Cybersecurity consulting services are growing rapidly. This makes sense as cyberattacks and data breaches continue to rise. Existing companies and new start-ups alike are in a rapid race to solve, mitigate, and prevent cybersecurity incidents from occurring in the first place.

Cybersecurity consulting can range from simple one-time cyber risk assessments to fully-managed security services. Consultants can also range in size and scope from a one-person shop or a team of credentialed security experts from one of the “Big Four” in the consulting industry.

No matter where you seek help for your cybersecurity projects, the trouble with these highly technical services is that you usually need someone just as technical on your side of the collaboration to help interpret a project’s results. The services rendered are usually highly technical, and some translation is often necessary in order to provide senior management and the board of directors with understandable results.

On behalf of ePlace’s cybersecurity consulting practice, I will begin publishing a series of consulting papers to help “lift the veil” on these issues to give organizations a clear view of the cyber projects they are paying for. While some consultants may not wish to openly share various tools of the trade, we at ePlace think clients deserve total transparency within this growing industry of cybersecurity consulting services.

Let us begin with the following questions we receive most often:

·        How do we pick a reputable cybersecurity consultant?

·        How do we align on the project scope?

·        When do you need a second opinion?

·        How do we properly “vet” the consulting vendor?

·        How do we negotiate the best price for the project?

·        How do we protect ourselves throughout the consulting agreement?

·        How do we protect ourselves from potential security exposure?

·        Rules of Engagement: How do we control the impact of the consultant?

·        How do we understand the final deliverable?

·        How do we take the consulting report and put it to use?

·        How do we continuously improve your cybersecurity program?

I will review each of these questions in more detail and give you tips for working with your third-party cybersecurity consultant. Since I am a cybersecurity consultant, myself, my goal is to answer all of these questions and more to provide you with an objective overview and resources for those embarking on engaging a cybersecurity consultant.