Cracking Cybersecurity Consulting: How do we align on project scope?
Violet Sullivan, CIPP/US CIPM
Cyber | Privacy | AI | Cyber Insurance | Adjunct Professor for Baylor Law School
Third article in a 12-part series on “Cracking Cybersecurity Consulting”
Once you have started considering cybersecurity consultants, it is important to make sure that they can perform the task at hand. After having gone through the budget process, your company is likely most attuned to the need that you are trying to address. You might even need to bring on certain internal subject matter experts to help describe the scope of your requirements.
After working on many projects, it’s clear that one of the most important things to do before choosing the right vendor is to make sure you are clear on the project’s focus and parameters.
Solidifying your project scope is best accomplished by understanding the true definition of what you are asking the consultant to do. For example, in consulting, we hear the phrase “penetration test” tossed around by people all the time. Penetration testing is defined by the National Institute of Standards and Technology as “…Security testing in which evaluators attempt to circumvent the security features of a system based on their understanding of the system design and implementation…to identify methods of gaining access to a system…”
This definition shows that a request for true penetration testing is a request for a highly specialized, higher-risk activity. What an organization might instead be looking for is vulnerability scanning or a gap assessment, either of which gives you a broader picture of where your internal vulnerabilities are (instead of just trying to break in through one or two of those vulnerabilities).
Sometimes the initially desired scope of a project is not broad enough to resolve your needs. This is where cybersecurity experts can be very helpful in explaining how certain projects fit into an overall information security program.
The best way to get aligned on the scope of a cybersecurity consulting project is to:
1) Get on the phone. Trading proposals back and forth isn’t going to narrow down the scope of your project. However, sufficient phone calls can make sure that both sides are on the same page for a project’s structure and overall plan.
2) Be clear on integral definitions. Make sure that both sides are “speaking the same language” when it comes to key words and phrases. We often find there can be different definitions of project terms that lead to unmet expectations if not communicated in advance.
3) Explain your goals. One of the first things we ask during a scoping call is, “What is the reason you are doing this project?” Some people want to meet compliance requirements or are required by vendors to complete a project, while others are just doing it as a best practice to enhance their cybersecurity. Each goal might involve a different approach to the project, so it’s important that all parties understand the goals and objectives before entering into a project.
4) Establish a methodology for your risk-mitigating project. Whether this is NIST or something else, understand the methodology behind the project.
5) Be clear on the scope. The amount of work involved is often defined by the number of physical locations, number of employees, workstations, servers, etc. The more technology an expert has to wade through and the more complex your systems, the larger the project scope becomes. You must be clear on these details or else you might face the risk of going over budget when the other party is surprised by your expectations. For example, if you don’t tell them that you have five different locations, the project partner may never know to look beyond the one location mentioned in a proposal.
6) Ask about output. Deliverables are the most important part of the project. The output you receive as a result of expert testing is the action plan your team needs in order to move forward. But if you or your team cannot interpret the report, what good was the project? I have seen some consulting companies produce a “heatmap” report that is hard to decipher. You do not want to invest organizational resources in a deliverable that lacks clarity and direction. Ensure that you are receiving a coherent, actionable report that provides a roadmap for accomplishing your goals.
Once you have had a chance to align on the project parameters with your trusted third party, you are almost ready to sign the client agreement and establish a project schedule. But when do you need a second opinion? When do you need to compare other vendors’ proposals for the same project? We will explore this more in our next series article, “When do you need a second opinion?”
For more information and to discuss the consulting services that are right for your organization, contact Violet Sullivan, Esq. CIPP/US, Cyber Security Consulting Practice Manager, 760-916-4477 or email vsullivan(at)eplaceinc.com.
Business Consultant | Driving Sales Excellence & Market Leadership | Crafting Winning Strategies for Rapid Growth | Architect of Global Expansion Initiatives
3 years: Absolutely. Due diligence by both parties is critical for a productive working relationship. You make some excellent points in this post.
CISO | Board Member | AIML Security | CIS & MITRE ATT&CK | OWASP Top 10 for LLM Core Team Member | Incident Response |
3 years: 100% agree, clear communication is critical for a successful engagement! The challenge for many consultants and cybersecurity services organizations is trying to educate clients on what they do need, and a pen test may just be telling the client what an attacker already knows.