What questions should I ask an information technology security consultant?

I'd like to hire an IT security consultant. What are the most important questions I should ask when looking for one?

3
Joel Maloff
Vice President - Channel Development, Phone.com
Posted on Dec. 4, 2009

Becky -

This is an excellent question. The answer depends on what you are looking to accomplish. Let's consider the various roles that an IT security consultant can play.

At the top is someone who can assist in the creation of an overall information systems security policy and plan. They will need extensive experience in the identification of areas that are to be addressed by the policies within your organization. Areas of coverage include defining what you are protecting, from whom, and how much it is worth to you to protect it. Policies will also include who has access to what resources, from which locations, and when. All of this will then lead into the creation of the plan that implements tools to address policy decisions.

The next lower layer is a consultant that can assist with reviewing your current policies and plans, and overseeing external/internal network penetration testing as part of an overall security audit. You clearly want someone who has conducted such activities in the past and who can advise methods of remediation for issues that are identified.

Further along the continuum is the hands-on security analyst that will either work with your team or by themselves looking to implement the information systems security plan. They should have certified information systems security professional (CISSP) or other comparable certifications.

Based on what you are seeking, it is important to ask questions relevant to your environment. As a consultant myself, I can tell you what I would want to know from you and what I would include in my written proposal. Each of my proposals includes five areas: Scope of Work (SoW), Tasks, Deliverables, Timetable, and Fees. Making sure that the SoW is clearly defined and well understood by both the client and the consultant is critical for success. "Scope creep" - where unanticipated tasks creep into a project - can lead to excessive costs and unhappiness all around. Defining the specific tasks will allow the consultant to estimate the amount of time that is expected to be invested and provide the client with an approximation of fees, depending on billing methodology. Deliverables are important because you as the client need to know if you are to expect a written policy and plan, a written summary of audit results with recommendations, and so forth. The timetable is important, and most likely portions of fees will be tied to completion of various phases of the project. Lastly, it is important to know if the project will be time and materials, fixed fee, or if a retainer is to be paid for delivery of ongoing services. In the latter instance, deliverables should have been defined that are included as part of the retainer.

I hope this helps and please let me know if I can answer any further questions.

Joel

0
Steve Jackson
Senior Client Representative, Champion Solutions Group
Posted on Jan. 9, 2010

I agree with Joel on his view regarding consultants overall.
These additional questions may be just as important:
What is your background/experience in the specific industry?
Why does the consultant feel he can work well with your current team?
References specific to your industry?
Financial status?
