Information Security

Defending the digital infrastructure

Security services firms: When and how to choose the right consultant

Learn when to hire a security services firm, how third-party consultants can help managers, how much it should cost and how to choose the right firm.

Organizations are looking for security help, and integrators and consultants are often their first stop.

With an aging firewall starting to cause network performance problems and under pressure to get it fixed fast, David Robinson was in dire straits. He needed some additional expertise, and decided to hire a local security services firm he'd heard about from colleagues in a CIO group.

"We were taking apart the heart of our architecture," says Robinson, CIO at Lockton Companies, a Kansas City, Mo.-based insurance broker. "It had to be done right, it had to be done quickly and it had to be secure."

He kept a close eye on the new consultants, but it didn't take long to know he'd found the right firm for the job. The FishNet Security professionals offered several options for replacing the firewall. They didn't bully or berate, but instead cooperated with his security staff and complemented them. Despite the complexity of the project, the new firewall was installed, tested and operational in three weeks, within budget.

"They also helped us simplify our overall architecture so we could manage it better going forward," Robinson says. "I got the expertise, a great design, and I got it done in the time frame my company was expecting."

Whether it's to tap expertise for a firewall overhaul or to get help with an emerging technology or compliance, many organizations turn to security consultants or security-focused value-added resellers (VARs). Companies looking for security help have a lot of choices, from large consulting firms to small boutiques. In an age of regulatory requirements and growing cyberthreats, the security services market has thrived.

Market research firm IDC estimates the worldwide security services market at $20.3 billion in 2007, up from $17.2 billion in 2006. In the U.S., the market is expected to jump from about $7.4 billion in 2005 to nearly $17.8 billion by 2010. In addition to regulatory compliance, companies are increasingly looking for help with risk management, creating demand for services such as enterprise risk assessments, incident response preparedness and business continuity planning, according to IDC.

But finding a VAR or consultant to entrust with some of your organization's innermost secrets can be daunting. Hiring the right one requires weighing your needs, performing due diligence and watching for warning signs that a firm may not have your best interest in mind. After all, security is highly sensitive business. Done incorrectly, it "could really make for a bad day," Robinson says.

Third-party Benefits
Joseph Granneman, CTO/CSO of Rockford Health System in Illinois, taps consultants for penetration tests on his network or on health care applications from vendors that overlooked that security step. He's also had an outside firm perform a HIPAA audit.

Bait & Switch
It happens all too often, security pros say. Eager to win business, a consulting firm will send its CEO or founder to meet the potential client and secure the deal. But when the actual work begins, the consultant who shows up is someone different--and sometimes junior-level and inexperienced.

"You may even get new college graduates without any experience. You hear stories like that," says Rhonda MacLean, CEO of consulting firm MacLean Risk Partners and former head of Bank of America's corporate global information security group.

So it's important to know ahead of time who will be assigned to your project.

"If you don't end up with the right person, you might end up with just a mismatch," MacLean says. "I'm a big believer in either knowing, or having interviewed, the people that are actually going to conduct the engagement."

--Marcia Savage

"Using a consultant can be beneficial in security more than in other areas because it gives you that outside perspective and checks and balances," Granneman says.

Third-party verification of security can give senior managers and others assurance, says Michael Gabriel, CISO at Career Education Corporation, a provider of postsecondary career-oriented education: "There's value to having a certain amount of independence in your security assessments." Consultants and integrators say their experience gives them a broad view of security that their clients appreciate.

"There are a lot of things that are often skipped because people are thinking just inside their world," says Aric Perminter, partner at New York-based Secure Technology Integration Group. "A consultant coming in from the outside who's dealt with multiple clients will bring a much broader perspective and think outside the box."

For John Penrod, CISO of The Weather Channel, security VARs can provide valuable technical expertise with newer technologies. He's relied on Atlanta-based Vigilar for help in recommending wireless intrusion prevention products, Web traffic monitoring and other tools.

