Security Consulting Services: What to Look for When Hiring a Consultant

If you’re considering buying information security consulting services for your business, then you need to know what to look for in a security consultant.


At some point, many managers or directors will need to consider buying information security consulting services for their company. There are a lot of security consultants to choose from, and it can be confusing to assess their relative merits, especially if you’ve had little experience with information security. But there are some general pointers that can help.


Firstly, you need to find out whether the security consulting services are backed by membership of relevant professional bodies and appropriate certifications. For example, in the UK, an information security consultant might be a member of CLAS (CESG Listed Advisor Scheme), which is run by a government body, CESG (Communications-Electronics Security Group), the UK Government’s technical authority on information security.


A CLAS membership means that the security consulting services provided are approved for data that is protectively marked up to and including the level of SECRET. CLAS membership also indicates a certain level of expertise that non-Government organisations can draw upon, even if their data is not protectively marked. In the latter case, however, CLAS membership should not be specified in any tender documents, as it might leave the tender open to challenge by non-CLAS security consultants.


Other memberships and certifications to check for are the following:


For penetration testers: either CREST (Council of Registered Ethical Security Testers), or the Tiger Scheme. Alternatively, a British company offering information security consulting services to government departments might be a member of CHECK (a UK Government scheme for IT “Health Checks”).

For security consulting services that focus on audit and compliance: CISA (Certified Information Systems Auditor) plus membership of ISACA (Information Security Audit and Compliance Association). Alternatively, chartered membership of an organisation such as the BCS (formerly known as the British Computer Society) may also indicate appropriate experience.

An information security consultant may have obtained the CISM (Certified Information Security Manager) qualification from ISACA, or perhaps the new CGEIT certification (Certified in the Governance of Enterprise IT) from the same body. Another ISACA qualification is CRISC (Certified in Risk and Information Systems Control). All these certificates relate to different emphases within information security consulting services.

The CISSP (Certified Information Systems Security Professional) qualification is widely regarded as a “gold standard” for senior professionals in the field, and is awarded by (ISC)2, the International Information Systems Security Certification Consortium. It indicates not only competence but also several years of experience in information security.


However, memberships and certification are by no means the whole story. If you are considering buying information security consulting services, then you will also need to look at track record and testimonials from past clients. In addition, the security consultant’s website may be useful, though of course any failings will not be made obvious there.


To learn more about a consultancy’s financial trustworthiness, it may help to check with the business information service Dun and Bradstreet, or perhaps Companies House (in the UK). But after carrying out all these checks, there will be no substitute for a face-to-face meeting and your own educated business instincts. In the end, only you can decide whether you would be happy to work with the people who are offering you their security advice and services.

