HOW AND WHEN TO USE AN IT SECURITY CONSULTANT

Source: E-Security Today
Posted on July 2, 2001

No one has escaped the "softening" of the economy; most industry sectors have been affected. Not surprisingly, however, the security industry - although it certainly has taken a hit - seems to be holding its own. After all, technology is still big business, and organizations are increasingly concerned about the security of both their internal and external applications and e-business initiatives.

But it's not always practical to accomplish all of your security objectives with in-house personnel. In fact, according to a "Smart Security" survey conducted last year by Smart Reseller magazine, more than 25% of solutions providers received at least one security-related call per week. And more than 60% received calls from customers looking for security help at least once a month.

According to Eran Feigenbaum, senior manager in the security integration practice with PriceWaterhouseCoopers, there are many things to consider when investigating and selecting a security consultant for your project.

"Security engagements generally fall into two categories," said Feigenbaum. "Customers need an assessment of security vulnerabilities or an actual implementation."

Attacks and penetration of corporate networks, security reviews and vulnerability assessments top the list. Implementation assignments typically focus on PKI implementations, IDS or single sign-on. Firewalls and antivirus software have become more commoditized products and are no longer at the top of the customer list for consulting needs.

The motivations for using consultants on e-business engagements that require strong security are that the consultant has specialized skills with products in the arena, that the consultant can provide an impartial and objective assessment of the customer's needs, and that consulting is a cost-effective method of getting security solutions installed. In addition, you can hold the consulting organization accountable, for the most part, for the results.

So what do you look for when selecting a security consultant? Feigenbaum cites a number of important criteria.

"The relationship with the customer is vital," says Feigenbaum. "Many large organizations have engaged with consulting organizations previously, and there's a rapport and trust that's developed that can't be discounted. You want a win-win relationship, with mutual respect and the ability to be honest, but yet accountable."

In addition, it's extremely important that you research the specific capabilities of the consultant. They should have customer references that have contracted with the organization for similar implementations. Ask specific questions about how the consultant will scope the project, standards, knowledge transfer and resource changeover when the project is complete. Depending on the implementation, your infrastructure could be significantly affected, so buttoned-up project management by the consultant is critical.

"It's possible that you can negotiate timeline penalties with your consultant in order to provide a 'guarantee' of sorts that the project will be completed on budget and on-time," comments Feigenbaum. "In addition, the consultant may propose the flip side: a bonus for completing the project on, or before, the deadline and below budget."

"Of course, there are many things that should be red flags in looking for a security consultant," reports Bob Pritchard, RSA Security vice president of corporate development and partner marketing. "Don't always look for the integrator with the lowest project bid. Pay close attention to the compendium of experience of the consultant. And make sure they have taken the time to understand your business and your requirements."

If the accountability between client and consultant is kept at a high level, the project scoping and tracking remains tight, and there are clear objectives and assumptions, using a consultant for your most important e-security implementations can result in a successful, and possibly long-term, partnership.

E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.