"One of the things I'm looking for with them is the ability to run interference when I need it, between me and vendors--to work with four or five vendors, help me determine which is the best product and help me to implement it, if I need," he says.

Emerging technology is an area where Paul Klahn, information security officer at an insurance firm, says he'll turn to a VAR for help. However, he'll only work with a reseller if it can provide value beyond what a vendor can, such as support, implementation or consulting.

As for what not to outsource to a security services firm, there aren't hard and fast rules.

"To me, it's not as much a decision on whether to outsource something or not," says Gabriel. "Outsourcing is more of a business decision. It's about what type of controls you set up when you do it. ...[They've] got to be in measure to the value of the information or the level of risk that you're taking when you do outsourcing."

The Right Fit
If you've decided you want outside help, figure out exactly what you want to accomplish before you begin your search, says Rhonda MacLean, CEO of consulting firm MacLean Risk Partners and former head of Bank of America's corporate global information security group. Then you can figure out which services best fit your needs and what type of firm might best provide them.

Gauging Price-Gouging
How do you know if you're getting a good price, let alone not getting gouged by a security consultant or VAR?

Pricing can be tricky since services like security audits aren't standardized, but Joseph Granneman, CTO/CSO of Illinois-based Rockford Health System, says he rotates security consultants to make sure "the pricing is consistent on comparable services."

If you prefer to stick with one VAR, it's good every so often to get a quote from another security VAR, says John Penrod, CISO at The Weather Channel. For simplicity's sake, he renews most of his vendor support contracts through Vigilar, but will do a price check occasionally to ensure no mistakes are made. "You want to make sure the prices they give you are competitive and not based on a really good friendship," he says.

Paul Klahn, information security officer at an insurance firm, and someone who previously worked for a security services firm, says scope was a problem when it came to pricing on consulting projects. What one company may call a vulnerability assessment, another may call a penetration test and a third may call a risk assessment.

"We would quote work against other companies, but prices would be wildly different," he says.

Other variables that can affect pricing include whether work is charged on a project or hourly basis. "Some engagements are better one or the other," Klahn says. For example, a product implementation like a firewall or IDS makes for a good project-based engagement because the scope is clear and can be well-defined. On the other hand, a PCI assessment--where the scope is built on different phases including discovery and remediation--might be better suited to hourly pricing, he says.

Also, hiring a company that isn't local will mean travel costs, which can add up, Klahn adds.

--Marcia Savage

For example, an organization doing a SOX review might want to go with one of the large, well-known firms. "If you're getting ready to [go] in front of the audit committee or board of directors, they may be looking for a certain type of firm," MacLean says. Other types of projects, such as a penetration test, might be a good job for a boutique firm that specializes in certain areas.

Sasan Hamidi, CISO at global vacation exchange network operator Interval International, prefers to work with large, reputable firms for security services even if they are a tad more expensive, but goes to small boutiques for help with niche technologies. If there are liability issues as a result of the work done by a consultant or VAR, resolving them can be easier with a large firm compared to a boutique.

"But there are certain cases where we wouldn't have a choice. We'd need a smaller consulting firm because of their expertise," he says.

According to IDC analyst Allan Carey, big names such as IBM, EDS, Deloitte and PricewaterhouseCoopers are leading providers of security services.

Jose Granado, principal in Ernst & Young's security and technology solutions practice, says the benefit his firm offers is the "ability to bridge the gap between technical findings and business risk"--a skill he found lacking among consultants who pitched their services when he worked as a CIO at Stanford Financial Group.

For clients with large-scale projects in multiple locations, large consultants can provide the necessary scalability. Granado says clients still get plenty of attention, but smaller security providers say customers lose the personal touch with large firms.

"The bigger [the firm] the less handholding you'll get," says Robert Koran, vice president of MARK Enterprises, a small VAR in the Los Angeles area that specializes in Check Point Software Technologies implementations and upgrades. "I'm able to give a lot of personal attention to my customers."

