If you think that your network administrators, developers, and other IT personnel are providing cybersecurity and compliance expertise, I have some news for you: the vast majority of them aren’t. But that’s okay, because IT and cybersecurity are two different realms. There’s a difference between keeping your network systems operating and doing it securely.
You should never expect your IT staff to provide security expertise, just as you wouldn’t expect a payroll officer to provide accounting services. But you sure as hell better get a cybersecurity expert into your company — and without delay.
Many organizations realize at the worst possible moment that they don’t have the right staff to keep their systems secure. You’re humming along, doing your day-to-day operations, then it’s suddenly holy crap emergency mode. A client you can’t afford to lose is ready to walk away because you don’t meet their security requirements.
Or you have a game-changing opportunity, but you don’t meet the compliance standards and you’re out of the running.
Or, worst-case scenario, your helpdesk phone tree is suddenly lit up like a Christmas tree because your company ended up with its name in lights on Google with a very public breach.
Filling the Security Expertise Gap
If you’re proactive, you have the opportunity to close this gap and get issues resolved before you have a holy crap moment. Hire a security and compliance expert who can help you meet the security demands of your business as your company’s needs evolve.
Unfortunately, hiring a full-time cybersecurity professional may not be as simple as you’d expect. The demand for security experts is expanding at an enormous rate, but the number of people in the field isn’t keeping pace. The cybersecurity skills gap is widening every day.
As a result, internal security experts come at a premium price. You can expect to hire a single well-qualified security expert at two or three times the rate of average IT staff.
Another option is to hire a cheap security person who is fresh out of college and still learning on the job. While you can save money up front, you’ll still be spending at least as much on a full-time resource, but getting less expertise. In the end, you’re overpaying while getting less protection for your company.
There is another option: hire a security and compliance consulting firm.
The Ongoing Value of a Security Consulting Firm
A security and compliance firm can provide assistance on a fractional basis. With a fractional security consultant, you get the full expertise you need at an affordable cost.
A fractional consulting firm can help you understand your current requirements for security and compliance, identify the gaps, provide sound guidance for remediation, and advise you on how to move forward proactively.
They can also help you find various vendors (including Assessors) who are easy to work with and do a good job on their engagements.
Chances are, you don’t need a full-time security and compliance consultant, but you will need security services throughout the year, especially as your organization transitions into an operational compliance mode. A fractional appointment is an ideal arrangement, because it gives you access when you need it, at a price point you can swallow.
What to Expect with a Fractional Security Consultant
In general, your fractional security consulting engagement could operate in one of two ways.
Limited term engagement
In a limited term engagement, the security expert comes in, evaluates where your company stands, provides a series of recommendations, and walks away. I would not recommend that arrangement. While you can save costs by implementing the changes on your own and moving on, the consultant’s evaluation is only good as of that exact moment in time.
What happens when you add a new service, change hosting locations, or suddenly need to change vendors? What if a major client comes to you with new security compliance certifications that you need to meet? No business is static, and your security and compliance profile will continually need to evolve along with your business.
Long term, you’ll be spending a lot more money (and wasting more time) calling in consultants to do more evaluations.
Ongoing engagement
Instead, hire a consultant who will go in and do that initial assessment and provide recommendations, but who will also stick around to be part of the solution. Look for a fractional compliance consultant who will help you resolve your issues and offer ongoing, proactive expertise as your operations evolve.
An ongoing fractional security consultant can:
- Provide an ongoing presence to answer questions and help resolve issues
- Conduct internal audits
- Assist with changes and modifications
- Help you prepare for annual audits
- Come alongside you during your audits
- Offer ongoing guidance as new issues arise
- Provide peace of mind that you’re continually staying on top of security and compliance issues
A long-term partner also knows your company intimately enough to provide you with customized expertise that meets your organization’s specific needs. Think of it like an accountant who knows your organization, your company’s goals, and your business structure. Their proactive consulting can keep you out of messy situations well before they occur.
What to Look for in a Security Consulting Firm
As with any important role, you need to hire for the right fit and not just for the right skills. There are plenty of security and compliance consultants who have adequate experience, but you need someone who understands your business and fits your organization.
Look for someone who has been in this space for years and has been battle tested. Even if you only have one or two security standards to comply with now, choose a consultant who has experience with a wide variety of certifications. It can also be helpful to hire someone with experience in a wide range of industries.
Ask colleagues and contacts for consultant referrals. Also ask them for any lessons learned in their own work with consultants — what to look out for, and what questions to ask during the vetting process. Security and compliance isn’t a one-time thing. Just because you’re secure today, that doesn’t mean you’ll be secure a month from now — even tomorrow is up for grabs.
Protect Your Company for the Long Haul
You wouldn’t leave your company’s accounting health to your internal payroll personnel — don’t leave your security to internal IT personnel either. Retain the expertise you need to set your company on a solid footing for ongoing cybersecurity protection.
TCT provides compliance consulting services, and we can recommend consultants who are at the forefront of the industry. Don’t go another day without the peace of mind that your company is in good hands. Let’s talk about your compliance consulting needs.