How To Engage a Security Services Firm

By John Moore

An outside consultant can bring fresh insights on a company's security practices. Make sure you establish ground rules first.

An enterprise aiming for airtight information security typically establishes data protection policies, installs layers of technology insulation and trains employees to be on guard.

But even an organization sophisticated in the ways of security may bring in an outsider to review its measures. Specialized consultants perform assessments that aim to identify weaknesses in customers' security approaches. In some cases, industry regulations may require these third-party assessments, sometimes referred to as security audits. In other cases, I.T. managers just want another pair of eyes to check the company's security posture.

"Nobody is good at finding their own typos," says Johannes Ullrich, chief research officer at the Bethesda, Md.-based SANS Institute, which provides information security training and teaches security auditing. "It's the same thing with network design and writing code. You expect it to work in certain ways, and you may not find the holes in-house."

Gartner predicts that the North American security consulting market will reach $3.39 billion in 2010, up from $2.56 billion in 2006. The research firm pegs the market's compound annual growth rate at 7.5%.

"A significant driver for network, host and application assessments, vulnerability scanning, [penetration] testing and audits is regulatory compliance," says Kelly Kavanagh, Gartner's lead analyst on security services.

When hiring a security services firm, enterprises must exercise considerable due diligence and carefully define the scope of the project, according to security managers and industry experts who recommend the following four steps for picking and working with security services firms.

This article was originally published on 2007-03-09
John writes the Contract Watch column and his own column for the Channel Insider.

John has covered the information-technology industry for 15 years, focusing on government issues, systems integrators, resellers and channel activities. Prior to working with Channel Insider, he was an editor at Smart Partner, and a department editor at Federal Computer Week, a newspaper covering federal information technology. At Federal Computer Week, John covered federal contractors and compiled the publication's annual ranking of the market's top 25 integrators. John also was a senior editor in the Washington, D.C., bureau of Computer Systems News.

