How To Engage a Security Services Firm

An enterprise aiming for airtight information security typically establishes data protection policies, installs layers of technology insulation and trains employees to be on guard.

But even an organization sophisticated in the ways of security may bring in an outsider to review its measures. Specialized consultants perform assessments that aim to identify weaknesses in customers’ security approaches. In some cases, industry regulations may require these third-party assessments, sometimes referred to as security audits. In other cases, I.T. managers just want another pair of eyes to check the company’s security posture.

“Nobody is good at finding their own typos,” says Johannes Ullrich, chief research officer at the Bethesda, Md.-based SANS Institute, which provides information security training and teaches security auditing. “It’s the same thing with network design and writing code. You expect it to work in certain ways, and you may not find the holes in-house.”

Gartner predicts that the North American security consulting market will reach $3.39 billion in 2010, up from $2.56 billion in 2006. The research firm pegs the market’s compound annual growth rate at 7.5%.

“A significant driver for network, host and application assessments, vulnerability scanning, [penetration] testing and audits is regulatory compliance,” says Kelly Kavanagh, Gartner’s lead analyst on security services.

When hiring a security services firm, enterprises must exercise considerable due diligence and carefully define the scope of the project, according to security managers and industry experts who recommend the following four steps for picking and working with security services firms.