

What to Consider When Selecting a Cyber Security Firm

06 July 2016

Academia, Financial Services, Healthcare, IT Security, Non-Profit, Risk Management

There were more than 60,000 data security incidents across a wide range of industries in 2015, according to the Verizon 2016 Data Breach Investigations Report. The rapid increase in such incidents and breaches has pushed the protection of sensitive data to the top of organizations' priority lists. Very few companies possess the in-house security expertise needed to address security fully across the three pillars of cyber security, and even those that do often need to supplement that in-house know-how with external cyber security expertise. Cyber security resembles the medical field in this respect: nobody assumes that an orthopedic specialist is also an expert heart surgeon. It is a broad and complex field made up of distinct specialties, each with its own skillsets, tools and expertise.

When an organization decides to hire a cyber security consulting partner, it must weigh several factors to ensure it contracts a long-term partner with the knowledge, experience and tools necessary to provide comprehensive, practical security solutions. Such factors include the following:

  1. Primary focus on cyber security: The firm must do this across all three pillars—not just an add-on to other services, such as information technology, legal and accounting;
  2. Enterprise risk-management approach: A holistic, strategic approach with a focus that goes beyond technology;
  3. 100%-vendor agnostic: The firm must not have existing business relationships with hardware and/or software vendor(s) that could represent a conflict of interest (if they’re not vendor-agnostic, their advice will likely be biased);
  4. Customizable service offerings: The firm must offer services that can be tailored to your organizational environment and needs—not a one-size-fits-all approach;
  5. Long-term-relationship focus: The firm must invest the time to learn your organization’s unique needs (irrespective of how similar organizations look on paper);
  6. Specialized insurance coverage: Technology errors and omissions insurance that specifically addresses security and privacy consulting;
  7. Diverse client base: This enables you to leverage the experiences and lessons of other firms; and
  8. Mix of government and commercial experience: This enables you to benefit from government and commercial cyber security best practices.

To ensure you hire a firm with the appropriate objectivity, experience, knowledge and tools, investigate all of the factors listed above before selecting a cyber security partner. Many firms have jumped on the cyber security consulting bandwagon, trying to capitalize on the media's data-breach hysteria.

Effectively protecting your data is not a one-time initiative but an ongoing risk-management process. You must therefore ensure that the cyber security consulting firm you select is a viable long-term partner.

Don't allow the complexity and scope of cyber security to prevent your organization from implementing an enterprise risk-management-based approach. COMPASS provides a practical yet comprehensive approach to cyber security. To learn more about our approach and how we can help protect your organization, please contact us.
