Second-Opinion Security Audits

Updated: August 20, 2012

Issue

How secure is your business's IT infrastructure? You probably feel that you've taken all of the necessary steps to protect your company's systems and data from attackers, vandals, thieves and various other digital evildoers. But that doesn't mean that everything is really secure. To ensure complete IT protection, you'll need to seek an outside view.

External advice and insight are an essential part of a truly comprehensive security audit. That's because familiarity breeds numbness. Everyday processes, practices and procedures can lull even the sharpest in-house IT experts into complacency, causing them to miss key vulnerabilities. An outside consultant will approach your business with an open mind and a fresh slate, assessing its security needs objectively and then comparing current safeguards to best practices used by other firms in the same industry.

Here's how to find a security consulting firm to help you perform such an audit.

Considerations

1. Start looking. Use search engines, local and national media, trade associations, and professional contacts to find consulting firms that meet your needs. It's also a good idea to turn to your local chamber of commerce or local small-business development center for input.

2. Narrow the field. Short-list five or six firms that appear to be the best matches and ask them to submit proposals.

3. Assess expertise. With the proposals in hand, it's time to begin evaluating the various contenders, beginning with each firm's skills and knowledge. Does the firm have experience with your type of company? Does it have a track record of working with the technologies used by your business? Will it be able to handle the work with its own staff, or will it have to subcontract?

4. Judge credibility. How long has the firm been in business? Is it reliable? Be sure to check references and get referrals from other companies in your industry.

5. Compare philosophies. An audit is as much an art as a science, so find a consulting firm that agrees with your views on security needs and practices.

6. Set a schedule. To minimize disruption and control costs, the audit should be conducted as quickly as possible without sacrificing thoroughness and accuracy.

7. Specify documentation. A complete audit generates a lot of digital and traditional paperwork. In fact, documentation — highlighting security vulnerabilities and solutions — is the primary reason for conducting an audit. Since documentation is so critical to an audit's success, both parties must agree in advance on the materials' format and coverage range.

8. Calculate fees. Consulting firms bill in various ways: a flat fee, an hourly or daily rate, or an ongoing retainer. Regardless of the billing method a particular consulting firm uses, it should be able to break down the cost structure and allocate costs to different project stages or tasks. In any event, it's vital to receive accurate and precise fee information before any work begins.

9. Sign the contract. Once all of the terms are acceptable, it's time to seal the deal. Make sure that the contract specifies the audit's scope, including the starting and ending dates, stage deadlines, project deliverables, fees, and so on. Even if there's no formal contract, make sure the project's details are written down and mutually agreed to.
