
How to Select a Cybersecurity Consulting Firm

As businesses and individuals have increased their digitization activities, cybercriminals have a larger attack surface on which to conduct sophisticated cyberattacks. The cost of data breaches is estimated to exceed $2 trillion in 2019, which is four times the 2015 projections. [1]

Most data breaches come from existing physical, network, and application infrastructure. In addition, emerging threats are targeting newer technologies, such as mobile, cloud, and the Internet of Things (IoT). Organizations also face risks that originate from insiders, including current and former employees, consultants, business partners, or board members. The 2019 Verizon Data Breach Investigations Report revealed that 34% of data breaches are caused by internal actors. [2]

As cyber threats rise in number and complexity, information security is essential for businesses of all sizes. Selecting a reliable and trusted cybersecurity firm is a key step towards securing your business’s information assets and digital presence. To start, the cybersecurity firm will identify your company’s assets and security needs, which can be achieved by conducting a risk assessment.

You can use the table below as a guide for identifying key security requirements and the type of service provider that addresses each one.


| Cybersecurity Requirement | Service Provider Description |
|---|---|
| Physical Security | Organizations can contract companies that offer asset protection through access control applications, surveillance (CCTV cameras), intrusion alarms, barriers, and security personnel. |
| Network Security | Network security providers that offer comprehensive assessments and penetration tests of network architecture and examine the security of local networks, intranets, and internet connections. |
| Cloud Security | Cloud providers with top-of-the-line perimeter firewalls, intrusion detection systems, event logging, encryption of data at rest and in transit, and data centers with strong physical security. |
| Mobile Security | Providers that secure your mobile infrastructure with effective mobile device management strategies, mobile communication encryption, and management of the apps used on the device. |
| IoT Security | IoT security solutions that feature endpoint protection and management, secure communications, alerts, and crisis communication. |
| Application Security | Security service providers that keep a business from deploying in-house developed or commercial applications with vulnerabilities. An expert reviews the application design, code, and development process to identify mitigations for possible exploits before and after the software goes into production. |
| Organizational Security | An auditor is brought in to review a company's overall security posture and compliance with standards, frameworks, or regulations such as SOC 2, NIST CSF, CIS 20, and GDPR. Typically the deliverables are detailed reports with certificates, policy documentation, and security awareness training. |
| Event Correlation and Response | A security operations center (SOC) collects data from application and host logs for analysis and performs relevant actions, such as sending alerts based on defined rules. SOC providers are experienced in data intelligence, fraud detection, vulnerability assessments, and digital forensics. |

Improving cybersecurity requires an organization to work with many or all of the above service providers, but that approach can be costly and ineffective. Alternatively, you can hire an experienced chief information security officer (CISO) to handle the administration and oversight of these security providers, although for many small and medium-sized businesses this is overkill. Most of the time, the sweet spot is leveraging an experienced virtual or fractional CISO consultant at a lower cost. A CISO consultant can focus on maintaining an enhanced cybersecurity vision and program for your business. This will allow you to effectively manage information technology risks, protect critical assets, and ultimately ensure business continuity.

[1] https://www.juniperresearch.com/press/press-releases/cybercrime-cost-businesses-over-2trillion-by-2019

[2] https://www.varonis.com/blog/insider-threats/
