputations spread pretty quickly. ...For such a large industry, it really is small."
