When you need a cyber security assessment, the company that you choose to do the work matters.
It matters because you don’t just want a provider who’s going to deploy some tools that will create a report. You need to choose a company that has expertise in interpreting the results so that your next step can be planning a course of action to close the gaps that are uncovered.
How do you know if the cyber security vendors you’re considering will give you that kind of comprehensive assessment? Use the following 10 questions in your evaluation and the best choice will emerge.
- Will the provider speak to your specific goals?
- What experience does the company have with your industry?
- Does the company have experience with regulatory compliance?
- Are there any third-party certifications verifying their expertise?
- What’s involved with the assessment?
- Will the cyber security assessment disrupt operations?
- What’s the report going to look like?
- How much does a cyber security assessment cost?
- Will the provider remediate a cyber attack if they find one in progress?
- Does the company also provide outsourced cyber security services?
Now let’s go into detail with each question.
How to Evaluate Cyber Security Assessment Companies
1. Will the provider speak to your specific goals?
There’s at least one reason why you think you need a cyber security assessment, and you need to make sure that the provider you’re choosing is going to meet your ultimate goal(s).
Is your goal to qualify for cyber insurance? Perhaps you must meet regulatory compliance requirements or show that you’re accountable for the safety of your customers’ data. Maybe you just want to get peace of mind about security.
Whatever it is, the provider shouldn’t brush off your specific goals but assure you that you’ll get what you’re after.
2. What experience does the company have with your industry?
One way that you can gain confidence that the cyber security assessment provider you choose is going to meet your goals is if they routinely work with companies like yours.
If they’re familiar with your industry they’ll have an idea of how information flows in and out of your operations. They’ll know where to look for common missteps or issues, and they’re more likely to be familiar with the frameworks (like NIST or ISO) that are used in your industry.
3. Does the company have experience with regulatory compliance?
Along with industry familiarity should come experience with compliance, if applicable. Whether it’s HIPAA, ITAR, SOX, or CMMC, you’ll want to know that they understand that any assessment and recommendations they provide will help you along your path to attaining or retaining successful compliance.
Even if you don’t have compliance needs, knowing that the assessment provider has experience in interpreting regulatory compliance into security controls is a sign of cyber security maturity and expertise.
4. Are there any third-party certifications verifying their expertise?
Ask if the assessment company or their staff hold certifications specific to cyber security.
There are some cyber security certifications that go hand in hand with regulatory compliance. For example, a Registered Provider Organization (RPO) designation is a signal that the company is experienced in Cybersecurity Maturity Model Certification (CMMC). And a Registered Practitioner (RP) is a CMMC certification for an individual.
Additionally, employees holding technology-specific certifications from companies like Microsoft, Cisco, VMware, and WatchGuard are also signs of cyber security expertise.
🔎 Related: 5 Ways Consulting with a Registered Practitioner Can Help You Become CMMC Compliant
5. What’s involved with the assessment?
Your specific goals for needing a cyber security assessment will drive the activities that are involved. For example, reviewing your security policies should be a part of a compliance assessment or CMMC gap analysis.
Even if you don’t need to discuss security policies, you should expect interviews to be conducted with both IT and regular staff to determine how data is accessed.
Some of the tactics the assessment provider may use include vulnerability assessments, penetration tests, phishing simulations, data backup testing, and physical security reviews.
6. Will the cyber security assessment disrupt operations?
A cyber assessment shouldn’t take down operations or disturb your employees’ daily work (unless they find that there’s a cyber attack in progress – see below). You will, however, need someone who can carve out time in their routine schedule to be the main point of contact.
Your IT manager may be that person (if you have one on staff). If so, they’ll also need to be available to answer questions and provide the assessment team with access to other staff members for interviews, as well as access to your IT systems.
7. What’s the cyber security assessment report going to look like?
The report you get in conjunction with a cyber security assessment should reflect your unique goals and answer the questions you set out to answer. It shouldn't all be tech-speak that you can’t understand.
You also want to know how far the report will go in giving you prioritized recommendations. If the report you get goes no further than a go/no-go status on your security layers, make sure that your own team has the background to take it from there.
🔎 Related: What Will a Cyber Security Assessment Report Show? 10 Common Findings & Recommendations
8. How much does a cyber security assessment cost?
The cost of your cyber assessment will depend on, you guessed it, your goals.
Your goals feed the inputs and the outputs of your cyber security assessment. The more involved and the further the assessment goes to providing next steps, the more value you’ll be getting.
When you’re comparing different providers, make sure that it’s an apples-to-apples evaluation, or what looks like a deal may not get you where you want to go. In any case, expect cyber security assessment prices to start around $3,500 and go up from there.
9. Will the provider remediate a cyber attack if they find one in progress?
It’s very possible that when the cyber security assessment company has their tools deployed and starts collecting data, they’ll discover that there’s a cyber attack in progress. (Yes, we've seen it firsthand!)
No doubt the assessment provider will let you know about it and may have the capability to shut it down if you want them to. After all, if your current team didn’t detect the attack, do you really want to hand response back to them? Probably not.
If this happens, don’t expect these actions to be included in the assessment fee but thank your lucky stars that the intruder was detected and stopped.
10. Does the company also provide outsourced cyber security services?
The results of your cyber security assessment may reveal gaping holes in your security and you’ll need to ramp up your cyber defenses very quickly.
If the company that conducts the assessment can also provide outsourced cyber security services then they’ve essentially completed a portion of their onboarding through the thorough discovery that took place with the assessment.
The last thing you want to do at this stage is start another vetting process, so set yourself up for a possible transition to outsourced cyber security services when you’re picking out an assessment provider.
🔎 Related: 17 Foundational Cyber Security Measures Businesses Need
When’s the Right Time for a Cyber Security Assessment?
As mentioned at the beginning of this article, you could be experiencing pressure to get an assessment because you need to qualify for cyber insurance, attain regulatory compliance or prove that you’re accountable for security to your customers.
But really, any time you don’t know where you stand in your defense against cyber intruders is the right time to get a cyber security assessment.
Cyber Security Assessments for Southern California Companies
Here at VC3, we’re experienced at planning and conducting cyber security assessments and providing outsourced managed security for companies in industries with the most stringent security standards.
Our classifications as a Managed Security Services Provider (MSSP) and CMMC Registered Provider Organization (RPO) are just two signs of our expertise. The security professionals we have on staff have degrees in cyber security and hold relevant security certifications.
Wondering about the strength of your security posture? Let’s talk about your cyber assessment goals.