Cracking Cybersecurity Consulting: Rules of Engagement, How do we control the impact of the consultant?

Ninth article in a 12-part series on “Cracking Cybersecurity Consulting”

Certain cybersecurity projects can be invasive. For instance, take penetration testing as the most requested example. This form of testing has a goal of actually “penetrating” your network and is, by definition, an “offensive attack” on your environment.

If you are going to pay someone to break into your organization, the best practice is to establish some “ground rules.” So, whether you are doing full penetration testing, vulnerability scanning, or even just a risk assessment, rules of engagement are paramount for success.

You might be thinking, “I just signed a consulting agreement. Why can’t that govern the project parameters?” The short answer is that an agreement is generally not going to address how the project should be conducted. It will also likely not include the detail that is necessary to engage in the communication and execution protocols specific to the cybersecurity project.

What should be in your rules of engagement for a cybersecurity project?

1. Roles with contact information: You want to make sure that you can get in touch with your cybersecurity contact if anything happens during the project that needs immediate attention.

2. Communication plan: Your plan should include escalation pathways and communication tools and systems to use/follow.

3. Engagement overview: This will provide more detail than the original consulting agreement and will include specific parameters for different phases of the project.

4. Timeline: Any well-managed project will have a schedule and timeline for completion. Get your consultants to stick to a timeline by adding it into the rules of engagement that you agree on.

5. Change in scope management: Include a method to change the scope of the project and the appropriate parties who may make those decisions. Cybersecurity projects often exceed scope, and there has to be an easier way to manage that dynamic than simply “going back to the drawing board.”

All cybersecurity projects are unique, but there are many aspects to project management that help to mitigate risks involved in these technical engagements. In addition to protecting your organization, providing clarity and communication with rules of engagement makes for a better working relationship for all involved parties.

Finally, after a project is complete, the last step is to actually do something with its findings and results. Our closing articles will cover how to understand the final deliverable (client report) and continue to improve your cybersecurity program.

For more information and to discuss the consulting services that are right for your organization, contact Violet Sullivan, Esq. CIPP/US, Cyber Security Consulting Practice Manager, 760-916-4477 or email vsullivan(at)eplaceinc.com.