The Questions to Ask When Hiring a Security Consultant

SMBs are vulnerable, and without an in-house team, you need to hire the necessary help. These questions will help you find the best fit for your business.

If you can’t afford an in-house IT security team, you have to look outside to find the support you need. However, if you lack IT security skills or knowledge, it can be hard to determine who is the best fit for your business’s needs and who is not.

We asked a range of cybersecurity professionals to share the most important questions for small businesses to ask potential IT security consultants. Keep them in mind as you consider your options.

Don’t miss Part 1 and Part 2 of our Cyber Threat Intelligence series, created to help you strengthen your approach.

Are you up-to-date with cloud, IoT and mobile technologies and the latest technology advancements?

Carl Mazzanti, Co-founder and VP, CISSP, QIRR, eMazzanti Technologies

“Information technology is changing daily. Cloud services and Internet of Things (IoT) options and devices provide exciting opportunities for moving the business forward but also pose new security risks. If they don’t keep up with the latest technologies, you may end up with an inadequate solution,” suggests Mazzanti. One way to check: what certifications do their team members hold? Advanced and specialized certs suggest they’re up-to-date.

Is the team that’s conducting testing against our systems doing so from their home office? Are they full-time employees of the service provider?

Dr. Wesley McGrew, Director of Cyber Operations, HORNE Cyber

“Those that do security work, especially offense-oriented testing, potentially have access to the most sensitive data within your organization, and can represent an operational security (OPSEC) risk if they are not full-time staff working from a controlled and secure facility,” explains McGrew. In our increasingly mobile world, this is a relevant question that may not be obvious to ask about.

How do you plan to layer defenses and man them with experienced technical folk?

Steve Bassi, CEO and Co-Founder, PolySwarm

“A good provider here will provide tools that automate the detection of attackers on employees’ machines and across servers. Good examples of this are tools like Carbon Black, which does something very simple: if it sees an application executed that has never been seen before in the enterprise, it reports it,” explains Bassi.

However, that’s just one layer of defense. Bassi suggests that a good service provider will analyze all foreign applications to see if they look malicious. (PolySwarm is working on this part of the equation.)

If the application is malicious, then what? Well, hopefully the service provider has an incident response plan and team that can execute on things like:

Block network connections from the malicious application at the perimeter (firewall)

Look for other infections via other vectors using other defensive tools (e.g. enterprise-wide log searches)

Coordinate with the business to evict the attacker from the network.
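As an added illustration of the detection layer Bassi describes (alert on an executable never seen before in the enterprise) and of the enterprise-wide log search in the response steps above, here is example code written for this article, not Carbon Black’s or PolySwarm’s; the telemetry records, hostnames, paths and hashes are constructed placeholders:

```python
# Added example (not from the article or any vendor): a minimal "first-seen
# executable" detector over constructed process-execution records, followed by
# an enterprise-wide search for the same binary on other hosts (IR scoping).
from collections import defaultdict

# Constructed sample telemetry: (timestamp, host, image_path, sha256_prefix).
# Hash values are placeholders, not real file hashes.
BASELINE = [
    ("2024-01-02T09:00:00Z", "ws-01", r"C:\Windows\explorer.exe", "aaaa1111"),
    ("2024-01-02T09:05:00Z", "ws-02", r"C:\Program Files\Office\winword.exe", "bbbb2222"),
    ("2024-01-02T09:06:00Z", "ws-03", r"C:\Windows\explorer.exe", "aaaa1111"),
]
TODAY = [
    ("2024-01-03T10:00:00Z", "ws-02", r"C:\Windows\explorer.exe", "aaaa1111"),
    ("2024-01-03T10:02:00Z", "ws-02", r"C:\Users\jdoe\AppData\Local\Temp\inv0ice.exe", "cccc3333"),
    ("2024-01-03T10:30:00Z", "ws-05", r"C:\Users\asmith\Downloads\inv0ice.exe", "cccc3333"),
    ("2024-01-03T11:00:00Z", "ws-01", r"C:\Program Files\Office\winword.exe", "bbbb2222"),
]

def build_baseline(records):
    """Set of executable hashes already observed in the enterprise."""
    return {sha for _, _, _, sha in records}

def first_seen(records, known):
    """Report each hash the first time it appears outside the baseline.
    Returns a list of (timestamp, host, path, sha) alerts; later executions of
    the same hash are not re-alerted, mirroring the 'never seen before' rule."""
    alerts, seen = [], set(known)
    for ts, host, path, sha in records:
        if sha not in seen:
            seen.add(sha)
            alerts.append((ts, host, path, sha))
    return alerts

def hosts_running(records, sha):
    """Enterprise-wide search: which hosts executed a given hash, and from where."""
    hits = defaultdict(list)
    for _, host, path, h in records:
        if h == sha:
            hits[host].append(path)
    return dict(hits)

if __name__ == "__main__":
    known = build_baseline(BASELINE)
    for ts, host, path, sha in first_seen(TODAY, known):
        print(f"NEW EXECUTABLE {ts} {host} {path} sha256={sha}")
        for h, paths in hosts_running(BASELINE + TODAY, sha).items():
            print(f"  also executed on {h}: {paths}")
```

A real deployment would key the baseline on a full file hash plus signer information rather than a prefix, and would age the baseline so that a one-off execution does not become permanently "known".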

Find out why you might want to plug into the PolySwarm network as a small business.

What level of security do you think I need?

John C. Ahlberg, CEO, Waident Technology Solutions

“The hope is that the consultant will say they do not know and can help with doing what is best for the client and not push complex security on anyone who does not need it,” says Ahlberg. Why? He continues, “All companies need/want different levels of security and have different needs. There is no one size fits all — ever. A finance firm that is audited by the government or a third party has different security needs than a local manufacturing firm.”

How can you keep us from shooting ourselves in the foot?

Cody Swann, CEO, Gunner Technology

Your employees are often the greatest vulnerability in a business, especially an SMB. “A good security consultant will love getting that question and have a range of answers that vary depending on the client’s willingness to trade convenience for security,” suggests Cody.

Are you training your employees? It may be time for a security training audit.

Can we get ransomware? If so, why or why not? If we do get ransomware, how will you get us recovered?

Oli Thordarson, CEO, Alvaka Networks

While the right answer is “Yes, we can get ransomware,” the answer you’re looking for explains “what tools and techniques they are using to protect your firm from ransomware,” suggests Thordarson. He explains that they should be telling you that they:

Filter and scan all incoming e-mail

Use a content filtering service such as OpenDNS

Employ link reputation checking techniques

Block certain file types in e-mail attachments

Educate your user community on safe and dangerous computer use practices

And that they have a rock-solid backup and disaster recovery plan that they can both explain in great detail and demonstrate in operation.

Interested in giving your IT security the support it needs? Sign up to be the first to know when you can plug into the PolySwarm network, giving you access to cybersecurity ambassadors and a global network of security experts who compete to protect you.