How To Engage a Security Services Firm - ' Use caution when choosing '

Use caution when choosing a firm

When it's time to evaluate vendors, the most fundamental attribute is integrity. After all, the company hired to perform the assessment will be gaining keen insights into an organization's security mechanisms.

"First and foremost, are they reputable?" asks Dave Morrow, chief security and privacy officer at Electronic Data Systems, which occasionally hires outsiders to perform penetration tests, security assessments and vendor-specific technical consulting and also serves as a security adviser to customers. "You want to make sure whoever it is, is totally trustworthy."

To determine a vendor's trustworthiness, check its customer references and track record. Obtaining references can be tough, however, because assessment customers may be guarded about disclosing security issues. But ultimately, I.T. peer networks drive much of the business. A technology manager may ask his or her counterpart at a business partner for the name of a reputable security auditor.

The ADP/SIS division of Automatic Data Processing's Brokerage Services Group based its decision to hire BSI Americas, in part, on the word of another consultant retained to advise ADP/SIS on a security certification project, says Lisa Carpenter, lead information security specialist at ADP/SIS.

BSI Americas, based in Reston, Va., is a testing and certification firm that offers security assessment services. Carpenter's past experience also played a role: She had previously worked in the aerospace industry, in which a number of firms use BSI.

"A lot of the audit work we get is through word-of-mouth and recommendations," adds Jennifer Mack, product management director at Cybertrust, an information security firm in Herndon, Va.

A buyer should consider whether the vendor has experience within its industry and has dealt with customers with a similarly sized technical infrastructure. "Match the size of your network and industry to the kind of consultant you hire," SANS' Ullrich advises.

Industry alignment is important because some sectors have specialized auditing requirements. That's the case for the Payment Card Industry Security Standards Council's data security standard, which establishes guidelines for retailers' handling of credit card data. Among other things, the standard calls for the transmission of card-holder data across public networks using encryption techniques such as Secure Sockets Layer and Point-to-Point Tunneling Protocol.

Another important factor: the vendor's deliverables. The report that emerges as the end product of a security assessment can range from sketchy to highly detailed.

"We look at the quality of the report they actually give you," says Eric Guerrino, head of information security at the Bank of New York. "Some vendors will provide you a report of findings—we tested the application using these methods and found these issues. Other vendors will actually highlight where in the code they detected the issue, and go a step further and recommend how the application team should resolve that issue."

Customers may request a sample report to get a sense of what the deliverable will look like beforehand. Jeff Cassidy, vice president of business development at Core Security, a Boston-based company that provides penetration testing tools and services, says most requests for proposals he receives call for vendors to provide an example of what the deliverable will look like. A vendor might include a sample report on a fictitious company to give customers a flavor for what the report will entail. Or the vendor might offer an outline with subject headings describing the main parts of the report.

A sample report from ERE Information Security Auditors, a Toronto security auditing firm, includes an executive summary, risk assessment and cost justification, project scope, and findings and recommendations. The report also has a task list based on a client's vulnerabilities.

According to Cassidy, customers consider these report examples "a pretty important piece of the evaluation process."