
Motivations for the assessment and impact on vendor selection


To book a successful security consulting engagement, you must first understand your motivation. There is a wide range of reasons to contract with a security consultancy, and yours will have outsized downstream consequences for vendor selection. Some of the most common drivers are:

Risk reduction

The most proactive motivation for an assessment is pure risk reduction. This is where an organization voluntarily commissions a security assessment in order to holistically improve their security. They can use the assessment to find gaps in security architecture, implementation and program to prioritize for remediation and investment.

Considerations:

This motivation allows for the most flexibility in vendor selection, as the engagement exists entirely for the benefit of organizational security. Two considerations apply here and to every other case below. First, when interviewing possible vendors, focus on their collaboration model and on what it will be like to work with them day to day. Second, focus on their ability to map their findings to concrete, contextual business risk rather than to generic severity ratings.

Compliance

Many compliance schemes either suggest or mandate a third-party security assessment. Some examples include PCI DSS (Requirement 11.3.4.1), FedRAMP, FINRA, NCUA, SOC 2, and HITRUST.

Considerations

When procuring an assessment for compliance, you must ensure that the vendor you are working with carries any certification the scheme requires (for example PCI's Approved Scanning Vendor status, which covers the quarterly external vulnerability scans rather than penetration testing) or otherwise meets the certification requirement. Additionally, weigh the benefits of a stronger assessor who will deliver a more critical assessment against a vendor that performs a lighter assessment and offers an easier path to ticking the compliance box. Balance this choice against your overall security program and the other assessment activities you already run. Finally, when contracting for compliance, it can be worth working with your auditor to identify a vendor who already has a good reputation with them.

Sales

Companies, especially in the business-to-business space, reach a size at which certain customers require a vendor security review as part of procurement. These reviews vary, but standard forms such as Shared Assessments' SIG Questionnaire or the Cloud Security Alliance's Consensus Assessment Initiative Questionnaire (CAIQ) are available.

Evidence of an external assessment is a frequent requirement for these reviews. The CAIQ AAC-02, for example, specifies that “independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.”

Considerations

A security assessment can often serve multiple agendas. If your organization has heard customer demand for evidence of an assessment, that demand should influence your vendor selection. For very large clients, you may hear implicitly or explicitly of one or more preferred vendors. Depending on the size of the deal, it can be worthwhile to bow to these preferences, especially if the client has recommended a vendor you were already considering. It may also be worth paying a premium to conduct the assessment with a more notable "brand name" firm, since name recognition can engender client confidence in the result. Finally, be sure to understand the deliverables your vendor offers so that you keep the proper artifacts as sales collateral: a letter of engagement, an attestation that the assessment occurred, and executive or engagement summaries.

Investment or M&A

Security assessments can occur pre- or post-deal in a merger, acquisition, or investment. Before a deal they serve as due diligence; afterward they baseline security program planning. The assessment may be an explicit deal contingency, or it may be used to understand the potential risk and the resulting costs associated with the deal (see "Cybersecurity Assessments in Mergers and Acquisitions: The ROI of Sound Cybersecurity Programs").

Internal attestation

Third-party assessments are internal political fuel. They can provide an objective view of gaps, highlight problems the security team is hoping to communicate upwards, or capture progress to qualify return on investment.

Considerations:

To roadshow an assessment internally, you should consider your audience. One tack is to focus during procurement on the report's business-friendliness, such as the quality of the executive summary. It can also be beneficial to favor any executive preference or pre-existing relationship, and to account for vendor name recognition.

Post-breach

Following a breach, more than incident response is called for. In the longer term, it is often wise to commission an external assessment to confirm that remediation and hardening activities were actually effective. It can also re-engender internal trust, in line with Internal attestation above.

Considerations:

Though the assessment is not itself incident response, there is value in working with a vendor who has experience with incidents. This could be your response partner, or another vendor who can directly build on the outcomes of the response. Additionally, it is helpful to select a partner who can support longer-term advisory work. Finally, consider having internal or external legal counsel commission the engagement, so that you may be able to conduct it under privilege. Privilege is not automatic: whether it holds depends on how the engagement is structured and on its stated purpose, so involve counsel before scoping rather than after.