
Should information security assessments be done by consultants?

Information security assessments can be performed by consulting firms, but is that a better option than handling assessments with in-house staff? Expert Mike O. Villegas discusses.

My CIO is in favor of bringing in a large consulting firm to assess our security program following a series of minor security incidents. I'm reluctant to do so because I think it will only serve as a distraction. Should I hold firm, or find a way to work with the consultants, and if so, what's the best way to do so?

Sadly, there are times when a prophet is not accepted in his own country. I've personally experienced it and seen it happen to many a competent professional. Generally, no one knows the IT security environment better than the resident security engineers. However, if you find it difficult to obtain sufficient funding or support from management to implement the solutions needed, you might have to look outside the organization for assistance.

Experience has shown that the key to any successful venture is communication. Keeping management informed of the current state of security is critical. This can be accomplished through recurring, or at least periodic, management reports to the executive level. These reports need to be timely, informative, focused on the risks to the business and easy to understand. If a report is too technical or too lengthy, its effectiveness will be diminished. Management support is essential, so whenever the security program is called into question, a professional and competent communication from the security team will achieve the desired results.

There will be times when outside assistance for an information security assessment is required. There are many consulting firms that can perform an effective review of a security program. One can look for a brand name or a large security consulting firm, but whatever firm is selected, it needs to understand your overall security program objectives and processes. Admittedly, outside firms are afforded the opportunity to observe both good and bad security programs. An outside firm brings a level of insight the resident security group might not have the opportunity to gain, but it also doesn't know the business model specific to your enterprise. The business culture plays a great part in this as well.

Look for a firm that has experience performing information security assessments in your industry. Make sure you know who will be performing the assessment and verify that those people are actually doing the review. There are times when a consulting firm will sell a project based on the credentials of its subject matter experts but bring in other staff members to perform the assessment. Cost is always a factor, but rank it behind talent, process, experience and, above all else, understanding of your business.


This was last published in May 2015