Lou Rubbo, CEO of DirSec, a regional VAR based in Colorado that also does a lot of Check Point work in addition to Vericept and other technologies, says an organization should always look first at what it wants to get done rather than choosing a security firm by its size. In IT security, there is a lot of specialization, and many consultants specialize in firewall, single sign-on and other work, he adds.

Other firms specialize in specific verticals such as financial services or health care, offering consulting services tuned to particular regulatory concerns.

But with the security services market in constant flux, as some firms merge and many one- and two-person firms pop up, it's important to look for a track record, says Michael Halperin, vice president of technology at Akibia, an IT infrastructure services firm specializing in security.

"You want a company that you can kick the tires and say, 'This is an organization that's been around a while and will continue to be around,' " he says.

Due Diligence
Hiring a firm you haven't worked with can be unnerving, but security managers rely on various measures to vet prospective security consultants and avoid getting burned.

"With penetration tests, you have to be careful about the kind of firm you look at. Lots of people think they can do that type of work," says Rockford's Granneman. "It's the more glamorous portion of security--hack for a living."

One firm he tapped a few years ago simply ran a report off the widely used Nessus vulnerability scanner. But he's heard horror stories of organizations hiring pen testers who stole information or set up Trojans. Or, consultants and vendors will take vulnerability reports straight to management and claim the security group isn't doing a good job.

Integrity is the key characteristic Granneman looks for in a consultant, and he prefers to use ones that he's met personally and gotten to know. Starting a new consultant with a small project is another tactic he's used. Initially a little leery about a small consulting firm, he started it off on a small job--scanning one Web site--before allowing it to do a full network pen test.

Jeff Pentz, associate IT director of University Health Center at the University of Georgia, typically relies on recommendations from colleagues, and he's had good luck with the security firms he's used for vulnerability assessments and product advice.

"The ones that scare me the most are cold calls," Pentz says. "They say they're in security and they'll make you this deal on scanning your environment."

Like Granneman, he's heard stories of pen testers gone bad, so he's very cautious in hiring security firms. He feels more confident if a company has federal security clearances: "If they have that, you can be pretty certain they're not sharing information with anyone."

Interval's Hamidi also treads carefully before hiring a consultant, starting with references; candidates must have strong references relevant to the work at hand. Then there's the RFP and statement of work to spell out what needs to be done, plus a non-disclosure agreement, even for initial conversations with a potential consultant. Contracts come with detailed service-level agreements. Consultants also must sign a one-page document agreeing to abide by Interval's information security policies.

Once Interval does hire a security consultant or VAR, it assigns a "mentor" to monitor the person and make sure he or she only has access to what is needed for the job. If consultants need access to another department or building on the Interval campus, the mentor shadows them to the other location.

"It's not an exact science, but I think we are doing the best we can do, not only in the selection process but also in ensuring that once they come on board, that we take every precaution to ensure that we're covered from a security perspective," Hamidi says.

References and talking to peers are critical when looking for a security consultant or evaluating small firms, MacLean says: "Reputations spread pretty quickly. ...For such a large industry, it really is small."

Making it Work
Of course, once you engage a security services firm and the work begins, it's important to keep an eye on things and communicate regularly, MacLean says.

Steady communication will head off potential problems rather than waiting until the end of a project, she adds.

Make sure the consultant is sticking to timelines, advises Gregory Thomas, vice president of IT at New Jersey-based Managed Healthcare Associates. "You have to manage them, work with them and have someone who is technical enough to understand what they're doing," he says.

A consultant or integrator that works with an organization over time to address its security problems can be an ideal arrangement for both sides.

As for Lockton's Robinson, now that he's found not only an efficient but trusted partner, he knows whom he'll call if he needs help with other security projects. The company is trying to raise security awareness of its employees and has already gotten some feedback from FishNet on that front. "I would reach out to them first," he says.

This was last published in June 2007