Why do I need an IT security audit or assessment?
The first question to ask any vendor is why you need their services. If they can't answer that, move on! We'd tell you that the exponential increase in private, confidential information transmitted and stored online has given rise to unprecedented business risks, ranging from human error to non-compliance with regulations to malicious attacks. You need an IT security assessment to identify those risks, rank them by their impact on your organization, and show you where to spend your remediation effort first.
Has your firm ever done a security audit before?
This is not the time for someone to "cut their teeth." Experience counts. Ask for references. Make sure that your security auditor has done a number of audits, and check with some of the companies they've done work for to make sure that they do exceptional work.
Aren't you the guys who sell us our IT?
Don't you want honest, objective and independent results? We thought so. IT vendors aren't usually inclined to point out their limitations. Or they'll see this as an opportunity to "up-sell" you on more product and services. Don't hate them for this. They are just doing their job. It's just not the job you need.
Do you provide real analysis and reports that are useful to us?
Ask for a sample report. We've seen audits from our competitors chock full of trivial problems, false positives, and indecipherable code strings, all presented in a 100-page report that makes your eyes glaze over. While you want a comprehensive approach, you also want to be able to focus on the highest-risk and most relevant issues to your organization. Ask whether findings are manually verified rather than copied straight from a scanner, whether each one carries a risk rating and a clear remediation recommendation, and whether the report opens with an executive summary your management can act on.
Do you have a quality team? Do you have a team?
Some IT audit firms are actually just one (very busy) security engineer. Or they are huge multinationals who assign their most junior people to smaller projects. Ask for team bios, and ask who will actually be doing the hands-on work on your engagement. Check out what other companies within your specific industry these people have done work for.
Are you a "truly" independent security auditor?
We find that companies with products or other services to sell just cannot be objective. They have an ulterior motive, whether obvious or not.
Beware the company that claims to have a separate division that only does security audits. Our guess is that those divisions roll up into the same bottom line, and your bottom line should be to look elsewhere.
Do regulators like you?
Believe it or not, some security firms will actually answer "no" to this question! They think that makes them appear to be more on your side. That may feel warm and fuzzy, but the truth is that regulators recognize (and appreciate) security audit firms that do objective and thorough work, and that's the path to your quickest, most painless compliance approval.
What's the price? Why is that more/less than other firms?
Watch out for pricing that seems too low or too high. Lower prices generally indicate that your provider uses only automated tools to do the work. Then someone checks off a few boxes and sends you a report. On the other hand, exorbitant pricing can be indicative of a company allocating a huge overhead charge to your project. Ask each bidder how much of the quoted effort is manual testing and analysis versus automated scanning, and what is in and out of scope; that makes quotes comparable. At the end of the day, make an investment in a trusted security partner that takes your project seriously and helps you maintain compliance while navigating new security challenges over the long term.