
Should information security assessments be done by consultants?

Information security assessments can be performed by consulting firms, but is that a better option than handling assessments with in-house staff? Expert Mike O. Villegas discusses.

My CIO is in favor of bringing in a large consulting firm to assess our security program following a series of minor security incidents. I'm reluctant to do so because I think it will only serve as a distraction. Should I hold firm, or find a way to work with the consultants, and if so, what's the best way to do so?

Sadly, there are times when a prophet is not accepted in his own country. I've personally experienced it and seen it happen to many a competent professional. Generally, no one knows the IT security environment better than the resident security engineers. However, if you find it difficult to obtain sufficient funding or support from management to implement the solutions needed, you might have to look outside the organization for assistance.

Experience has shown that the key to any successful venture is communication. Keeping management informed of the current state of security is critical. This can be accomplished through recurring, or at least periodic, management reports to the executive level. These reports need to be timely, informative, focused on the risks to the business and easy to understand. If a report is too technical or too lengthy, its effectiveness will be diminished. Management support is essential, so whenever the security program is called into question, professional and competent communication from the security team will produce the desired results.

There will be times when outside assistance for an information security assessment will be required. There are many consulting firms that can perform an effective review of a security program. One can look for a brand name or a large security consulting firm, but whatever firm is selected, it needs to understand your overall security program objectives and processes. Admittedly, outside firms are afforded the opportunity to observe many security programs, both good and bad. That brings a level of insight the resident security group might not have the opportunity to gain, but an outside firm also does not know the business model specific to your enterprise. The business culture plays a large part in this as well.

Look for a firm that has experience performing information security assessments in your industry. Make sure you know who will be performing the assessment, and ensure those people are actually the ones doing the review. There are times when a consulting firm will sell a project based on the credentials of its subject matter experts but bring in other staff members to perform the assessment. Cost is always a factor, but weigh it behind talent, process, experience and, above all else, understanding of your business.


This was last published in May 2015


Does your organization use third-party consulting firms or in-house staff to conduct security assessments?
We would love to make all the final decisions about security in-house. And we do that, with success, for most of the year. But security being the problem it's become, we've started to bring in an outside consultant. Usually about once a year to review the process.

They found a few problems the first year or two, but the concept of an "annual review" seems to have made everyone much better at keeping things under control....
Mike, interesting article, and you correctly state that "...a consulting firm will sell a project based on the credentials of subject matter experts but bring in other staff members to perform the assessment." I've seen it happen often with larger firms rather than smaller firms. Due to resource-pool dynamics, smaller firms will most likely use the same individuals they listed in their offer/proposal. Unless they outsource the project to someone else, which is an entirely different topic...
This is a very important point. If you let your internal staff make assessments regarding your security, it's like a wolf watching the hen house. But if you have outside agencies do this for you, how can you be fully certain they understand your mission, goals and priorities? Benefits are on both sides, but I think oversight is the most important thing you can ensure when conducting security assessments.

Jeff, very good point. How about using a software application as an alternative to consultants? It is lower cost, highly scalable and runs whenever you want. For example, Sikernes Risk Management (SRM) software helps organizations improve decision-making, decrease cost and proactively monitor their attack surface. It can handle very large numbers of IT applications, hardware and software, policies and users. Sikernes' cloud-based approach makes advanced threat and vulnerability analysis actionable and streamlined.