Hiring an information security vendor? Use these best practices.

Companies should take great care when hiring a party that will be granted access to its most sensitive systems and data


The exponential rise in security incidents has caused many businesses to look hard at getting their own houses in order before they become the next headline. As part of those efforts, businesses are turning to security consultants to perform audits, penetration testing and other assessments of their systems. These are admirable activities, worthy of consideration by any prudent organization. But these engagements should be entered into with all the care that a business would use in any other transaction in which a third party is granted access to the company’s most sensitive systems and data. Unfortunately, this is seldom the case.

All too often, in their rush to move forward with these assessments, businesses fail to adequately address the most fundamental of contract terms. Cost overruns are common. In some instances, security consultants create more risk than they resolve.

When hiring a security consultant, businesses should consider the following best practices:

Use an RFP. If timing permits, the use of a request for proposals (RFP) process will aid the business in receiving the most creative proposals, with the best pricing and contract terms. Vendors that know they are in competition with other respondents will be far more inclined to negotiate than those that believe they already have the business.

Conduct due diligence. Whether or not an RFP is used, take the time to conduct due diligence on any prospective security vendor, including contacting former and existing clients (and not just those clients named on an approved reference list furnished by the vendor).

Negotiate as you would with any critical vendor. It is an ugly truth that most businesses simply do not negotiate their security consulting agreements with the same level of care that they apply to other critical vendor agreements. At best, this may lead to serious cost overruns. At worst, this may result in the very compromise of sensitive business data the company was trying to prevent.
