Your first referral vendor might blow you away with their credibility, professionalism, and knowledge of your project’s subject matter. So why not just call them up and begin moving forward? That could work out, but you will have lost out on additional opportunities for value and security that even just a small amount of further due diligence could yield.

Speaking from experience, cybersecurity consultants are used to being compared to one another and are often competing for projects of all sizes. Our company has been asked multiple times for a proposal just to compare to a different proposal already obtained by the prospective client.

Asking for a second or third proposal can be helpful for multiple reasons:

New perspective. After receiving a project outline from one consulting company, it’s a good idea to check their project approach against the methodologies of other competitors. If the competing companies are doing things totally different, then it’s likely the initial company is not as reliably experienced. But even if the differences are reasonable, this gives you more to ask about the technical testing process. Questions such as “Why are you doing it this way?” and “How would you feel about approaching it in this other way?” amplify your position as a prospective client and ensure that you get the most comprehensive service available. Plus, comparing companies helps to determine which consulting group has a better understanding of your project’s subject matter. Well-informed cybersecurity consultants will be able to explain their reasons for going about a project in their recommended manner.

Better pricing. Sometimes, but not always, competition among vendors can lead to a better price. Cybersecurity consulting has sometimes been a “race to the bottom,” and comparing projects from multiple sources can help drive down the price of even the most qualified vendors in the business.

Better referral. Check to see if you received a discount for this project from your cyber insurance. Many cyber insurance carriers have certain cybersecurity companies that offer a discounted rate for their insureds. Using a referral from your cyber insurer might even provide an argument for a lower premium the following policy year. You are, after all, working on becoming a “better risk.”

Different credibility. Every team member of a cyber vendor has a different level of expertise and experience. So, if you have only talked with business development leads, for example, then ask to speak to the people who will actually be performing the technical work. Request to see the bios, certifications, and backgrounds for the technical project leaders. Certain work should be done by high-level experts, but some things like vulnerability scanning just require the right tools and, therefore, don’t need to be managed by the most expensive experts.

Better industry experience. Cybersecurity consultants often find their niche of industry work, whether it be healthcare, financial services, or another sector. You should ask for referrals from others in your same industry or sector. Experience here can really help get the most out of the project you are considering.

Once you have gathered multiple proposals, you have options to present to your organization’s security committee and/or senior leadership. With multiple potential partners, you are more informed as to the project parameters and have a better idea of the pros and cons of working with either party. The next step might actually come before you make the choice between vendors, so follow along in our next article: “How do we properly ‘vet’ the consulting vendor?”