Cyber security is one of those industries that usually has too much or too little attention paid to it. When a company is in the middle of a cyber security incident, all eyes and ears are on the cyber security team. When a data breach is nowhere to be found, security solutions are often seen as a hindrance to productivity rather than a benefit to the organization.
I really wish that information security had a more even keel, but it isn’t meant to be. A strong security team takes a swimming-duck approach to the information systems they protect: look calm above the water, but paddle like mad below the surface. Changing security architectures or systems involves a lot of work behind the scenes, but the impact to the day-to-day operations of the business should be minimal. This is where a cybersecurity consultant can add so much value.
Cyber security consultants take many forms. Entry-level individuals are strong individual contributors. Mid-level consultants normally have a bachelor’s degree and a deep knowledge of security threats. CISO-level consultants have over a decade of experience in a wide variety of industries and technologies.
The best time to bring in a cyber security consultant is BEFORE a cyber incident forces the need for their expertise. Incident response is much more expensive than proactive cyber security consulting. Consider a consultant when your company is expanding your infrastructure to include cloud computing or when the information technology stack that your company uses undergoes a change. Another example where a consultant makes sense is when your company develops a need for technical skills that do not exist in your team.
Entry level cyber security professionals are especially helpful to deploy security solutions for your desktops and laptops. They are also strong candidates to develop a patching program for your applications and operating systems, or to develop reporting to gauge your cyber security program’s effectiveness. Entry level cyber security consultants can also manage a monthly email phishing campaign to improve your company’s cyber security awareness training program.
Mid-level consultants will bring more specialized expertise to the table. Skills such as penetration testing, firewall configuration, and information security architecture come into play. Mid-level consultants may also have expertise in a particular application or security system such as Azure365, Splunk, or Microsoft Active Directory. Depending on the demand for and rarity of a certain skill set, the cost for these consultants can vary widely.
CISO (Chief Information Security Officer) level consultants bring leadership experience and soft skills to an organization. They will help an organization manage their cyber security risk relative to other risks that the organization faces. A CISO can help influence the culture of an organization to adopt better cyber security behaviors. A CISO consultant needs to be vendor and technology agnostic in order to do their job properly.
There are many, many companies that claim to offer part-time CISO (or “virtual CISO”, sometimes shortened to vCISO) services. For most of these vCISOs, the company they work for sells cyber security products. These are not CISO consultants. These are pre-sales engineers pretending to be CISO consultants. Be aware of the business model of the cyber security consulting company you engage.
The cost of cyber security consultants is almost always higher on an hourly basis than having an employee performing the same work. That being said, consultants bring a number of advantages and some disadvantages relative to an employee.
On the plus side, a consultant will have more breadth of experience in different companies and industries than an employee will. They will also bring more experience with handling technology transitions. Employees often need to focus on “keeping the lights on”, whereas consultants are more adept in handling change.
As potential negatives, consultants need to come up to speed on your organization’s technology and culture. They may not understand the history of projects that have worked well and those that have fallen short in the past. Consultants do not have the same incentive an employee does to adapt their work style to your organization’s work style. Consultants have an expectation that they will move on to other challenges at other companies in the future, whereas employees do not.
When choosing a consultant, most companies quickly determine the technical skill set they need. For some projects, this is a reasonable approach. For most projects, this is only a small piece of what should be considered. The cultural fit of a consultant with your organization’s existing teams will make or break the success of a given engagement.
Knowing the cultural norms of a company, an industry and of a country are all pivotal to a successful consulting engagement. I have personally witnessed consultants do a stellar job in the United States but struggle in Japan.
The ability for a consultant to be flexible to the changing needs of a project or the changing threat landscape that they are defending against is critical. When a change in company leadership occurs, the goals of a given consulting engagement may change. When a change in the top security threats of a company occurs, the goals of the consultant must change with them. So be it. A strong consultant is able to adapt to these changes and still deliver value to your organization.
BRYCE AUSTIN, CEO, TCE Strategy
Cyber Security Expert, Best Selling Author
Bryce Austin started his technology career on a Commodore 64 computer and a cassette tape drive. Today he is a leading voice on technology and cyber security. Bryce holds a CISM certification and is an internationally recognized professional speaker.
With over 20 years as a technology leader, Bryce advises the boards of companies in a diverse array of industries. He is the named CISO for many companies, including one in the S&P 500.
Bryce’s best-selling book is titled Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives.
In his free time, Bryce is a high-speed auto racer and coach. He has driven cars from a 65 horsepower Mini Cooper to a 650 horsepower Porsche 911 Turbo. He has had over 100 students, none of whom have died while under his instruction.