Cracking Cybersecurity Consulting: How do we properly “vet” the consulting vendor?

Fifth article in a 12-part series on “Cracking Cybersecurity Consulting”

With multiple vendors to choose from, you have an important job to do. You have to ask the difficult questions before accepting a new vendor into your vendor management program. “Vendor management program?” you ask. “Who has time for that?” Well, a vital part of having a secure environment includes making sure that you properly screen all vendors that have access to your systems and networks. A vendor being hired to assess your cybersecurity should certainly be no exception to that practice.

The questions that you ask your vendors should meet a basic security objective for your organization. Don’t just fire off a 100-question vendor questionnaire without aligning it with your security goals.

Here are a few example questions that can help to determine if your vendor has the appropriate policies, procedures, and technologies to meet your expectations:

1) Do you have a plan in place to restore access to data in the event of a business disruption?

2) Do you test your business continuity and disaster recovery plans on at least an annual basis?

3) Will the anticipated services require your company to collect or handle sensitive business information belonging to our organization or personal information of our organization’s customers, employees, or other stakeholders?

4) Does your organization have policies and procedures in place to ensure compliance with all applicable laws, regulations, industry standards, and contractual obligations?

5) Does your company carry insurance coverage with appropriate limits for the anticipated services?

6) Does your company have a comprehensive, written Information Security Program in place?

The final (and, likely, most challenging) question would be to ask whether this company would be open to a third-party audit. While making that inquiry may be beyond the scope of your project, it is still a good question for gauging how transparent the company plans to be with you.

We have dozens of other example questions to ask, but there is no need to list all of them here in this article. You just want to be sure to ask the relevant questions of anyone that would be investigating your data or important systems. Such due diligence is proper for any new third party you engage and for any service. You have the right to properly interrogate a vendor before you pay them money to take a deep dive and “look under the hood” of your organization.

When you feel confident that you have chosen the right vendor for your project, this is an opportune time to revisit the cost of the project. Look for my next article on negotiating pricing before you sign on the dotted line.


For more information and to discuss the consulting services that are right for your organization, contact Violet Sullivan, Esq. CIPP/US, Cyber Security Consulting Practice Manager, 760-916-4477 or email vsullivan(at)eplaceinc.com.

Tom Franzen, CIC, ARM, ARM-P, MLIS

Risk Management / Insurance Education & Consulting

3y

Certainly a hot topic and at the top of my risk register. Thanks, Violet; I always look forward to reading your information.
