How to hire the right infosec consultancy?

Dec 12, 2013

There are hundreds if not thousands of Indian restaurants dotted around London. However, we all know that most of these places are not owned or run by Indians at all. You have a large number of Bangladeshis or Pakistanis owning and managing these establishments. But for convenience there's an unspoken rule that the owners will advertise their food as Indian cuisine and customers will always refer to it as going out for an Indian.

By and large, it is somewhat irrelevant whether you're eating a genuine Indian meal or not. You just look for one that will fill you up and not burn your insides. The same traits are displayed when organisations set out to hire an infosec consultancy. There are many consultancies out there. Most of them aren't even really geared towards security, which results in your organisation's intestines exploding and an empty wallet.

So, to help you out, here are some things to consider when choosing an infosec consultancy:

Know what you want
First off you need to decide why you actually need an infosec consultancy. Is it because the work can't be done in-house? Or there are confidentiality issues? Or someone at the golf course just mentioned how their infosec team can sort out all of your problems?

Is it a real infosec company?

Many accountants, auditors, builders, pen-pushers, retired policemen, bankers, dolphin trainers, sperm donors and benefit fraudsters have somehow positioned themselves as infosec experts. But scratch beneath the surface a bit. Is this really a security company? Or another company trying to make some money off the security industry?

What's their income model?

This is a touchy subject for many organisations out there. Does the company actually have an income model based around making your company more secure? Or do they simply want you to feel as if you're more secure by writing huge reports designed simply to keep a regulatory body off your back?

Track record not personalities
Does the consultancy have a track record in delivering the type of security you're specifically after? Or is it a consultancy solely built around a personality? This is not to discredit infosec personalities in any way, shape or form. But unless that personality will be delivering the consultancy themselves, it's highly unlikely that you'll receive any advice close to the level you'll be charged for.

Follow fads
Check up on their research. Is the consultancy chasing after virtualisation one year and smart phones the next? Are they always looking over the horizon at the next emerging fancy threat, without having enough time to fix today's bugs? Do their service offerings change depending upon that week's press releases?

Keeping it simple
Does the consultancy continually publish papers about how to protect you from super-advanced techniques and exploits that very few people can actually develop, and most hackers will NEVER USE? It's the simple stuff that works now, and will continue to work years into the future. Security need not be complicated.

Understand the limits

You cannot outsource blame. You HAVE to take responsibility for your organisation's mistakes, whether they are IT mistakes, vendor mistakes, or even mistakes made by your most trusted employees. These are all security choices. You don't have to be an expert in security; you just have to make informed decisions to control your organisation.
This article was first published on www.infosecisland.com and is reprinted with prior permission from them.