Cracking Cybersecurity Consulting: When do you need a second opinion?
Fourth article in a 12-part series on “Cracking Cybersecurity Consulting”
Your first referral vendor might blow you away with their credibility, professionalism, and knowledge of your project’s subject matter. So why not just call them up and begin moving forward? That could work out, but you will have lost out on additional opportunities for value and security that even just a small amount of further due diligence could yield.
Speaking from experience, cybersecurity consultants are used to being compared to one another and are often competing for projects of all sizes. Our company has been asked multiple times for a proposal just to compare to a different proposal already obtained by the prospective client.
Asking for a second or third proposal can be helpful for multiple reasons:
New perspective. After receiving a project outline from one consulting company, check its approach against the methodologies of competing firms. If the competitors propose something totally different, treat that as a signal to dig deeper rather than assume the first company's approach is the right one. Even when the differences are reasonable, they give you more to ask about the technical testing process. Questions such as "Why are you doing it this way?" and "How would you feel about approaching it in this other way?" strengthen your position as a prospective client and help ensure you get the most comprehensive service available. Comparing companies also shows which consulting group has the better understanding of your project's subject matter. Well-informed cybersecurity consultants will be able to explain why they recommend going about a project in a particular manner.
Better pricing. Sometimes, but not always, competition among vendors leads to a better price. Cybersecurity consulting has at times been a "race to the bottom," and comparing proposals from multiple sources can help drive down the price of even the most qualified vendors in the business.
Better referral. Check whether your cyber insurance carrier offers a discount for this project. Many cyber insurance carriers partner with specific cybersecurity companies that offer a discounted rate to their insureds. Using a referral from your cyber insurer might also give you an argument for a lower premium the following policy year. You are, after all, working on becoming a "better risk."
Different credibility. Every team member of a cyber vendor has a different level of expertise and experience. So, if you have only talked with business development leads, for example, ask to speak to the people who will actually be performing the technical work. Request the bios, certifications, and backgrounds of the technical project leaders. Certain work should be done by high-level experts, but some tasks, like automated vulnerability scanning, mainly require the right tools and therefore don't need to be run by the most expensive experts. Even then, interpreting and validating the scan results still benefits from experienced review, so ask who does that part.
Better industry experience. Cybersecurity consultants often find a niche, whether it be healthcare, financial services, or another sector. Ask each vendor for references from past clients in your own industry or sector. Relevant industry experience can really help you get the most out of the project you are considering.
Once you have gathered multiple proposals, you have options to present to your organization's security committee and/or senior leadership. With multiple potential partners in view, you are better informed about the project parameters and have a clearer picture of the pros and cons of working with each vendor. The next step might actually come before you choose between vendors, so follow along in our next article: "How do we properly 'vet' the consulting vendor?"
For more information and to discuss the consulting services that are right for your organization, contact Violet Sullivan, Esq. CIPP/US, Cyber Security Consulting Practice Manager, 760-916-4477 or email vsullivan(at)eplaceinc.com.
Director at the Texas Opportunity & Justice Incubator (TOJI)
Very excited to read each of these new installments from your series Violet!
A 2nd opinion from a hacker's perspective would always be helpful.
Litigation Management Expert. Providing Tools and Strategies for Litigation via Early Case Assessments, Decision Tree Analysis, and Crowdsourcing Juror Opinions. All opinions are my own.
Good article! Even if the proposals were identical in methodology and price, having more than one choice means the vendors are more likely to compete and offer something extra (like a discount).
Florida Supreme Court Certified Circuit and Appellate Mediator
Good article. Strangely enough, this should be common sense. We always suggest getting second opinions for medical procedures, we "shop around" for various types of insurance (auto, health, life, etc.), and yet sometimes people get sucked in with the first offer. Absolutely you should shop around. That doesn't mean the first person you speak to isn't credible, it just means there are (potentially) different perspectives. Always remember the consultant/salesperson you are speaking to has one primary goal: make the sale to you. It's your responsibility to be educated. This article, written by a brilliant cyber security expert, could translate to almost anything on the market. "You should always get a second opinion when shopping for ______________." That being said, if Violet tells you something, write it down. It's like the old commercial "my broker is EF Hutton, and EF Hutton said..."
CISO | Board Member | AIML Security | CIS & MITRE ATT&CK | OWASP Top 10 for LLM Core Team Member | Incident Response |
Great article! I hadn't considered the opportunity for better pricing.