Cracking Cybersecurity Consulting: How Do We Understand the Final Deliverable?
Tenth article in a 12-part series on “Cracking Cybersecurity Consulting”
The initial articles in this series focused on vetting, negotiating, and contracting potential cybersecurity vendors. Once you’ve hired a solid team, let them do what they do best — their work. Of course, the team will likely have questions and need your input as well as access to technology related to the cybersecurity project. Just remember, the purpose of hiring a third party is to utilize their expertise and experience to test, audit, or challenge your company’s processes.
Hopefully, the “rules of engagement” mentioned in previous articles have been implemented to improve the communication and transparency between the teams. The contract itself should also help push this project toward a successful conclusion. As the end of the project nears, your cybersecurity vendor will likely have a final deliverable to help you make changes and fix gaps.
This deliverable takes many forms, whether written or presented verbally, but what if the report is packed with technical detail and cybersecurity jargon? What happens if your company doesn’t have internal personnel capable of interpreting the results? What if you are simply handed a heat map or a collection of graphics with words you can’t clearly comprehend? How do you turn the results into action items for your organization?
Things are made even more complicated with the worry that third-party reports could be discovered and used in future litigation. This was the case for the litigation following Capital One’s 2019 data breach, so cybersecurity vendors are becoming more cautious about the format of their final reports.
I’ve compiled commonsense reminders and tips to make sure the project doesn’t stop when the third party leaves your premises. The next step in “Cracking Cybersecurity Consulting” is to make sure you understand the results, so that they can be implemented to improve your overall cybersecurity risk posture.
For the final deliverable:
· Schedule a debriefing and Q&A session with the vendor. It’s important to hear the suggested action items from the vendor’s mouth, so that you can get clarification regarding suggestions that are new to your team. Verbal sessions are good for cutting through the “fluff” found in reports. Plan to ask, “What are the biggest priorities?” or “What are the most important actions we should take following this project?”
· Highlight terms that need to be defined. Depending on the technical level of your internal team, you might need a list of definitions included in the final report. Definitions vary widely in the cyber industry, so get clear on the terminology to ensure your team’s success during implementation.
· Focus on the negatives. Many times, consulting reports mix negative action items in with positive notes. This isn’t an attempt to hide the action items; it is simply a by-product of giving organizations comprehensive information. Sometimes the big gaps and improvements aren’t stated prominently, so review the report closely and look specifically for the big things that need to be addressed.
· Ask for more consulting hours. If you truly don’t have a technically savvy team member in-house who can follow up on the provided recommendations, you may need to continue working with the third party until you have remediated any known gaps or areas of improvement.
Of course, none of this applies if you have an incredible internal technical team that can help interpret the results and set everything in motion in your existing infrastructure. In my consulting experience, though, this is rarely the case. There are many different levels of cybersecurity maturity within an organization, and there’s no harm in asking someone to translate, clarify, and provide further help if needed. After all, that might be why you went with a third party in the first place.
My next article will cover how to put a consulting report to use to strengthen your overall cybersecurity posture.
For more information and to discuss the consulting services that are right for your organization, contact Violet Sullivan, Esq. CIPP/US, Cyber Security Consulting Practice Manager, 760-916-4477 or email vsullivan(at)eplaceinc.com.
Legal Solutions With Data Protection Built In | TheDataLawyer | Founder | Content Creator
3y
This is great Violet Sullivan, CIPP US! I’m looking forward to reading the previous articles and future ones. I would also add that retaining data privacy & cybersecurity counsel can be a tremendous resource in helping to interpret/explain these reports and make sure you have a team that can help keep these reports privileged.