When you run a business that depends crucially on its technical and administrative information (and what business doesn’t?) then you’ll want to take steps to protect that data from loss or damage. One of those steps will often be to hire a computer security consultant to review your information security and suggest improvements that are aligned to your risk appetite and to best practice.
Security consulting is a unique kind of business. Like other kinds of computer consultancy, information security consultants need to be thoroughly up-to-date on industry trends and standards, and have an outstanding record of achievement for their clients. That’s taken as read. But other aspects of the information security business are less obvious, but are at least as crucial when you’re considering hiring security consultants.
You’ll be confronted by a deluge of complicated technobabble when exploring the services of various information security agencies. Step back and let it pass (forward it to your own specialists to decode if you wish), and then start asking some very different questions of the agency. Such as: “What is your view of integrity in a security contractor?” Or: “How do you ensure that your staff and freelancers are trustworthy?”
These are far from trivial questions. For example, penetration testing involves an attempt to breach your internal network’s defences, and has the potential to cause significant damage to your software and systems if carried out maliciously. For a penetration test to be performed by a security consultant with a criminal past is really not a great idea! You need to have confidence that all staff have been thoroughly vetted for criminal convictions etc., and that each computer security consultant is completely committed to values such as integrity, reliability, and discretion.
So how do you find that out? One possible indicator is membership of relevant industry bodies. For example, information security agencies in the UK may be members of CLAS (CESG Listed Advisors Scheme), while companies providing penetration testing (so-called “ethical hacking”) might also be members of CREST (Council of Registered Ethical Security Testers). Both these schemes vet the individual and the company, and require regular renewal of credentials. Freelance security testers may be members of the “Tiger Scheme”, though this does not address any company-related issues.
Another indicator is the national security clearance level of key consultants. In the UK, the basic level is SC (Security Cleared) for ad hoc access to documents marked “SECRET”, but for regular work on SECRET or access to more sensitive data the DV (Developed Vetting) level is necessary. The procedures involved in gaining clearance are rigorous and dependable, and include a check on criminal records and credit references. So you could find out the clearance level of the security consultants who will work with you, even if your project does not itself require this level of clearance.
Remember, the safety of your business data is ultimately your responsibility. It’s part of due diligence to investigate the trustworthiness of your information security consultants. Quite apart from all the technical and administrative questions that must be asked, you should also be asking these less tangible questions about integrity and values. Because, ultimately, you need to be able to trust the security consultant not to damage your critical business data: and that involves not only competence but also core values.