Can You Tell the Difference Between an InfoSec Consultant and an InfoSec Trusted Advisor?
Information Security (InfoSec) is a constantly changing landscape. Cyber threats are becoming more sophisticated every day. Technology solutions are exploding in number and kind. Federal and industry regulations are becoming more rigorous. It can be bewildering to know where to look and whom to trust if you are seeking to strengthen your company’s security profile. Make the wrong decision, and your company and your data could be compromised – and you could be called to account for the decisions that led to the breach.
There are many InfoSec consultants in the marketplace. There are far fewer InfoSec trusted advisors – that is, solution providers who not only offer security technology, but who engage directly with your business to offer prescriptive advice above and beyond their technology offerings. Here are three key questions to ask as you vet a potential partner to determine whether you are talking with an InfoSec consultant or an InfoSec trusted advisor.
1. Will you give me guidance on how to train my people on InfoSec compliance?
When it comes to information security, technology isn’t enough. In addition to bolstering your infrastructure, you need to ensure compliance from your people.
An InfoSec consultant will deliver a technology recommendation, but their engagement ends there. An InfoSec trusted advisor, on the other hand, will help you by pointing out the kinds of documents you need to develop to complement the InfoSec architecture, and the policies and standard operating procedures (SOPs) you should build. They will take the time to explain compliance protocols to your employees – training and retraining as necessary, raising awareness of security issues, and positively affirming best practices and secure behaviors.
2. Will you help me assess the security and compliance profile of the vendors in my supply chain?
An InfoSec trusted advisor recognizes that your company’s security and compliance are only as good as the weakest link in your entire ecosystem of applications and services. Therefore, they will perform a high-level assessment of your other vendors to see whether security risks are present.
For example, suppose your company works in the healthcare arena. An InfoSec trusted advisor will check to make sure all vendors are HIPAA-certified and that the applications and appliances they want to bring into your environment are designed to support HIPAA compliance.
If the InfoSec trusted advisor discovers that a vendor represents a security risk to your company, they will report that back to you and encourage you to open discussions with the vendor on how to mitigate or eliminate the risk.
3. Will you tell me “No”?
It is a business maxim that “the customer is always right.” However, when it comes to security, the reality is quite different. There are times when the customer is wrong or, at the very least, misinformed. You want an InfoSec trusted advisor who will lay it on the line and tell you the hard facts if you are asking for something that would ultimately put your company at risk.
Take the case of a company that wants to “punch a hole” to enable direct communication into its most secure data layer to make it easier for its team to work. An InfoSec trusted advisor would refuse to do so, knowing that such a hole would irreparably compromise the security of the data.
That is the kind of relationship you want: one where your InfoSec trusted advisor will bend over backwards to help you do what you need and what you want – with the caveat that they will tell you “No” if what you want would jeopardize the integrity of the security you are trying to support.
Whom Will You Trust?
Strengthening your information security profile is about more than pinpointing the right technology. It is about engaging with a trusted InfoSec provider who will look at the security and compliance needs of your entire organization: end to end and top to bottom. With an InfoSec trusted advisor as your partner, you can have the confidence that as the security landscape continues to change, you will always know the right direction to go to reduce your risk.