Top 10 Technology Travel Tips – When people travel, especially internationally, not only is the technology at risk but also the sensitive personal and work information on it. Below are 10 tips taken from Janco’s Travel, Electronic, and Off-Site Meeting Policy.
If it’s not necessary, don’t travel with a computer or tablet.
Whenever possible, arrange to use loaner laptops and handheld devices while traveling.
If you are bringing a laptop with you, make sure you have the proper plug adapter.
Install a host-based firewall, and configure it to deny all inbound connections.
Disable file sharing, printer sharing, and Bluetooth. Apply full disk encryption, picking a long, complex password.
Update all software immediately before travel.
Always clear out browser cache before you leave.
Back up your computer.
If you are bringing private data that is not on a computer, copy the data onto an encrypted USB memory device.
Change the passwords for your accounts (email, Gmail, Facebook, etc.).
Utilize complex passwords – Assume the workstation or medium will be lost or stolen.
Memorize the password, or keep it in a secure location on your person.
Password protect the login, and require the password again after the screen saver activates.
SEnuke: an adventure into poor service management. We have just spent a week of our lives working to get SEnuke – an SEO Google search tool – to work and have been frustrated beyond belief.
They came out with a new version that looked like the best thing since sliced bread. Here are the problems that we encountered.
Day 1, when they launched, the site was “down” in that you could not download the program. The page said try back in 30 minutes. It took a full day to get the download to work.
When it installed, it did not uninstall the older version but left traces of it, so that “mysteriously” over the next week at times the older version executed, confusing the heck out of me.
The marketing material said that Captcha was included – however, the SEnuke Captcha did not work for the better part of a week, so I had to purchase a service for that.
When I tried purchasing Captcha, all of the listed companies did not work. Links were to sites that were disabled or not there. In addition, each of the sites had their own userids and passwords. By the time I was done shopping I had over 7 sets of them.
The application was to create links and URLs. It did not do that. The help, which was via a blog forum, after two days told me I had to get the update.
I got the update. However, it could not be installed because it was classified as an UNSAFE publisher. The certificate they had from GODADDY.com had been REVOKED.
When I posted on the SEnuke forum the response I got was that I had to put an exclusion in my Norton. I had already done that and even turned off Norton, but it still did not install.
I posted that we would PAY for support to get it to work. No response from them.
Considering they want close to $150 a month for their product, it is not worth it. Finally, after almost a week of effort, I cancelled the service and created this review of the product.
10 steps to implement cloud SaaS – As more CIOs and other C-level executives look to use Software as a Service (SaaS) for interaction with their users, customers, suppliers, and markets, there are some best practices that they should follow.
Evaluate the current capabilities of their IT infrastructure and application portfolio. Include in that an assessment of the competition and the state of competing solutions.
Develop a roadmap with priorities for SaaS/cloud deployment. Establish who the drivers and owners of the SaaS process are.
Establish clear governance that considers key stakeholders for cloud deployments. Include budgetary responsibility as well as for achieving stated goals.
Develop metrics for performance and for measuring success in meeting cost and other deployment goals. Include a process for dissemination of the results in a timely manner.
Adopt vendor management practices to monitor SLA performance and define responsibilities.
Provide active project management to keep implementation on time and on budget. Steering committees and SDM (System Development Methodology) need to be included in the mix.
Plan for ongoing support, acquiring or training resources for the necessary skills, and address skills gaps. Budgets and associated service levels need to be defined before the SaaS development begins.
Regularly evaluate performance and goals/metrics to ensure they are being met. Utilize every form of communication possible so the enterprise as a whole knows what the state of the SaaS activity is.
Audit compliance with security and other standards and practices and privacy policies. Build compliance into the SaaS process.
Ask suppliers to provide specific data and experience with cloud-to-cloud integration and performance.
To stop a breach tomorrow, what does the enterprise need to do differently today?
Does the enterprise know if the company has been breached? How does it know?
What assets are being protected, what are they being protected from (i.e., theft, destruction, compromise), and who are they being protected from (i.e., cybercriminals or insiders)?
What risks does the enterprise face if it is breached (i.e., financial loss, reputation, regulatory fines, loss of competitive advantage)?
Does the enterprise’s IT security implementation match the enterprise’s business-centric security policies?
Are formal written policies, technical controls or both in place? Are they being followed?
What is the enterprise’s security strategy for IoT?
What is the enterprise’s security strategy for BYOD and “anywhere, anytime, any device” mobility?
Does the enterprise have an incident response plan in place?
What is the enterprise’s remediation process? Can the enterprise recover lost data and prevent a similar attack from happening again?
Security Compliance – Comprehensive, Detailed and Customizable for Your Business
The Security Compliance Policy and Audit Program bundle provides all the essential sections of a complete security manual and walks you through the creation of each step. Detailed language addressing more than a dozen security topics is included in a 220-plus-page Microsoft Word document, which you can modify as much or as little as you need to fit your business requirements. The template includes sections on critical topics like:
Risk analysis – Threat and Vulnerability Assessment via Electronic Forms
Define SLA roles and responsibilities for the enterprise and cloud providers. These definitions should include the persons responsible for oversight of the contract, audit, performance management, maintenance, and security.
Define key terms. Include definitions for dates and performance. Define the performance measures of the cloud service, including who is responsible for measuring performance. These measures would include: the availability of the cloud service; the number of users that can access the cloud at any given time; and the response time for processing a customer transaction.
Define specific identifiable metrics for performance by the cloud provider. Include who is responsible for measuring performance. Examples of such measures would include:
Level of service (e.g., service availability—duration the service is to be available to the enterprise).
Capacity and capability of cloud service (e.g., maximum number of users that can access the cloud at one time and ability of provider to expand services to more users).
Response time (e.g., how quickly cloud service provider systems process a transaction entered by the customer, response time for responding to service outages).
Specify how and when the enterprise has access to its own data and networks. This includes how data and networks are to be managed and maintained throughout the duration of the SLA and transitioned back to the enterprise in case of exit/termination of service.
Specify the SLA infrastructure and requirements methodology:
How the cloud service provider will monitor performance and report results to the enterprise.
When and how the enterprise, via an audit, is to confirm performance of the cloud service provider.
Provide for disaster recovery and continuity of operations planning and testing. Include how and when the cloud service provider is to report such failures and outages to the enterprise, how the provider will remediate such situations, and how it will mitigate the risk of such problems recurring.
Describe any applicable exception criteria when the cloud provider’s performance measures do not apply (e.g., during scheduled maintenance or updates).
Specify metrics the cloud provider must meet in order to show it is meeting the enterprise’s security performance requirements for protecting data (e.g., clearly define who has access to the data and the protections in place to protect the enterprise’s data). Specify the security performance requirements that the service provider is to meet. This would include describing security performance metrics for protecting data, such as data reliability, data preservation, and data privacy. Clearly define the access rights of the cloud service provider and the enterprise as well as their respective responsibilities for securing the data, applications, and processes to meet all mandated requirements. Describe what would constitute a breach of security and how and when the service provider is to notify the enterprise when the requirements are not being met.
Specify performance requirements and attributes defining how and when the cloud service provider is to notify the enterprise when security requirements are not being met (e.g., when there is a data breach).
Specify a range of enforceable consequences, such as penalties, for non-compliance with SLA performance measures. Identify how such enforcement mechanisms would be imposed or exercised by the enterprise.
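As an added example (not from the original post or from Janco’s materials), the following Python script evaluates one constructed day of hourly monitoring samples against a constructed set of SLA terms. It applies the exception criteria described above (scheduled maintenance, demand above contracted capacity), measures availability and a nearest-rank 95th-percentile response time, lists the breached measures, and prices them as service credits. The thresholds, maintenance window, credit rate and every sample are assumptions.

```python
"""SLA evaluation over constructed monitoring samples (added example).

Terms, exception windows, credit rate and the samples are assumptions,
not values from any real SLA.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import ceil


@dataclass
class SlaTerms:
    availability_pct: float             # minimum share of counted samples that are up
    response_ms_p95: float              # ceiling on 95th-percentile response time
    max_concurrent_users: int           # capacity the provider has contracted to carry
    maintenance_windows: list = field(default_factory=list)  # [(start, end), ...]
    credit_pct_per_breach: float = 5.0  # service credit for each breached measure


@dataclass
class Sample:
    at: datetime
    up: bool
    response_ms: float
    concurrent_users: int


def is_exempt(terms: SlaTerms, sample: Sample) -> bool:
    """Exception criteria: scheduled maintenance, or demand above contracted capacity."""
    in_maintenance = any(start <= sample.at < end for start, end in terms.maintenance_windows)
    return in_maintenance or sample.concurrent_users > terms.max_concurrent_users


def percentile(values, pct: float) -> float:
    """Nearest-rank percentile of a non-empty sequence."""
    ordered = sorted(values)
    rank = max(1, ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]


def evaluate(terms: SlaTerms, samples) -> dict:
    """Measure availability and response time, list breaches, and price the credit."""
    counted = [s for s in samples if not is_exempt(terms, s)]
    if not counted:
        raise ValueError("no countable samples in the period")
    up = [s for s in counted if s.up]
    availability = 100.0 * len(up) / len(counted)
    # Response time is only meaningful for requests that were actually served.
    p95 = percentile([s.response_ms for s in up], 95) if up else float("inf")
    breaches = []
    if availability < terms.availability_pct:
        breaches.append("availability")
    if p95 > terms.response_ms_p95:
        breaches.append("response_time")
    return {
        "counted_samples": len(counted),
        "exempt_samples": len(samples) - len(counted),
        "availability_pct": round(availability, 2),
        "p95_ms": p95,
        "breaches": breaches,
        "credit_pct": terms.credit_pct_per_breach * len(breaches),
    }


def constructed_period():
    """One constructed day of hourly samples with a maintenance window at 02:00-04:00."""
    base = datetime(2024, 1, 1)
    terms = SlaTerms(
        availability_pct=99.5,
        response_ms_p95=500.0,
        max_concurrent_users=200,
        maintenance_windows=[(base + timedelta(hours=2), base + timedelta(hours=4))],
    )
    samples = []
    for hour in range(24):
        up, response, users = True, 200.0, 120
        if hour in (2, 3):      # down during scheduled maintenance: exempt
            up = False
        elif hour == 10:        # unplanned outage within contracted capacity: counts
            up, users = False, 150
        elif hour == 15:        # one slow hour, still up
            response = 900.0
        elif hour == 18:        # outage while demand exceeded contracted capacity: exempt
            up, users = False, 250
        samples.append(Sample(base + timedelta(hours=hour), up, response, users))
    return terms, samples


if __name__ == "__main__":
    terms, samples = constructed_period()
    for key, value in evaluate(terms, samples).items():
        print(f"{key}: {value}")
```

The point of separating `is_exempt` from the measurement is that the exception criteria in the contract (maintenance, overload) are what decide whether an outage counts at all; with them applied, the single unplanned outage still pushes availability well below the 99.5% target, while the one slow hour is absorbed by the 95th percentile.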
Documentation is a key part of security compliance — here’s how to do it right
Documentation Security Compliance – Maintaining security compliance is a multifaceted responsibility. It’s not enough to simply implement the required controls and enforce security policies. In order to remain fully compliant, businesses must thoroughly document their compliance efforts as well. Maintaining formal, written documentation of all compliance-related activities is a requirement of many regulatory guidelines, but all too often, it’s treated as an afterthought.
In many cases, compliance documentation is inadequate due to varying responsibilities. In many organizations, compliance efforts spread across departments and different individuals are responsible for various aspects of the security plan. As a result, documentation tends to be inconsistent at best, with varying standards and levels of detail. Unfortunately, such an approach to compliance can land your company in hot water should it ever be selected for a compliance audit.
Specific security compliance documentation standards vary by regulation (HIPAA has different requirements than PCI DSS, for instance) but there are some general best practices that you can follow to ensure that your compliance documentation is up-to-date and meets the requirements put forth for your organization.
Select the Right Manager
Even with a dedicated compliance department, many companies struggle with documentation. Regulatory requirements tend to be highly technical, and require writers with the technical expertise to develop them thoroughly and accurately. When the wrong individuals are tasked with creating compliance documentation, there is the potential for errors and omissions. If professional technical communicators are unavailable, establish specific standards for the creation of documentation for staff to follow, or consider outsourcing the project.
Understand the Requirements
The first step to managing compliance documentation is understanding what is required of your company and developing a consistent means of recording the necessary information. In general, this means:
Describing the specific requirement and how it relates to your business
Outlining the specific controls in place to meet that requirement
Listing the name and contact information for the person in charge of implementing the control
Designating the date that the control/documentation needs to be reviewed and/or updated
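Added example, not from the original article: a small Python register that records each requirement in the consistent form described above (requirement, controls, owner with contact, review-due date), checks that every record is complete, and lists the controls whose review date has passed as of a given day. The regulation references, owners, contacts and dates are constructed.

```python
"""Compliance control register with completeness and review-date checks (added example).

Regulation references, owners, contacts and dates below are constructed, not
taken from any real compliance program.
"""
from datetime import date

REQUIRED_FIELDS = ("requirement", "description", "controls", "owner", "owner_contact", "review_due")

CONSTRUCTED_REGISTER = [
    {
        "requirement": "PCI DSS 8.3 (constructed reference)",
        "description": "Multi-factor authentication for administrative access to the cardholder data environment",
        "controls": ["MFA enforced on VPN and bastion logins", "Quarterly review of admin group membership"],
        "owner": "A. Example",
        "owner_contact": "a.example@example.com",
        "review_due": date(2024, 3, 1),
    },
    {
        "requirement": "HIPAA 164.312(a)(1) (constructed reference)",
        "description": "Access control for systems holding ePHI",
        "controls": ["Role-based access in the EHR application"],
        "owner": "B. Example",
        "owner_contact": "b.example@example.com",
        "review_due": date(2024, 9, 30),
    },
    {
        # Deliberately incomplete: no owner, no contact and no controls listed.
        "requirement": "PCI DSS 10.2 (constructed reference)",
        "description": "Audit logging of all access to system components",
        "controls": [],
        "owner": "",
        "owner_contact": "",
        "review_due": date(2024, 5, 15),
    },
]


def completeness_problems(entry: dict) -> list:
    """Return the required fields that are missing or empty in one register entry."""
    return [name for name in REQUIRED_FIELDS
            if name not in entry or entry[name] in ("", None, [])]


def overdue_reviews(register: list, today: date) -> list:
    """(requirement, days overdue) for entries whose review date has passed, most overdue first."""
    late = [(e["requirement"], (today - e["review_due"]).days)
            for e in register if e.get("review_due") and e["review_due"] < today]
    return sorted(late, key=lambda item: -item[1])


def audit_register(register: list, today: date) -> dict:
    """The report an auditor would ask for: incomplete entries and overdue reviews."""
    incomplete = {e["requirement"]: completeness_problems(e)
                  for e in register if completeness_problems(e)}
    return {"incomplete": incomplete, "overdue": overdue_reviews(register, today)}


def constructed_audit() -> dict:
    """Run the audit against the constructed register as of a constructed date."""
    return audit_register(CONSTRUCTED_REGISTER, date(2024, 6, 1))


if __name__ == "__main__":
    print(constructed_audit())
```

Keeping the required fields in one tuple is what makes the documentation consistent across departments: every owner fills in the same record, and an empty control list or missing contact surfaces before the auditor finds it.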
Many organizations implement a content management system specifically for the purpose of maintaining security compliance documentation. Doing so allows for information to be accessed and updated online in real time, without relying on paper copies. An efficient CMS allows for additional information to be imported as well; for instance, when you invest in a Cisco video conference system from KBZ, the information from training sessions completed by employees can be seamlessly added to the CMS, keeping records up-to-date.
Conduct Regular Audits
Compliance documentation is an ongoing process, and IT needs to schedule annual documentation reviews as part of its compliance activities. Ideally, reviews should not be conducted by those who have responsibility for specific security controls, but by other individuals who have knowledge of the controls and can identify gaps or other potential issues that need to be addressed. The annual documentation review should be focused on identifying required changes, as well as comparing the existing documentation to current regulations to ensure full compliance.
The best time to conduct documentation audits is in conjunction with your scheduled risk assessments. Most security regulations require regular risk assessments, with controls put in place in relation to the results of the assessment. Including a documentation review as a part of that process allows you to identify areas that need improvement or change, as well as activities that need to be added to your security controls.
Focus on the User
Finally, the most effective compliance documentation is user-focused, both in terms of employees who may need to access the information and regulators who will be auditing your efforts. While a focus on the technical aspects of the documentation is necessary, you also want to ensure that the documentation is usable. This means keeping it user-focused, easily accessible, and accurate. Nothing is more frustrating than attempting to find documentation that is hopelessly out-of-date or incorrect, so being user-friendly means committing to maintaining the most current documentation possible.
Failing to correctly maintain your security compliance documentation puts your company at risk for failing an audit, which could result in costly fines and other sanctions. A scattershot and disorganized approach to documenting your efforts is not adequate for anyone’s needs, and could leave your company vulnerable to security breaches in addition to regulatory infractions. By taking the time to develop a comprehensive and thorough approach to compliance documentation, you’ll save time and money in the long run.
Technology Application Trends – 2010 – 2015 was the true start of the digital technology revolution that fundamentally altered the way we live, work, and relate to one another. In its scale, scope, and complexity, this transformation was unlike anything we have experienced before.
Everything was affected – politics, media, social interactions, commerce and technology itself.
Often described as the 4th Industrial Revolution, this period of digitalization continues to intensify characterized by a fusion of technologies which are blurring the lines between the physical and digital spheres for the 21st Century Enterprise. The 4th Industrial Revolution is causing widespread disruption in almost every industry across the globe, with enormous change in the skill sets required to master this new landscape. We have tailored this year’s program to explore the exponential speed of current breakthroughs (which has no historical precedent), with the breadth and depth of these changes unleashing entire new systems of production, management, governance, and Information Technology.
As digital business now moves into the next phase, autonomous and algorithmic investments will be required to improve operational efficiencies, drive down costs to run IT, and deliver the self-funded returns necessary for additional innovation and business value creation.
We do not yet know precisely how the 4th Industrial Revolution will unfold, but one thing is clear: our response to it must be comprehensive and integrated, involving all global IT ecosystem stakeholders at the intersection of the public and private sectors, and within academia and civil society.
2016 Internet and IT Position Description HandiGuide Released
There are now 273 IT Job Descriptions available that have been updated to meet the latest compliance and new technology requirements. The HandiGuide can be acquired in MS WORD and / or PDF format. In addition we provide the option to get updates and free custom job descriptions.
Traditional ERP projects increase costs, take a long time to implement, and require a larger and more specialized IT staff.
Top 10 benefits Cloud ERP — With the emergence of secure clouds, moving to a new ERP solution is not as high-risk an event as it once was. There are some critical benefits that make a cloud-based ERP a solution that should be looked at:
Vendor packages are available that create an architecture that is easily customized, modified and maintained.
Metrics can be defined up front which can be the road map for communication of the benefits and costs of the ERP solution.
The staffing requirement for scores of ERP specialists is significantly reduced, and there is less risk that staff attrition could delay the implementation and deployment processes.
A cloud-based solution eliminates the need for most of the on-site data center resources and is more cost effective (typically at least 30% less expensive than on-premise).
There is much less need to “re-invent” the wheel and much less likelihood that the ERP effort will go down a non-productive path.
Development and implementation cycles are reduced. As a result, deployment is quicker, the value of the projected benefits is received sooner, and the organization faces significantly less risk.
With the cloud, the ERP is more easily sized for both features and number of users supported, and costs can be aligned with the company’s ROI objectives.
Business continuity objectives are more easily managed as part of the core design of the ERP.
New technologies and equipment are more easily supported, as a well-managed vendor-based solution gives the vendor the ability to support new technologies and devices as they hit the market.
Better security and operations than companies can otherwise afford (monitoring and meeting the SLA requirements for response time, continuous backups, redundancy, SSAE 16, PCI certifications, etc.).
Data is the lifeblood of every company, and often, it is a competitive advantage and the only thing that differentiates one enterprise from another. Who has the most loyal customers, the best service, and the most innovative strategies all boils down to information residing on the enterprise’s Information Technology and application systems. For this reason disaster recovery and business continuity are a definite need. In addition, there are security requirements that need to be met. With mandated requirements like Sarbanes-Oxley, HIPAA, PCI-DSS, and ITIL, executive management is depending on you to have the right security policies and procedures in place.
Disaster Recovery Business Continuity with Security
Google has addressed this and describes it in a video that it has placed on YouTube.
World Class Organizations: mobility is a standard feature in IT applications
World Class Organizations mobility – CIOs are incorporating mobility into their IT applications and business operational solutions. All of the recent major advances in technology have moved mobility into the mainstream. In addition, they are building on the average user’s mobile-device comfort level that exists due to smartphones.
The primary driver for this mobile-ready technology is simple: world class application solutions more easily meet evolving industry needs, and are accessible to a broad range of top managers in a manner that matches the work styles – and even the personal lives – of the internal and external users who depend on them.
Business professionals typically carry one or more devices with them at all times. Over 85% of IT functions have moved out of the denial stage regarding the “bring-your-own-device” (BYOD) movement and are successfully managing the operational complexity created by employee-owned, multi-platform mobile devices connected to their networks.
In a recent Janco Associates survey of c-level executives – including CEOs, CFOs, and CIOs:
36% of respondents said that they currently access their organization’s core operational and financial data, via smartphone or mobile device.
Only 23% of the c-level executives interviewed describe themselves as technology “early adopters” or “techno-centric.”
C-level executives and top managers are no longer tied to their desks, and while they are on the move, the information that they need moves with them. Whereas in previous generations of technology “mobility” and “productivity” were at cross-purposes, the latest generation of IT applications and business operational solutions has paired the two successfully, providing increased access to information that improves efficiency. In sum, c-level executives and top managers no longer have to be techno-centric in order to leverage world class IT applications and business operational solutions across the enterprise.
In the case of mobile IT applications and business operational functionality, CIOs need to understand the business processes, relate to other c-level executives and top managers, and understand how mobile access to information changes the way the enterprise operates.
For instance, a mobile IT application and business operational solution allows managers to approve workflows on the go – something that would otherwise have to wait until the manager is back in the office.
In the world of mobile business management, production and operations managers have instant access to information about potential problems, and these managers can even authorize changes to expedite specific work orders or deliveries. Since this data is linked to the enterprise’s other applications, the cost ramifications of real-time changes will become immediately apparent to business and finance leadership as well.
Bring Your Own Device Policy updated to meet Disaster Recovery, Business Continuity and Corporate Intellectual Property Requirements
Stages of a cyber attack’s life cycle need to be understood so that CIOs can create an effective defense strategy. Malicious cyber attacks continue to threaten sensitive data, whether personal data or company-confidential data, and one fact remains: attackers will continue to exploit weaknesses to infiltrate systems and extract data that they can turn into money. The life cycle of an attack is as follows.
Identify and define potential attack vectors
The first step attackers usually take is to identify members of staff within the organization and the best attack vectors to utilize. This is done by scanning the organization’s public facing websites and gathering as much information about the sites as possible, while simultaneously performing scans against the internal networks.
Using several identified attack vectors, hackers attempt to gain access to an organization’s network. Using different IP addresses and a significant number of computers, the hackers will kick off an automated dictionary attack and after only a few short days malware is installed on the victim’s computer.
Command and control
With the malware in place, the attackers can now begin an in-depth recon against the internal network. The attackers will attempt to escalate privileges on the victim’s account, and create new user accounts with administrative and privileged access.
Discover and spread
With access to the network, the hackers begin to spread across the organization’s entire network. A significant presence within the network allows them to wait while making detailed asset maps, noting employee patterns and gathering any other information that can assist them in their long-term goal: data theft.
Extract and ex-filtrate
Attackers siphon data out of their target company’s environment by moving the targeted data to a remote server. After several weeks or possibly even months of siphoning data, the attackers can end their campaign. However, before exiting, they will make several network modifications to enable them to return at any time in the future.
Discovery and clean up
When the organization finally discovers the compromise, which typically takes more than 200 days, stopping the attack begins.
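The life cycle above names two events a defender can actually observe on its own systems: the automated dictionary attack launched from many addresses, and the creation of new accounts with administrative privileges. As an added example (not part of the original post), the Python below runs both detections over constructed syslog-style lines: distributed password guessing against one account inside a time window, and a user being added to a privileged group shortly after creation. The host name, addresses, thresholds and log lines are constructed; the sshd, useradd and usermod message wording follows the usual Linux syslog formats.

```python
"""Detections for two stages of the attack life cycle (added example).

Runs over constructed syslog-style lines; host, addresses, thresholds and
the lines themselves are assumptions, not data from the original post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (\w+)\[\d+\]: (.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
NEW_USER_RE = re.compile(r"new user: name=([^,]+)")
GROUP_ADD_RE = re.compile(r"add '([^']+)' to group '([^']+)'")
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}

SOURCES = ["203.0.113.5", "203.0.113.17", "198.51.100.8", "198.51.100.23", "192.0.2.40"]
CONSTRUCTED_LOG = [
    # 12 failures against "admin" from 5 addresses inside one minute
    f"Jan 10 03:14:{i * 5:02d} gw sshd[{1000 + i}]: Failed password for invalid user admin "
    f"from {SOURCES[i % len(SOURCES)]} port {40000 + i} ssh2"
    for i in range(12)
] + [
    # a user mistyping a password twice, then succeeding: should not alert
    "Jan 10 03:20:01 gw sshd[1100]: Failed password for alice from 192.0.2.99 port 50210 ssh2",
    "Jan 10 03:20:09 gw sshd[1101]: Failed password for alice from 192.0.2.99 port 50211 ssh2",
    "Jan 10 03:20:15 gw sshd[1101]: Accepted password for alice from 192.0.2.99 port 50211 ssh2",
    # account creation followed by privileged group membership
    "Jan 10 03:41:12 gw useradd[2201]: new user: name=svc_backup, UID=1007, GID=1007, "
    "home=/home/svc_backup, shell=/bin/bash",
    "Jan 10 03:41:30 gw usermod[2204]: add 'svc_backup' to group 'sudo'",
]


def parse(line):
    """Split a syslog line into (timestamp, program, message), or None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
    return stamp, m.group(2), m.group(3)


def detect(lines, window=timedelta(minutes=10), min_failures=10, min_sources=3):
    """Return alerts for distributed password guessing and privileged group additions."""
    failures = defaultdict(list)   # target account -> [(timestamp, source address)]
    new_users = set()
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        stamp, program, message = parsed
        if program == "sshd":
            m = FAILED_RE.search(message)
            if m:
                failures[m.group(1)].append((stamp, m.group(2)))
        elif program == "useradd":
            m = NEW_USER_RE.search(message)
            if m:
                new_users.add(m.group(1))
        elif program == "usermod":
            m = GROUP_ADD_RE.search(message)
            if m and m.group(2) in PRIVILEGED_GROUPS:
                alerts.append({"kind": "privileged_group_membership", "user": m.group(1),
                               "group": m.group(2), "newly_created": m.group(1) in new_users,
                               "at": stamp})
    # Sliding window per account: many failures from many addresses is the distributed
    # dictionary-attack pattern that a per-address rate limit on its own would miss.
    for user, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            sources = [addr for stamp, addr in events[i:] if stamp - start <= window]
            if len(sources) >= min_failures and len(set(sources)) >= min_sources:
                alerts.append({"kind": "distributed_password_guessing", "user": user,
                               "failures": len(sources), "distinct_sources": len(set(sources)),
                               "window_start": start})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_LOG):
        print(alert)
```

The two thresholds are deliberately separate: raising `min_sources` above the number of addresses in play makes the guessing alert disappear while the privileged-account alert remains, which is the tuning knob an analyst turns when a single misconfigured client generates failures on its own.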
KPI Metrics are a top priority of C-Level executives
KPI metrics are the best tools CIOs can use against the biggest challenges they face: justifying staffing and spending levels as they strive to improve IT efficiency. When assessing comparative benchmarks, it is hard to know which metrics to start with. The Metrics for the Internet, Information Technology and Service Management HandiGuide helps CIOs understand and pick the appropriate comparative benchmarks to justify staffing and spending, improve IT operations and demonstrate the value of IT to the business.
Janco releases Version 5 of its KPI Metrics HandiGuide
The Metrics for Internet, IT, and Service Management HandiGuide includes a reporting framework that is easily implemented. It defines a specific process that can be followed and has a road-map for a KPI metrics report that covers all of the areas that the IT function interacts with including: finance, staffing, infrastructure, productivity, system development, quality assurance, help (service) function, operations, communication and a number of industry specific KPI metrics.
The price of Metrics HandiGuide is based on the core document and whether the user selects specific supporting materials and 12 or 24 months of update service:
Metrics IT Service Level Management and IT Cost Control – Platinum Edition
Metrics HandiGuide is over 300 pages, defines 540 objective metrics, and contains 83 Metric reports that show over 220 objective metrics. An Adobe PDF document with electronic bookmarks. ITIL and ISO 20000 Compliant.
IT Service Management Policy Template (Word) is a 126-page document that contains standards, policies and procedures, metrics and service level agreements for the help desk, change control, service requests, blog / personal web site, and travel and off-site meetings. It also contains a Change Request Form, Business and IT Impact Questionnaire, and an Internet Use Approval Form.
Service Level Agreement Policy Template (Word/PDF) defines a three-tier environment and specific SLA metrics that are both internally and externally focused. The sample contains over 70 metrics presented graphically in PDF format.
Metrics, Service Level Agreement (SLA) and Outsourcing Job Description Bundle includes 12 full job descriptions in WORD and PDF formats. They are: VP Administration; VP Strategy and Architecture; Director IT Management and Control; Manager Contracts and Pricing; Manager Controller; Manager Metrics; Manager Outsourcing; Manager Service Level Reporting; Metrics Measurement Analyst; Quality Measurement Analyst; System Administrator Unix; and System Administrator Windows.
Internet and IT Job Descriptions as individual files in Word formats. Long file names have been used to make customization easier.
Latest IT Salary Survey for 73 positions in all major metro areas in the US and Canada.
Best Practices Ransomware – Ransomware is a class of malware that holds a computer or data “hostage” until the user pays a particular amount or abides by specific instructions. The ransomware restricts access to the data and the system. Some cases of ransomware also repeatedly show messages that tell users they must pay the “ransom” or perform a particular action. There are some ransomware variants that encrypt files found on the system’s hard drive. Users must pay the ransom in order to decrypt the data that was altered by the ransomware.
Cybercriminals behind this threat made use of online payment methods as a way for users to pay the ransom.
Have remote backups of your data that is not “mapped” to your computers and network.
Show hidden file extensions. One way that Cryptolocker frequently arrives is in a file named with the extension “.PDF.EXE”, counting on Windows’ default behavior of hiding known file extensions. To mitigate this, re-enable display of the full file extension so that suspicious files are easier to spot.
Have your email server filter out all files that are executables. If there is a need to exchange executable files within your environment while you are denying emails with “.EXE” files, you can do so with password-protected ZIP files or via cloud services.
Disable files running from AppData/LocalAppData folders. One of the ways that ransomware works is to place an executable within those Windows folders and then launch the program. By disabling execution from those folders you eliminate a major weakness in your operating environment.
Disable Remote Desktop Protocol (RDP) which allows others to access your desktop remotely. If you do not require the use of RDP, you can disable RDP to protect your environment.
Keep your software current by applying patches and updates in a timely manner. Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to silently get onto your system. It can significantly decrease the potential for ransomware pain if you make a practice of updating your software often.
Utilize a security suite that has a large user base and is updated frequently.
If you run WiFi in your environment, make sure that all of the routers in the network are secure, utilize strong passwords and change their passwords at least quarterly. If you do have a ransomware attack, turn your WiFi off immediately.
Provide in-depth training to all users who have access to your environment on what they can and cannot do, such as accepting files that are suspicious or from unknown users.
Stay current with all breaches and ransomware attacks that are reported and adjust your operating environment to address exposures that others have faced.
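An added example, not part of the original post: a Python attachment screen that implements the “show hidden file extensions” and “filter executables” advice above. It blocks executable extensions, flags a document extension followed by an executable one (the .PDF.EXE trick), opens ZIP archives to apply the same rule to their members, and sends password-protected archives, whose contents cannot be inspected, to review rather than silently allowing them. The extension lists, file names and archive contents are constructed, and the code is a stand-alone illustration rather than a mail server configuration.

```python
"""Mail attachment screening for the extension tricks described above (added example).

Extension lists, file names and archive contents are constructed; this is a
stand-alone illustration, not a mail server configuration.
"""
import io
import zipfile
from pathlib import PurePosixPath

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".hta", ".js", ".vbs", ".ps1"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_name(name: str):
    """Verdict on a file name alone: ("allow" | "block", reason)."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return "allow", "no extension"
    if suffixes[-1] in EXECUTABLE_EXTS:
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
            # invoice.pdf.exe displays as invoice.pdf when Windows hides known extensions
            return "block", "executable disguised with a document extension"
        return "block", "executable attachment"
    return "allow", "non-executable extension"


def inspect_zip(data: bytes):
    """Apply the name rule to every archive member; password-protected members go to review."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:      # general-purpose flag bit 0: member is encrypted
                    return "review", f"encrypted archive member {info.filename}; contents cannot be inspected"
                verdict, reason = classify_name(info.filename)
                if verdict == "block":
                    return "block", f"archive member {info.filename}: {reason}"
    except zipfile.BadZipFile:
        return "block", "malformed archive"
    return "allow", "archive members are non-executable"


def screen_attachment(name: str, data: bytes = b""):
    """Gateway decision for one attachment, looking inside ZIP files."""
    verdict, reason = classify_name(name)
    if verdict != "block" and PurePosixPath(name).suffix.lower() == ".zip":
        return inspect_zip(data)
    return verdict, reason


def constructed_zip(members):
    """Build an in-memory ZIP from [(name, bytes), ...] for the examples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for member_name, payload in members:
            zf.writestr(member_name, payload)
    return buf.getvalue()


def constructed_encrypted_zip():
    """Simulate a password-protected archive: zipfile cannot write one, so the encryption
    flag is set by hand in the local header (offset 6) and central directory entry (offset 8)."""
    data = bytearray(constructed_zip([("secret.bin", b"opaque")]))
    data[6] |= 0x01
    data[data.index(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)


if __name__ == "__main__":
    for name, payload in [
        ("invoice.pdf.exe", b""),
        ("quarterly.xlsx", b""),
        ("photos.zip", constructed_zip([("a.jpg", b"x")])),
        ("docs.zip", constructed_zip([("readme.txt", b"x"), ("statement.pdf.scr", b"y")])),
        ("transfer.zip", constructed_encrypted_zip()),
    ]:
        print(name, screen_attachment(name, payload))
```

The “review” verdict is the practical consequence of allowing password-protected ZIPs as the sanctioned channel for executables: the gateway cannot see inside them, so they need a human or an out-of-band policy rather than a blanket allow or block.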
Why You Need a Security Consultant — and What to Look For
Security Consultant – For years now, security experts have warned small businesses: you are a target for cybercriminals. While the news media focus on the major security breaches affecting millions of individuals, what is often overlooked is that smaller businesses are not only hacked more often, but are also frequently a key piece of the puzzle when investigating larger breaches.
In short, the simple fact is that small businesses are at risk for cyber-attacks, and even if you think you are too small to be of any interest to hackers, you might want to think again.
The problem for many small and micro businesses is that they simply do not have the resources to fully protect their business and their data. While it would be great to hire a full-time, dedicated cybersecurity professional (or even an IT person, in many cases) most smaller companies don’t have the money in the budget to do so.
As a result, they piecemeal security solutions together: They secure their Wi-Fi, use antivirus software, set up firewalls, etc. These are all important steps, but while they may be enough for the average home network, they represent only the beginning of the protection necessary for business.
Since most entrepreneurs aren’t well versed in the latest cyber-protection methods, and don’t necessarily have the time to learn, a growing number of security consultants specialize in small businesses and in designing security protocols to protect their valuable data. For a fraction of the cost of hiring a full-time employee, businesses can implement the security measures they need to keep their data safe, remain in compliance with industry security regulations, and stay ahead of emerging threats.
What Will a Security Consultant Do?
If you cannot bring a dedicated security professional onto your staff, a security consultant is the next best thing. However, it’s important to understand a few key considerations before you sign a contract.
First, it’s very important that you hire an independent consultant. Many security companies, particularly security software vendors, will offer consulting services for “free.” However, these consultants are typically employees of that software company, and the recommended solutions for your security issues are likely to be limited to the products and services offered by that company.
That’s not to say the advice isn’t relevant and valid, but you want to make sure that you are receiving the unbiased evaluations and recommendations to ensure that all of your bases are covered and that you aren’t purchasing products and services that you don’t necessarily need.
It’s also important to understand what a consultant will do for you. In most cases, the consultant will conduct a thorough risk assessment, evaluate your current security set-up to identify weaknesses, and recommend solutions to minimize risk. From there, consultants will either do the work themselves (or through their team) or recommend qualified vendors to implement the security solutions for you.
Most security consultants work on a project basis. Some offer ongoing service and support, but most will leave the ongoing implementation up to you. These are points that you will work out in the contract, but understand that usually, your consultant is there to assist with a specific project and not to fill the role of a staff IT security professional.
What to Look for in a Consultant
Finding the right consultant involves more than just choosing someone who works independently of a specific company. Ask a few important questions, including:
What is your background? Choose a consultant with an advanced educational background, ideally with a degree in information security and experience within your industry. Some consultants have also earned the Chartered Security Professional (CSyP) designation, indicating a high level of knowledge and experience within the realm of security.
Do you have experience within our industry? Different industries have different needs in terms of security. If you are bound by regulations such as HIPAA or PCI, does the consultant have the knowledge and experience required to incorporate those regulations into your security plan?
Who will perform the necessary work? If you are working with a consultant who will implement your security upgrades, be sure to determine who will be actually doing the work. In some cases, the experienced principal of the firm conducts the analysis and makes recommendations, and then sends less-experienced individuals to conduct the work. Know who you will be working with and their qualifications from the start.
Of course, cost is always a factor, but as with anything, the least expensive option is not always the best option. Keep in mind that you will be trusting this person (or team) with your most valuable and sensitive data, and select a consultant who has both the technical and the project management skills necessary to ensure your business is fully protected.