What to Look for When Hiring a Cybersecurity Firm

Cybersecurity is a vast field within the larger realm of IT. And let’s be frank, no firm can be great at everything.

It’s important that vendors embrace their limitations, and that they have partners or referrals with complementary specialties. That way, they’re not trying to do everything by themselves.

When it comes to hiring a cybersecurity firm, you need to be thoughtful about what specialties you’re looking for. In many cases, strong security depends on your team having more attention to detail than the attackers.

If your hired firm is trying to perform beyond its expertise or experience, you might still get good service, but the attention to detail certainly won’t be world-class. And when it comes to security, there’s a lot riding on those outcomes.

Hiring a cybersecurity firm should result in you getting the best people and services to deliver the ideal outcome for your security needs. Continue reading for all of Black Kilt’s tips and tricks on successfully hiring a security firm for your engagement.

Misconceptions About Hiring a Cybersecurity Firm

It’s important to have realistic expectations for what a cybersecurity engagement will look like. People often assume that engagements will be straightforward and quick without doing an honest assessment of their state of affairs.

In the forensics space, I commonly see clients expecting some sort of CSI television magic. They assume evidence can be produced with only a few keystrokes because of how easy it must be to capture everything electronically.

Unfortunately, the reality is that forensic work is really hard, and success in finding that evidence often requires inside knowledge of specific keywords and business terms to search for. Dropping a forensic analyst on the network and expecting them to find evidence without any context will rarely produce the desired result.

Compliance is another area where engagements often hit a wall. Passing audits is important for everyone, but organizations that view compliance as a simple checkbox exercise are in for some trouble with their engagement.

Without a solid understanding of both the spirit and letter of a particular requirement, the controls become misguided and heavy-handed. Oftentimes, those engagements miss the mark entirely, which ultimately results in a failed audit.

Along similar lines, many clients have unrealistic expectations about audit requirements and about achieving compliance. It’s not uncommon for people to call one to two months before a major audit deadline, assuming that they’re already close to the finish line.

Frankly, in most of these cases clients significantly overestimate their current situation, and as such, underestimate the gap to achieve actual compliance. That overconfidence makes engagements very difficult.

If you’re fooling yourself about your state of affairs, it’s not going to bode well for your engagement. Unrealistic expectations, unreasonable timelines, and an unclear understanding of current baseline assumptions will result in a negative engagement every time.


5 Things to Look for When You Hire a Cybersecurity Firm

Once you’re ready to start pursuing a firm to help you with your cybersecurity engagement, prioritize looking for firms that excel in the following five areas.

Experience

Anyone can read, study, and obtain security certifications—what you’re paying for with a firm is their experience.

The hands-on work that a company and its employees have done in the past is the best indication of future performance. If somebody has done this work before, they’re going to be able to do it again.

This includes experience that is applicable to your own industry and projects. Some aspects of security can be transferable across industries, but others are not.

For example, manufacturing often requires industrial and shop floor controls. Manufacturers also often have isolated networks for very large, expensive, and dangerous equipment.

Firms that specialize in finance security probably won’t be successful in that shop floor engagement, because those types of controls and networks don’t exist in the finance sector.

Strong Reputation

You should be able to easily get referrals or references from good firms as well. If they have current or former clients that are enthusiastic about their services and are willing to vouch for them, then that’s a good sign.

On the other hand, if referrals to happy clients are hard to come by, you’re probably going to be better served elsewhere.

Insurance Coverage

Again, any business can set up a sign and say they’re offering security services. Only the companies with skills, reputation, and a proven track record are actually going to be able to obtain the needed level of insurance coverage to engage with large clients. This is especially true for cyber coverage.

Insurance coverage can be a distinguishing factor between independent consultants and smaller shops. The firms that are able to obtain full insurance coverage are the ones that can get the job done.

High Ethical Standards

There’s a very fine line between the white hats and the black hats, and anybody who’s willing to cross that line on the business front will probably be willing to cross it on other fronts as well.

You want a firm that is squeaky clean and holds itself to the highest standards of conduct personally and professionally. Do not compromise on ethics when you’re hiring a firm.

Clear Vision for the Partnership

As a forward-looking best practice, it’s important that the firm you hire helps you understand what the partnership is going to look like as a result of the engagement.

The security firm is going to be hired to perform some specific tasks or functions, which could either be operational or ongoing responsibilities. It’s important to understand what the future state of the operational structure will be.

Who’s going to be responsible for what tasks? How will the firm work with the existing client organization and its customers? What’s the engagement model?

Any organization that underestimates that level of complexity is probably going to be in for a rough engagement, so the security firms that think ahead and ask those difficult questions are far more likely to be successful.

If the firm shows that they’re able to plan ahead and present a clear vision for the engagement, they’re also less likely to just be peddling vendor technology and tools.


What Factors Aren’t Important During a Search for a Firm?

As organizations look to hire security firms, they’ll sometimes get caught up in wanting a large firm, or one with a certain type of organizational structure.

Neither of these elements should be a deciding factor. In fact, if you base your search on them, you’re probably going to end up overlooking an ideal candidate for your engagement.

Size

A lot of clients incorrectly believe that size is a significant factor in success. In reality, size in this case can actually be inversely proportional to success.

It is true that larger firms are likely to have more in-house domain expertise, plus a larger variety of consultants with a wide array of skills.

But the reality is that in order to keep that large business machine running, those consultants and those skills that you so badly need are most likely already assigned to other billable projects.

At best, you may end up with part of that consultant, who is probably already doing double duty with other projects. There’s going to be a lack of focus on your problems, and your project will end up with a result that’s less than complete.

Business Structure

Clients will often inquire about a firm’s business structure, or they’ll put weird restrictions on how a firm is going to fulfill the engagement.

They might say no subcontracting, outsourcing, or other strategies. The reality of an engagement is that it’s the firm’s job to manage those items during planning — not the client’s.

Instead of telling your partner how to manage their business, it’s more important that you focus on your specific regulatory need, or other requirements that the firm may need to be aware of in order to fulfill your contract successfully.

As an example, instead of telling a firm that they can’t do any offshoring, make them aware that you have a U.S. export control need for aspects of your project. If the firm believes that it can still meet the U.S. export control requirement and use some level of outsourcing to deliver your project, then that’s on them to make it happen without violating export control requirements.

Hold them accountable to prove that, but don’t tell them that they can’t offshore the work because parts of your project require export control.

Begin An Engagement With Black Kilt Today

As a boutique firm with very low overhead, we have the flexibility to respond to changing client needs. We only hire consultants with deep industry expertise and a wide array of security skills and capabilities.

We don’t play favorites with vendor tooling, offering support for all of the leading tools and technologies. Rest assured that we will be focused on solving your business problems instead of improving our bottom line.

Here at Black Kilt, integrity is of utmost concern. We have zero tolerance for integrity violations — our clients will tell you this without hesitation.

Contact us for a free consultation for your project and ask us for a client reference today.
