Many information security consulting firms offer security services and training, but it can be difficult for a client to differentiate between them, especially when lacking any background in the constantly-changing field of information security. The growing threat to computer systems and networks from outside attackers and insiders means that the need for information security services has never been higher. So what should you look for when considering which computer security company your organisation should hire?
To begin with, security services and training cover an extremely wide field, which needs to be narrowed down to specific offerings. For example: what kinds of service are priorities for your organisation's particular situation, and which others are "nice to have" but not immediately necessary?
In addition, what kind of training is needed by your particular staff in your particular situation? If it were possible to produce an off-the-shelf solution that would cover all situations, then someone would have marketed one by now. But in fact both information security services, and training services, need to be highly customised to the particular needs of the client. This means that your organisation will need to hire security services and training from a specialist information security company.
What should you look for when considering the offerings of competing firms? Having prioritised the computer security services your organisation requires, you should start with the following basic checks:
· Does the firm have a lot of experience in providing the given service (e.g. penetration testing, network monitoring, regular scanning, interim security management)?
· What qualifications and professional memberships are held by the people who will carry out the work?
· If there is potential access to sensitive data, have the professionals involved been checked for a criminal record?
· What references can they supply from past clients for this kind of service?
Another question to ask is whether the firm is currently providing this service - the more clients it has for this service, the better. This is because the field of information security is changing so fast that skills can easily become out of date, unless there is ongoing involvement in a related project.
Training should not be viewed as an optional extra. Without appropriate training, all the security services and recommendations could be rendered useless. If a key staff member is unclear about how to proceed, or lacks the necessary information security training, then the money you have spent might well be wasted. The human aspect of computer security is often overlooked, yet it is this avenue that is responsible for a huge number of successful attacks in recent years.
In short, security services and training can offer real value to your organisation, but only if the information security consulting company is carefully selected, and only if staff training is included as part of the package.