Whenever you run a business that depends crucially on its technical and administrative information (and what business doesn't?), it is vital to take steps to safeguard that data from loss or damage. One of those steps will often be to hire a computer security consultant to examine your information security and suggest improvements that are aligned to your risk appetite and to best practice.
Security consulting is a unique type of business. Like other kinds of computer consultancy, information security consultants need to be thoroughly up to date on industry trends and standards, and have a strong record of achievement for their clients. That's taken as read. But other facets of the information security business are less obvious, yet at least as crucial when you're considering hiring security consultants.
You will be confronted by a deluge of complicated technobabble when exploring the services of various information security agencies. Step back and let it pass (forward it to your own specialists to decode if you wish), and then start asking some very different questions of the agency. For example: "What is your view of integrity in a security contractor?" Or: "How do you ensure your staff and freelancers are trustworthy?"
These are far from trivial questions. For instance, penetration testing involves an attempt to breach your internal network's defences, and has the potential to cause significant damage to your software and systems if carried out maliciously. For a penetration test to be performed by a security consultant with a criminal past is really not a good idea! You need confidence that all staff have been thoroughly vetted for criminal convictions and the like, and that each computer security consultant is totally committed to values such as integrity, reliability, and discretion.
So how do you find that out? One possible indicator is membership of relevant industry bodies. For instance, information security agencies in the UK might be members of CLAS (CESG Listed Advisors Scheme), while companies providing penetration testing (so-called "ethical hacking") may also be members of CREST (Council of Registered Ethical Security Testers). Both of these schemes vet the individual and the company, and require regular renewal of credentials. Freelance security testers might be members of the "Tiger Scheme", though this does not address any company-related issues.
Another indicator is the national security clearance level of key consultants. In the UK, the basic level is SC (Security Cleared) for ad hoc access to documents marked "SECRET", but for regular work on SECRET material or access to more sensitive data the DV (Developed Vetting) level is necessary. The procedures for gaining clearance are rigorous and dependable, and include checks of criminal records and credit references. So it is worth finding out the clearance level of the security consultants who will work with you, even when your project does not itself require that level of clearance.
Remember, the security of your business data is ultimately your responsibility. It is part of due diligence to investigate the trustworthiness of your information security consultants. Quite apart from all the technical and administrative questions that must be asked, you should also be asking these less tangible questions about integrity and values. Because, ultimately, you need to be able to trust the security consultant not to damage your critical business data: and that requires not merely competence but also core values.