Second-Opinion Security Audits

Updated: January 09, 2009



How secure is your business's IT infrastructure? You probably feel that you've taken all of the necessary steps to protect your company's systems and data from attackers, vandals, thieves and various other digital evildoers. But that doesn't mean that everything is really secure. To ensure complete IT protection, you'll need to seek an outside view.

External advice and insight is an essential part of a truly comprehensive security audit. That's because familiarity breeds numbness. Everyday processes, practices and procedures can lull even the sharpest in-house IT experts into complacency, causing them to miss key vulnerabilities. An outside consultant will approach your business with an open mind and a fresh slate, assessing its security needs objectively and then comparing current safeguards to best practices used by other firms in the same industry.

Here's how to find a security consulting firm to help you perform such an audit.



1. Start looking. Use search engines, local and national media, trade associations, and professional contacts to find consulting firms that meet your needs. It's also a good idea to turn to your local chamber of commerce or local small-business development center for input.

2. Narrow the field. Short-list five or six firms that appear to be the best matches and ask them to submit proposals.

3. Assess expertise. With the proposals in hand, it's time to begin evaluating the various contenders, beginning with each firm's skills and knowledge. Does the firm have experience with your type of company? Does it have a track record of working with the technologies used by your business? Will it be able to handle the work with its own staff, or will it have to subcontract?

4. Judge credibility. How long has the firm been in business? Is it reliable? Be sure to check references and get referrals from other companies in your industry.

5. Compare philosophies. An audit is as much an art as a science, so find a consulting firm that agrees with your views on security needs and practices.

6. Set a schedule. To minimize disruption and control costs, the audit should be conducted as quickly as possible without sacrificing thoroughness and accuracy.

7. Specify documentation. A complete audit generates a lot of digital and traditional paperwork. In fact, documentation — highlighting security vulnerabilities and solutions — is the primary reason for conducting an audit. Since documentation is so critical to an audit's success, both parties must agree in advance on the materials' format and coverage range.

8. Calculate fees. Consulting firms bill in various ways: a flat fee, an hourly or daily rate, or an ongoing retainer. Regardless of the billing method a particular consulting firm uses, it should be able to break down the cost structure and allocate costs to different project stages or tasks. In any event, it's vital to receive accurate and precise fee information before any work begins.

9. Sign the contract. Once all of the terms are acceptable, it's time to seal the deal. Make sure that the contract specifies the audit's scope, including the starting and ending dates, stage deadlines, project deliverables, fees, and so on. Even if there's no formal contract, make sure the project's details are written down and mutually agreed to.
